Season 1 has been filled with wonderful conversations. I feel like I've learned so much about medical devices, cybersecurity, and entrepreneurship as a whole. Today we listen again to the most impactful moments from our conversations.
I also reflect on what these extracts meant to me and what they mean for you as a medical device manufacturer.
It's been awesome sharing my passion for medical device cybersecurity with you for a season! Thanks for being part of the journey.
Securely yours,
Cyber Doctor
AI is everywhere in Medical Devices. How do you manage documentation around them?
In this episode we are crossing the themes of documentation process and cybersecurity for AI-driven medical devices.
We answer questions like:
- What documentation process is expected from the FDA and the EU's NBs?
- How to collaborate to build effective documentation?
- How to manage documentation debt?
Richie Christian is a seasoned medical device consultant with over a decade of experience in regulatory affairs, quality management, and market access for digital health technologies, including AI/ML-enabled software as a medical device (SaMD).
With a Master’s in neurophysiology from the University of Auckland and additional training in drug commercialization from UC San Diego, he has led regulatory initiatives at companies like Formus Labs, Aroa Biosurgery, and Fisher & Paykel Healthcare.
Now based in Switzerland, Richie advises MedTech firms at wega Informatik, helping them navigate regulatory pathways and implement robust quality systems for innovative healthcare software.
Thanks for listening, folks!
Securely yours,
Cyber Doctor
We're back for part 2!
In this one we dive deeper into the topic of what it's like to lead cybersecurity at a hospital, the specifications that Manufacturers look for, and take a deeper dive into the controversial questions around cybersecurity.
Axel and Chris wrote a book together called Medical Device Cybersecurity for Engineers and Manufacturers, and recently published their second edition. If you'd like to buy it, they've shared their discount code that's available to use on the publisher's website.
Code: WIRTH25
More ways to follow:
https://www.linkedin.com/in/mathieupeteau/
https://www.linkedin.com/in/axelwirth/
https://www.linkedin.com/in/christopher-w-gates/
We're nearing the end of the season with one more episode coming. After that we'll do a recap of all the learnings I've had in the first 17 episodes of the series. Be sure to subscribe/follow to be in the loop.
Securely yours,
Cyber Doctor
Widely regarded as the main contributors to knowledge sharing in the medical device industry, Chris Gates and Axel Wirth share their perspectives on what has changed in the past decade around medical device cybersecurity.
This episode is agnostic of geography or legislation and includes learnings for all medical device engineers.
Axel and Chris wrote a book together called Medical Device Cybersecurity for Engineers and Manufacturers, and recently published their second edition. If you'd like to buy it, they've shared their discount code that's available to use on the publisher's website.
Code: WIRTH25
More ways to follow:
https://www.linkedin.com/in/mathieupeteau/
https://www.linkedin.com/in/axelwirth/
https://www.linkedin.com/in/christopher-w-gates/
The second part of the episode is coming out next week, folks. Can't wait to hear what you think of it!
Securely yours,
Cyber Doctor
Picking the right approach to look at risk is very important. Get it wrong and you're in for a denied submission.
MDR requires manufacturers to use the As Low as Possible Approach. And it has consequences on the way we look at cybersecurity in general.
Our guest today is an all-around expert in medical devices. Tibor Zechmeister was a medical device entrepreneur, and now works as a consultant and an auditor in medical devices. His different perspectives make this episode unique in the angles of conversation it brings.
Through this episode you'll understand which method to choose to submit a device in Europe, how it differs from other risk management methodologies, and the implications it has on cyber as a whole.
Feel free to connect with us on our LinkedIn accounts:
https://www.linkedin.com/in/tibor-zechmeister/
https://www.linkedin.com/in/mathieupeteau/
Be sure to follow the podcast, we have some nice episodes coming, including a two-part episode with the people I consider to be the Fathers of Medical Device Cybersecurity. Stay tuned.
Securely yours,
Cyber Doctor
There are so many standards for Medical Devices. Today we're taking a look at 2 of the most used in the cybersecurity space.
