    Episode 8 · January 7, 2025 · 30m listen · 473 words · ~2 min read

    Startups, Regulations, & Risk: Insights from MedTech Guru Etienne Nichols | Ep. 7 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 8 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

    This episode of The Med Device Cyber Podcast features Etienne Nichols, Head of Industry Insights and Education at Greenlight Guru, a company specializing in Quality Management Systems (QMS) for medical devices. Joined by Trevor, Director of Medical Device Cybersecurity at Blu Goat Cyber, the discussion provides valuable insights for product security teams, regulatory leads, and engineers. The conversation demystifies acronyms prevalent in MedTech, such as QMS, ISO 13485, and 21 CFR Part 820, and introduces the upcoming Quality Management System Regulation (QMR). Nichols emphasizes the critical role of a QMS in ensuring consistent, reliable, safe, and effective medical devices, especially for startups navigating regulatory landscapes. The episode delves into the importance of designing cybersecurity into medical devices from the outset, highlighting the interconnectedness of safety risk management (ISO 14971) and security risk management (TR57). Practical advice is offered on leveraging QMS for traceability, managing legal and ethical risks, and streamlining processes like Corrective and Preventive Actions (CAPA) in response to vulnerabilities. The speakers also address the challenges large companies face with inadequate documentation systems and the growing demand from hospitals for robust cybersecurity assurances.

    Key takeaways from this episode

    • A Quality Management System (QMS) is crucial for medical device companies, regardless of size, to ensure consistent, reliable, safe, and effective products and to manage regulatory compliance.
    • Cybersecurity must be designed into medical devices from the initial development phase, not bolted on afterward, to ensure effective risk management and regulatory compliance.
    • Safety risk management (ISO 14971) and security risk management (TR57) are distinct but interconnected frameworks, and understanding their overlap is essential for comprehensive medical device security.
    • The Corrective and Preventive Action (CAPA) process within a QMS is vital for addressing identified vulnerabilities and preventing their recurrence, ensuring continuous improvement in product security.
    • Even if not explicitly required for initial FDA clearance, demonstrating robust internal cybersecurity practices and manufacturing environment security is increasingly important for market adoption, especially with hospitals.
    • Effective documentation control and traceability within a QMS are critical to avoid repeat work, legal risks, and to simplify audits by regulatory bodies like the FDA.

    Full episode transcript

Hi, welcome to another episode of The Med Device Cyber Podcast. Today we have a guest from Greenlight Guru. We've got Etienne. Etienne works with Greenlight Guru and they specialize in Quality Management Systems. We also have Trevor, who you've seen before on our podcast. Trevor works for Blu Goat Cyber. He's our Director of Medical Device Cybersecurity, our in-the-weeds tech person who does a lot of the hacking and leads our hacking team. So, welcome to the podcast. Etienne, you want to introduce yourself a little more formally than I did?

Absolutely, thank you so much for having me on. My name is Etienne Nichols. I'll tell you a little bit about what I do at Greenlight Guru. So, my position as the Head of Industry Insights and Education at Greenlight Guru means I get to talk to a lot of professionals such as yourself. I head up a lot of different articles and content that we produce and try to just add that insight to the industry. At Greenlight Guru, a lot of people look at us as a content provider in some ways, and in a lot of ways we are. Ultimately, the way we make money, I suppose, is to sell software solutions to the industry, and what we specialize in is quality management system and clinical investigation solutions.

I've seen a lot of your podcasts, and you guys do create a lot of content.

Well, it's good that you've seen it, at least. Hopefully, it's been helpful or beneficial in some way.

It has, because when I first started doing this stuff, I didn't know what a QMS was or what ISO 13485 is. There's a lot of acronyms like QSR, QMS, 21 CFR 820. If you're new to MedTech, it can be super confusing because from cybersecurity, we have all these acronyms, and then combine that with MedTech, and then the FDA and the MDR. Those are acronyms within themselves. It becomes a very confusing space, plus then you have the medical acronyms that people use as well, so it's very acronym-rich.
Even when the regulatory agencies themselves are an acronym, there's kind of a problem going on, an obsession with acronyms.

And there's a new one coming on too, QMR. You mentioned ISO and the FDA's QSR; if you combine those, you've got QMR. That's what's coming next: Quality Management System Regulation from FDA. We could talk a little bit about that if you want, however you want to go, happy to go whatever trail you like.

I think it would probably be useful just to establish a baseline and let people know from a high level what a QMS is and why they would even need one. A lot of our clients are startups, and they probably haven't even thought down the road like,