Blue Goat Cyber logoBlue Goat CyberSMMedical Device Cybersecurity
    K
    Podcast · Episode 07

    Startups, Regulations, & Risk: Insights from MedTech Guru Etienne Nichols

    With MedTech leader - What are some of the key challenges MedTech companies face in balancing innovation with compliance? This episode dives into the intersection of quality management and cybersecurity in the MedTech industry.

    Christian Espinosa, Founder & CEO at Blue Goat Cyber

    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Listen now

    Key takeaways

    • A Quality Management System (QMS) ensures consistent, reliable, safe, and effective medical devices through defined processes and procedures.
    • The FDA increasingly mandates that cybersecurity be integrated into medical device design, not merely added as an afterthought.
    • Implementing separate but connected risk management frameworks, such as ISO 14971 for safety and AAMI TIR57 for security, helps address both aspects comprehensively.
    • A CAPA (Corrective and Preventive Action) process, rooted in 21 CFR Part 820, addresses non-conformances or glitches by identifying root causes and implementing corrective actions to prevent recurrence.
    • Traceability within a QMS (Quality Management System) is crucial for managing legal, ethical, and economic risks, preventing repeated work and ensuring regulatory compliance.

    What are some of the key challenges MedTech companies face in balancing innovation with compliance?

    This episode dives into the intersection of quality management and cybersecurity in the MedTech industry. Hosts Christian Espinosa and Trevor Slattery are joined by Etienne Nichols, an expert from Greenlight Guru, who shares insights on regulatory compliance, risk management, and the importance of designing cybersecurity into medical devices.

    Key points:

    • The importance of building cybersecurity into medical devices from the design phase.

    • How quality management systems (QMS) streamline compliance and audits.

    • The role of ISO 13485 in MedTech and its differences from ISO 9001.

    • FDA’s growing focus on cybersecurity in regulatory submissions.

    • The economic risks of poor documentation and lack of traceability.

    • Best practices for startups in adopting right-sized QMS solutions.

    • The relationship between quality assurance (QA) and regulatory affairs (RA).

    • How risk management frameworks like ISO 14971 and TIR-57 intersect.

    • Why hospitals demand cybersecurity assessments before purchasing devices.

    Notable quotes

    “The FDA has been increasingly ratcheting down on cybersecurity, especially in the last 18 months or two years. They expect cybersecurity to be built into the medical device by design.”
    - Etienne Nichols
    “ISO 14971 is safety risk management. TIR57 covers security risk management. Having those two distinct processes in place is a good way to address safety and security in tandem.”
    - Trevor Slattery
    “A quality management system's biggest reasons is traceability. We focus on legal risk, regulatory, and then also the economical risks of having to do things over and over again.”
    - Etienne Nichols
    “If there is a new vulnerability identified, I would expect that to go through a CAPA process.”
    - Etienne Nichols

    Frequently asked questions

    Bring this work to your device

    Need help with fda premarket cybersecurity?

    Blue Goat Cyber delivers fda premarket cybersecurity services for medical device manufacturers - from threat modeling to FDA-ready reports.

    FDA Premarket Cybersecurity Services

    More on FDA Premarket Cybersecurity

    Ready when you are

    Get FDA cleared without the cybersecurity headaches.

    30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.