ISO 14971 is the main standard for managing risks in medical devices. It helps organizations find and control risks to improve device safety.
IEC 81001-5-1 focuses on managing cybersecurity risks in health software. It guides how to handle and reduce digital threats to medical IT systems.
Tune in to find out more on how these standards play against each other, and how you can use them to create safer medical devices that keep thriving on the market.
Securely yours,
Cyber Doctor
Can you imagine if we trusted everyone who logs into a device? It would be chaotic. This is why we need to make sure the person logging in is indeed the person they say they are.
This is the process of authentication. And it's critical to get it right to ensure medical devices are protected.
Through this episode my guest and I talk about what it means to have a secure authentication process and what it looks like to implement a quality process in practice.
My guest Aaron Painter is a cybersecurity expert and CEO of Nametag Inc., where he develops advanced AI solutions to secure devices and prevent online impersonation and deepfakes. With a background in global tech leadership, Aaron specializes in protecting digital identities and making online interactions safer.
Feel free to connect with us on LinkedIn:
https://linkedin.com/in/mathieupeteau/
https://www.linkedin.com/in/aaronpainter/
Aaron's company: https://getnametag.com/
Securely yours,
Cyber Doctor
The FDA is undergoing massive job cuts. Whether we like it or not, this will undoubtedly change the approval landscape of medical devices. And it already has.
My guest Etienne Nichols and I talk about the implications of these changes for Manufacturers and what they can do to remain competitive in this evolving landscape.
Etienne Nichols is an all-around talent in Medical Devices. He started as a mechanical engineer and is now leading the community of Greenlight Guru with his podcast: the Global Medical Device Podcast. On it he welcomes guests of all fields to share their knowledge on making better devices.
More ways to reach us:
https://www.linkedin.com/in/mathieupeteau/
https://www.linkedin.com/in/etiennenichols/
I have a newsletter with weekly tips on improving medical device cybersecurity. You can find it here: http://cyberdoctornotes.com
Episode timestamps:
00:00 FDA dismissals
01:51 About Etienne Nichols
04:09 Dismissal implications
07:28 Making better submissions
13:31 Improving Q&R
18:18 Predictions on submissions
21:12 MEDUFA
26:01 Secrecy in Medical Devices
28:48 AI for submissions
31:51 Best MDMs do this
If you have any questions or feedback, I'm very happy to hear your thoughts: mathieu@cyberclinic.io
Securely yours,
Cyber Doctor
Healthcare institutions are the ones buying the medical device, ultimately. Yet, we don't often talk about their cybersecurity demands.
Our guest Christopher Frenz has spent most of his career protecting hospitals from cyber attacks. And it's not an easy task. While the landscape evolves every month, medical devices often stay the same for years, if not decades. How do these challenges manifest themselves? And what can a medical device manufacturer do about them?
Christopher is the author of many influential publications such as the OWASP Secure Medical Device Deployment Standard, the OWASP Anti-Ransomware Guide, and most recently the CSA Medical Device Incident Response Playbook.
Join me on this reality-check conversation where we dive into the other side of the medical device.
Securely yours,
Cyber Doctor
Today we're tackling some of the biggest questions around the EU regulations landscape in cybersecurity of medical devices.
Our guest is Elisabetta Biasin, a legal researcher specializing in cybersecurity, AI regulation, and EU laws. Elisabetta provides critical insights into the complex regulatory landscape facing medical device manufacturers implementing AI in Europe. She expertly breaks down how multiple frameworks—including the AI Act, MDR, NIS2, and GDPR—overlap and create compliance challenges, explains the specific cybersecurity requirements for AI systems under Article 15, and clarifies how data protection requirements extend beyond just personal data.
With real-world examples of potential cybersecurity vulnerabilities in medical devices like pacemakers, this episode delivers essential knowledge for manufacturers navigating the evolving European regulatory environment.
Want weekly actionable advice on medical device cybersecurity from yours truly? Go here -> http://cyberdoctornotes.com
Elisabetta's profile:
https://mastodon.social/@bisilisib@eupolicy.social
https://www.linkedin.com/in/elisabetta-biasin-550a4711a/
Please share with a friend & rate the show 💚
Securely yours,
Cyber Doctor
I think you understand how important it is to protect medical devices. But what about the organization that makes the medical device?
