I think you understand how important it is to protect medical devices. But what about the organization that makes the medical device?

Well, it has its own security requirements. European legislation such as NIS2 require that MDMs maintain a certain level of security. Plus on top of just following regulation, following basic cybersecurity practices improves the company's ability to withstand attacks and protect its intellectual property.

After all, if the Terchnical Files are public, what's to stop someone else to copy your device?

Karandeep and I go into what Manufacturers of Medical Devices should do. And cherry on top, most of these measures do not cost money, just a bit of planning. Future you will thank you for having put this work in.

Receive 1 actionable tip in your inbox every week: http://cyberdoctornotes.com

With a background in pharmaceutical and cosmetic science from De Montfort University, Badwal transitioned early into the medical device sector, holding key roles in regulatory affairs and quality management at companies such as Abbott and St. Jude Medical. His expertise includes ISO 13485, EU MDR, and software as a medical device (SaMD), and he shares valuable insights on LinkedIn and YouTube.

Karandeep's contact:

[email protected]

https://www.linkedin.com/in/karandeepbadwal/

If you liked the episode, please consider sharing it to one friend 💚

Securely yours,

Cyber Doctor

There's hundreds of tasks to do before releasing a medical device.

What if we could make one of them fun all while being more productive?

That's the idea that our guest Christoph Niehoff expanded upon. He created a card game that encourages players to have conversations around the security of the medical device.

Join us to understand the benefits of this approach, the rules of the game, and how to make it fit into your medical device organization.

In this enlightening episode, we explore how gamification transforms the often tedious process of threat modeling into an engaging team exercise. Christoph shares how his innovative card game bridges communication gaps between technical and non-technical stakeholders while producing more comprehensive security assessments.

Learn how this approach not only improves compliance documentation but also builds a stronger security culture within development teams. Whether you're a seasoned security professional or new to medical device development, you'll discover practical ways to implement this game-changing methodology in your own organization.

Don't miss this opportunity to turn security from a checkpoint into a collaborative adventure that yields better protected medical devices and more engaged teams.

Medical Devices need patching. Whether it's for functionality or security, devices must be able to be updated remotely.

But what about those devices that you cannot patch?

What are some things manufacturers can do still ensure security?

In this episode with guest Matthew Webster, we deepdive into cybersecurity of medical devices keeping in mind the perspective of hospitals.

Here are links to check out:

Connect with me: https://linkedin.com/in/mathieupeteau
Matthew's LinkedIn: https://www.linkedin.com/in/matthew-webster-2087a3/
Matthew's book: https://www.amazon.es/Harm-Protecting-Connected-Healthcare-Adversarial-ebook/dp/B0973SQ86N

Please consider sharing this with a medical device colleague 💚

Securely yours,

Cyber Doctor

Why reinvent the wheel?

Industry-leading experts have already paved the way for medical device security. By following established good practices, you can ensure the safety and integrity of your devices without unnecessary complexity.

My guest, Marina Daineko is a medical device industry expert, specializing in regulatory compliance and quality management. She helps manufacturers ensure patient safety and deliver high-quality products in a rapidly evolving healthcare landscape.

Actionable medical device tips: https://cyberdoctornotes.com

Marina's LinkedIn: https://www.linkedin.com/in/marinadaineko/

CISA and the FBI have released a report guiding Medical Device Manufacturers on how to code their devices securely.
At the top of the priority list is a new recommendation to phase out the use of C and C++ in medical device software. While these languages can be useful in certain circumstances, they significantly compromise the security of devices.

So, what can you do about it?

Efforts to improve the security aspects of these languages are already underway. However, they may not offer a complete solution. And while transitioning to newer languages like Rust is an option, it might render existing C/C++ libraries incompatible.

What’s the answer?

This episode solves the puzzle—and here's a spoiler: it involves strategic planning. With the first deadline set for January 2026 and final submissions scheduled by 2030, these guidelines are set to bring about significant changes.

My guest, Jacob Barkai, has over a decade of experience in application development and just as much expertise in tackling security challenges.

