Medical Device Cybersecurity Podcast – Détails, épisodes et analyse

Medical Devices are getting increasingly complex.

We're now dealing with interconnected medical devices with tens of inputs, dozens of connections, and a plethora of connections. How can you handle security in this context?

Threat modeling is the process recommended by the FDA in which you discover vulnerabilities, respond to risks, and analyze your work. It's done in a 4 question framework:

1. What are we working on?
2. What can go wrong?
3. What are we going to do about it?
4. Did we do a good job?

To guide us through the intricacies of threat modeling, we have a true luminary in the field, Adam Shostack. Adam is the author of "Threat Modeling: Designing for Security" and "Threats: What Every Engineer Should Learn from Star Wars." He’s a leading expert on threat modeling, a consultant, expert witness, and game designer. With decades of experience delivering security, Adam's insights range from founding startups to nearly a decade at Microsoft.

What you'll understand after listening to the episode:

1. Threat modeling is built on simple questions. Ask them early in development when changes are easier to make.
2. Visibility is key. Start with simple whiteboard sketches to get everyone on the same page before moving to more formal diagrams.
3. Focus on practical solutions. Sometimes, redesigning to avoid problems entirely is better than trying to calculate and mitigate specific risks.

Want to dive even deeper into threat modeling and medical device cybersecurity?

🔹 Stay up-to-date with the latest in medical device cybersecurity with my weekly newsletter at⁠⁠cyberdoctornotes.com⁠⁠

🔹 Explore Adam's groundbreaking work on threat modeling at ⁠shostack.org

🔹 Read Adam's latest bookon Amazon

Please share with a fellow medical device security pioneer!

Securely yours,Cyber Doctor

Everyone knows cybersecurity in medical devices is important. But how many knowhow to make secure devices?

Our two guests Jose Bohorquez and Mohamad Foustok are packed of experience in building medical devices and they share their best practices on how to do so.

Here are my top learnings from this one:

✦ Include cybersecurity from the start in architecture - have at least one security-savvy architect to avoid major reworks

✦ Minimize third-party dependencies - each additional library increases security risk and monitoring burden

✦ Match security controls to attacker incentives - attackers operate like businesses and won't spend more than potential gains

Want to become even more knowledgeable?

🔹 Get actionable advice on how to secure your medical devices every Thursday from my newslettercyberdoctornotes.com

🔹 Find out more about Jose and Mohamed's work in medical device software development & cybersecurity athttps://boldtype.com/

If you have 10 seconds to give my show a review I will be very happy!

Securely yours,

Cyber Doctor

To get us started on this journey, I invited one of the most influential medical device patients in the cybersecurity space. Veronica "Vee" Schmitt is an advocate for cybersecurity in medical devices. Veronica shares her personal journey from experiencing fainting spells at 19 to becoming fascinated with the security of medical devices.

Having faced this situation first hand, she understands the struggles that patients go through.

Throughout this episode you'll learn about the surprising reality of being a medical device patient in cybersecurity: - Patients are scared of medical devices's cybersecurity risk fueled by the media. - Physicians are not trained on cybersecurity risk. - There are many risks to factor against benefits. Want to receive actionable advice on how to build more secure medical devices? Sign up to my newsletter at cyberdoctornotes.com

Find out more about Veronica: http://www.veronicaschmitt.com/

Get involved at the biohacking village: https://www.villageb.io/

Please give my show a review!

Securely yours,

Cyber Doctor

Hi Folks! This introduction episode is to present the Medical Device Cybersecurity Podcast and myself, your holt, Mathieu “Cyber Doctor” Peteau.

Since this episode might be the only one that focuses on me, I'll take advantage of this and your burning questions:
✔️ How I random events led me to medical device cybersecurity
✔️ Why I'm the Cyber Doctor?
✔️ How I left a top cybersecurity company to pursue Medical Device Cybersecurity?

🔹 Timestamps:

01:02 The podcast's mission 02:59 The Importance of Medical Device Cybersecurity 06:17 Introducing the Cyber Doctor 08:05 From Cyber Narratives to Medical Devices 10:38 My Journey in Cybersecurity 11:33 Excitement for the Future

Are you passionate about medical device cybersecurity and have amazing ideas on how to improve it? Let’s talk!

Reach out to me at mathieu@cyberclinic.io

Resources Mentioned:
👋 My LinkedIn: linkedin.com/in/mathieupeteau

💡 Weekly actionable Medical Device Security advice: cyberdoctornotes.com

I can't wait to share the rest of the journey with you. In the meantime, if you could please subscribe and take a moment to leave a review, I would appreciate it very much.

All the best,

Your Cyber Doctor.

The FDA is undergoing massive job cuts. Whether we like it or not, this will undoubtedly change the approval landscape of medical devices. And it already has.

My guest Etienne Nichols and I talk about the implications of these changes for Manufacturers and what they can do to remain competitive in this evolving landscape.

Etienne Nichols is an all around talent in Medical Devices. He started as a mechanical engineer and is now leading the community of Greenlight Guru with his podcast: the Gobal Medical Device Podcast. On it he welcomes guiests of all fields to share their knowledge on making better devices.