Well, it has its own security requirements. European legislation such as NIS2 requires that MDMs maintain a certain level of security. And beyond just following regulation, following basic cybersecurity practices improves the company's ability to withstand attacks and protect its intellectual property.
After all, if the Technical Files are public, what's to stop someone else from copying your device?
Karandeep and I go into what Manufacturers of Medical Devices should do. And cherry on top, most of these measures do not cost money, just a bit of planning. Future you will thank you for having put this work in.
With a background in pharmaceutical and cosmetic science from De Montfort University, Badwal transitioned early into the medical device sector, holding key roles in regulatory affairs and quality management at companies such as Abbott and St. Jude Medical. His expertise includes ISO 13485, EU MDR, and software as a medical device (SaMD), and he shares valuable insights on LinkedIn and YouTube.
If you liked the episode, please consider sharing it with one friend 💚
Securely yours,
Cyber Doctor
There are hundreds of tasks to do before releasing a medical device.
What if we could make one of them fun all while being more productive?
That's the idea that our guest Christoph Niehoff expanded upon. He created a card game that encourages players to have conversations around the security of the medical device.
Join us to understand the benefits of this approach, the rules of the game, and how to make it fit into your medical device organization.
In this enlightening episode, we explore how gamification transforms the often tedious process of threat modeling into an engaging team exercise. Christoph shares how his innovative card game bridges communication gaps between technical and non-technical stakeholders while producing more comprehensive security assessments.
Learn how this approach not only improves compliance documentation but also builds a stronger security culture within development teams. Whether you're a seasoned security professional or new to medical device development, you'll discover practical ways to implement this game-changing methodology in your own organization.
Don't miss this opportunity to turn security from a checkpoint into a collaborative adventure that yields better protected medical devices and more engaged teams.
Medical Devices need patching. Whether it's for functionality or security, devices must be able to be updated remotely.
But what about those devices that you cannot patch?
What are some things manufacturers can still do to ensure security?
In this episode with guest Matthew Webster, we deep dive into cybersecurity of medical devices keeping in mind the perspective of hospitals.
Here are links to check out:
Connect with me: https://linkedin.com/in/mathieupeteau
Matthew's LinkedIn: https://www.linkedin.com/in/matthew-webster-2087a3/
Matthew's book: https://www.amazon.es/Harm-Protecting-Connected-Healthcare-Adversarial-ebook/dp/B0973SQ86N
Please consider sharing this with a medical device colleague 💚
Securely yours,
Cyber Doctor
Why reinvent the wheel?
Industry-leading experts have already paved the way for medical device security. By following established good practices, you can ensure the safety and integrity of your devices without unnecessary complexity.
My guest, Marina Daineko is a medical device industry expert, specializing in regulatory compliance and quality management. She helps manufacturers ensure patient safety and deliver high-quality products in a rapidly evolving healthcare landscape.
Actionable medical device tips: https://cyberdoctornotes.com
Marina's LinkedIn: https://www.linkedin.com/in/marinadaineko/
CISA and the FBI have released a report guiding Medical Device Manufacturers on how to code their devices securely.
At the top of the priority list is a new recommendation to phase out the use of C and C++ in medical device software. While these languages can be useful in certain circumstances, they significantly compromise the security of devices.
So, what can you do about it?
Efforts to improve the security aspects of these languages are already underway. However, they may not offer a complete solution. And while transitioning to newer languages like Rust is an option, it might render existing C/C++ libraries incompatible.
What’s the answer?
This episode solves the puzzle—and here's a spoiler: it involves strategic planning. With the first deadline set for January 2026 and final submissions scheduled by 2030, these guidelines are set to bring about significant changes.
My guest, Jacob Barkai, has over a decade of experience in application development and just as much expertise in tackling security challenges.
If you like this episode, please share it with a friend 💚
Securely yours,
Cyber Doctor
Medical Devices are getting increasingly complex.
