
    Startups, Regulations, & Risk: Insights from MedTech Guru Etienne Nichols | Ep. 7


    Reviewed by Christian Espinosa, MBA, CISSP · Founder & CEO

    Published May 2025 · Last reviewed May 2026

The Med Device Cyber Podcast · May 1, 2025

    This episode of The Med Device Cyber Podcast features Etienne Nichols, Head of Industry Insights and Education at Greenlight Guru, a company specializing in Quality Management Systems (QMS) for medical devices. Joined by Trevor, Director of Medical Device Cybersecurity at Blue Goat Cyber, the discussion provides valuable insights for product security teams, regulatory leads, and engineers. The conversation demystifies acronyms prevalent in MedTech, such as QMS, ISO 13485, and 21 CFR Part 820, and introduces the upcoming Quality Management System Regulation (QMR).

    Nichols emphasizes the critical role of a QMS in ensuring consistent, reliable, safe, and effective medical devices, especially for startups navigating regulatory landscapes. The episode delves into the importance of designing cybersecurity into medical devices from the outset, highlighting the interconnectedness of safety risk management (ISO 14971) and security risk management (TR57). Practical advice is offered on leveraging QMS for traceability, managing legal and ethical risks, and streamlining processes like Corrective and Preventive Actions (CAPA) in response to vulnerabilities. The speakers also address the challenges large companies face with inadequate documentation systems and the growing demand from hospitals for robust cybersecurity assurances.

    Key Takeaways

    • A Quality Management System (QMS) is crucial for medical device companies, regardless of size, to ensure consistent, reliable, safe, and effective products and to manage regulatory compliance.
    • Cybersecurity must be designed into medical devices from the initial development phase, not bolted on afterward, to ensure effective risk management and regulatory compliance.
    • Safety risk management (ISO 14971) and security risk management (TR57) are distinct but interconnected frameworks, and understanding their overlap is essential for comprehensive medical device security.
    • The Corrective and Preventive Action (CAPA) process within a QMS is vital for addressing identified vulnerabilities and preventing their recurrence, ensuring continuous improvement in product security.
    • Even if not explicitly required for initial FDA clearance, demonstrating robust internal cybersecurity practices and manufacturing environment security is increasingly important for market adoption, especially with hospitals.
• Effective documentation control and traceability within a QMS are critical for avoiding repeat work and legal risks, and for simplifying audits by regulatory bodies like the FDA.