Connect with him on LinkedIn

If you like this episode, please share it with a friend 💚

Securely yours,

Cyber Doctor

Medical Devices are getting increasingly complex.

We're now dealing with interconnected medical devices with tens of inputs, dozens of connections, and a plethora of connections. How can you handle security in this context?

Threat modeling is the process recommended by the FDA in which you discover vulnerabilities, respond to risks, and analyze your work. It's done in a 4 question framework:

1. What are we working on?
2. What can go wrong?
3. What are we going to do about it?
4. Did we do a good job?

To guide us through the intricacies of threat modeling, we have a true luminary in the field, Adam Shostack. Adam is the author of "Threat Modeling: Designing for Security" and "Threats: What Every Engineer Should Learn from Star Wars." He’s a leading expert on threat modeling, a consultant, expert witness, and game designer. With decades of experience delivering security, Adam's insights range from founding startups to nearly a decade at Microsoft.

What you'll understand after listening to the episode:

1. Threat modeling is built on simple questions. Ask them early in development when changes are easier to make.
2. Visibility is key. Start with simple whiteboard sketches to get everyone on the same page before moving to more formal diagrams.
3. Focus on practical solutions. Sometimes, redesigning to avoid problems entirely is better than trying to calculate and mitigate specific risks.

Want to dive even deeper into threat modeling and medical device cybersecurity?

🔹 Stay up-to-date with the latest in medical device cybersecurity with my weekly newsletter at⁠⁠cyberdoctornotes.com⁠⁠

🔹 Explore Adam's groundbreaking work on threat modeling at ⁠shostack.org

🔹 Read Adam's latest bookon Amazon

Please share with a fellow medical device security pioneer!

Securely yours,Cyber Doctor

Everyone knows cybersecurity in medical devices is important. But how many knowhow to make secure devices?

Our two guests Jose Bohorquez and Mohamad Foustok are packed of experience in building medical devices and they share their best practices on how to do so.

Here are my top learnings from this one:

✦ Include cybersecurity from the start in architecture - have at least one security-savvy architect to avoid major reworks

✦ Minimize third-party dependencies - each additional library increases security risk and monitoring burden

✦ Match security controls to attacker incentives - attackers operate like businesses and won't spend more than potential gains

Want to become even more knowledgeable?

🔹 Get actionable advice on how to secure your medical devices every Thursday from my newslettercyberdoctornotes.com

🔹 Find out more about Jose and Mohamed's work in medical device software development & cybersecurity athttps://boldtype.com/

If you have 10 seconds to give my show a review I will be very happy!

Securely yours,

Cyber Doctor

To get us started on this journey, I invited one of the most influential medical device patients in the cybersecurity space. Veronica "Vee" Schmitt is an advocate for cybersecurity in medical devices. Veronica shares her personal journey from experiencing fainting spells at 19 to becoming fascinated with the security of medical devices.

Throughout this episode you'll learn about the surprising reality of being a medical device patient in cybersecurity:

Please give my show a review!

Securely yours,

Cyber Doctor

Hi Folks! This introduction episode is to present the Medical Device Cybersecurity Podcast and myself, your holt, Mathieu “Cyber Doctor” Peteau.

Since this episode might be the only one that focuses on me, I'll take advantage of this and your burning questions:
✔️ How I random events led me to medical device cybersecurity
✔️ Why I'm the Cyber Doctor?
✔️ How I left a top cybersecurity company to pursue Medical Device Cybersecurity?

🔹 Timestamps:

01:02 The podcast's mission

Are you passionate about medical device cybersecurity and have amazing ideas on how to improve it? Let’s talk!

Reach out to me at [email protected]

Resources Mentioned:
👋 My LinkedIn: linkedin.com/in/mathieupeteau

💡 Weekly actionable Medical Device Security advice: cyberdoctornotes.com

I can't wait to share the rest of the journey with you. In the meantime, if you could please subscribe and take a moment to leave a review, I would appreciate it very much.

All the best,

Your Cyber Doctor.