We're now dealing with interconnected medical devices with tens of inputs and dozens of connections. How can you handle security in this context?
Threat modeling is the process recommended by the FDA in which you discover vulnerabilities, respond to risks, and analyze your work. It's done using a 4-question framework.
To guide us through the intricacies of threat modeling, we have a true luminary in the field, Adam Shostack. Adam is the author of "Threat Modeling: Designing for Security" and "Threats: What Every Engineer Should Learn from Star Wars." He’s a leading expert on threat modeling, a consultant, expert witness, and game designer. With decades of experience delivering security, Adam's insights range from founding startups to nearly a decade at Microsoft.
What you'll understand after listening to the episode:
Want to dive even deeper into threat modeling and medical device cybersecurity?
🔹 Stay up-to-date with the latest in medical device cybersecurity with my weekly newsletter at cyberdoctornotes.com
🔹 Explore Adam's groundbreaking work on threat modeling at shostack.org
🔹 Read Adam's latest book on Amazon
Please share with a fellow medical device security pioneer!
Securely yours,
Cyber Doctor
Everyone knows cybersecurity in medical devices is important. But how many know how to make secure devices?
Our two guests Jose Bohorquez and Mohamad Foustok are packed with experience in building medical devices and they share their best practices on how to do so.
Here are my top learnings from this one:
✦ Include cybersecurity from the start in architecture - have at least one security-savvy architect to avoid major reworks
✦ Minimize third-party dependencies - each additional library increases security risk and monitoring burden
✦ Match security controls to attacker incentives - attackers operate like businesses and won't spend more than potential gains
Want to become even more knowledgeable?
🔹 Get actionable advice on how to secure your medical devices every Thursday from my newsletter at cyberdoctornotes.com
🔹 Find out more about Jose and Mohamad's work in medical device software development & cybersecurity at https://boldtype.com/
If you have 10 seconds to give my show a review I will be very happy!
Securely yours,
Cyber Doctor
To get us started on this journey, I invited one of the most influential medical device patients in the cybersecurity space. Veronica "Vee" Schmitt is an advocate for cybersecurity in medical devices. Veronica shares her personal journey from experiencing fainting spells at 19 to becoming fascinated with the security of medical devices.
Having faced this situation first hand, she understands the struggles that patients go through.
Throughout this episode you'll learn about the surprising reality of being a medical device patient in cybersecurity:
- Patients are scared of medical devices' cybersecurity risk, fueled by the media.
- Physicians are not trained on cybersecurity risk.
- There are many risks to factor against benefits.
Want to receive actionable advice on how to build more secure medical devices? Sign up to my newsletter at cyberdoctornotes.com
Find out more about Veronica: http://www.veronicaschmitt.com/
Get involved at the biohacking village: https://www.villageb.io/
Please give my show a review!
Securely yours,
Cyber Doctor
Hi Folks! This introduction episode is to present the Medical Device Cybersecurity Podcast and myself, your host, Mathieu “Cyber Doctor” Peteau.
Since this episode might be the only one that focuses on me, I'll take advantage of this and answer your burning questions:
✔️ How random events led me to medical device cybersecurity
✔️ Why am I the Cyber Doctor?
✔️ How I left a top cybersecurity company to pursue Medical Device Cybersecurity
🔹 Timestamps:
01:02 The podcast's mission
02:59 The Importance of Medical Device Cybersecurity
06:17 Introducing the Cyber Doctor
08:05 From Cyber Narratives to Medical Devices
10:38 My Journey in Cybersecurity
11:33 Excitement for the Future
Are you passionate about medical device cybersecurity and have amazing ideas on how to improve it? Let’s talk!
Reach out to me at mathieu@cyberclinic.io
Resources Mentioned:
👋 My LinkedIn: linkedin.com/in/mathieupeteau
💡 Weekly actionable Medical Device Security advice: cyberdoctornotes.com
I can't wait to share the rest of the journey with you. In the meantime, if you could please subscribe and take a moment to leave a review, I would appreciate it very much.
All the best,
Your Cyber Doctor.