More ways to reach us:

https://www.linkedin.com/in/mathieupeteau/

https://www.linkedin.com/in/etiennenichols/

I have a newsletter with weekly tips on improving emdical device cybersecurity. You can find it here: http:// cyberdoctornotes.com

Episode timestamps:

00:00 FDA dismissals

01:51 About Etienne Nichols

04:09 Dismissal implications

07:28 Making better submissions

13:31 Improving Q&R

18:18 Predictions on submissions

21:12 MEDUFA

26:01 Secrecy in Medical Devices

28:48 AI for submissions

31:51 Best MDMs do this

Any questions or feedback I'm very happy to hear your thoughts: mathieu@cyberclinic.io

Securely yours,

Cyber Doctor

Healthcare institutions are the ones buying the medical device, ultimately. Yet, we don't often talk about their cybersecurity demands.

Our guest Christopher Frenz has spent most of his career protecting hospitals from cyber attacks. And it's not an easy task. While the landscape evolves every month, medical devices often stay the same for years, if not decade. How do these challenges manifest themselves? And what can a medical device manufacturer do about them?

Christopher is the author of many influential publications such as the OWASP Secure Medical Device Deployment Standard, the OWASP Anti-Ransomware Guide, and most recently the CSA Medical Device Incident Response Playbook.

Join me on this reality-check conversation where we dive into the other side of the medical device.

Securely yours,

Cyber Doctor

Today we're tackling some of the biggest questions around the EU regulations landscape in cybersecurity of medical devices.

Our guest is Elisabetta Biasin, a legal researcher specializing in cybersecurity, AI regulation, and EU laws. Elisabetta provides critical insights into the complex regulatory landscape facing medical device manufacturers implementing AI in Europe. She expertly breaks down how multiple frameworks—including the AI Act, MDR, NIS2, and GDPR—overlap and create compliance challenges, explains the specific cybersecurity requirements for AI systems under Article 15, and clarifies how data protection requirements extend beyond just personal data.

With real-world examples of potential cybersecurity vulnerabilities in medical devices like pacemakers, this episode delivers essential knowledge for manufacturers navigating the evolving European regulatory environment.

Want weekly actionable advice on medical device cybersecurity from yours truly? go here -> http://cyberdoctornotes.com

Elisabetta's profile:

https://mastodon.social/@bisilisib@eupolicy.social

https://www.linkedin.com/in/elisabetta-biasin-550a4711a/

elisabetta.biasin@kuleuven.be

Please share with a friend & rate the show 💚

Securely yours,

Cyber Doctor

I think you understand how important it is to protect medical devices. But what about the organization that makes the medical device?

Well, it has its own security requirements. European legislation such as NIS2 require that MDMs maintain a certain level of security. Plus on top of just following regulation, following basic cybersecurity practices improves the company's ability to withstand attacks and protect its intellectual property.

After all, if the Terchnical Files are public, what's to stop someone else to copy your device?

Karandeep and I go into what Manufacturers of Medical Devices should do. And cherry on top, most of these measures do not cost money, just a bit of planning. Future you will thank you for having put this work in.

Receive 1 actionable tip in your inbox every week: http://cyberdoctornotes.com

With a background in pharmaceutical and cosmetic science from De Montfort University, Badwal transitioned early into the medical device sector, holding key roles in regulatory affairs and quality management at companies such as Abbott and St. Jude Medical. His expertise includes ISO 13485, EU MDR, and software as a medical device (SaMD), and he shares valuable insights on LinkedIn and YouTube.

Karandeep's contact:

karandeep@qramedical.com

https://www.linkedin.com/in/karandeepbadwal/

If you liked the episode, please consider sharing it to one friend 💚

Securely yours,

Cyber Doctor

There's hundreds of tasks to do before releasing a medical device.

What if we could make one of them fun all while being more productive?

That's the idea that our guest Christoph Niehoff expanded upon. He created a card game that encourages players to have conversations around the security of the medical device.

Join us to understand the benefits of this approach, the rules of the game, and how to make it fit into your medical device organization.

In this enlightening episode, we explore how gamification transforms the often tedious process of threat modeling into an engaging team exercise. Christoph shares how his innovative card game bridges communication gaps between technical and non-technical stakeholders while producing more comprehensive security assessments.

Learn how this approach not only improves compliance documentation but also builds a stronger security culture within development teams. Whether you're a seasoned security professional or new to medical device development, you'll discover practical ways to implement this game-changing methodology in your own organization.

Don't miss this opportunity to turn security from a checkpoint into a collaborative adventure that yields better protected medical devices and more engaged teams.

Medical Devices need patching. Whether it's for functionality or security, devices must be able to be updated remotely.

But what about those devices that you cannot patch?

What are some things manufacturers can do still ensure security?

In this episode with guest Matthew Webster, we deepdive into cybersecurity of medical devices keeping in mind the perspective of hospitals.

Here are links to check out:

Connect with me: https://linkedin.com/in/mathieupeteau
Matthew's LinkedIn: https://www.linkedin.com/in/matthew-webster-2087a3/
Matthew's book: https://www.amazon.es/Harm-Protecting-Connected-Healthcare-Adversarial-ebook/dp/B0973SQ86N

Please consider sharing this with a medical device colleague 💚

Securely yours,

Cyber Doctor