Cybersecurity Governance Consulting for a Medical Device Manufacturer

Key challenges

Our customer is active in the healthcare sector, has more than 3,300 employees worldwide and operates in a variety of business areas; in our case, medical device manufacturing. For each project and product released in a specific market or country, the customer needed to manage all aspects of cybersecurity and data protection regulation through defined, compliant processes.

Every year, the customer's products for the American, Canadian, Australian, Japanese and European markets have to undergo a Medical Device Single Audit Program (MDSAP) audit. The absence of a cybersecurity program in the quality management system underlying its ISO 13485 certification had caused it to fail the audit and put at risk its accreditation to keep manufacturing medical devices.

In a context where cyber attacks are increasingly aimed at medical facilities and devices, there is a growing need to reassure customers that devices will not become entry points for attackers. This led the customer to ask for our support in bridging its security skills gap and implementing a cybersecurity governance program.

Our approach

A cybersecurity governance Subject Matter Expert (SME) was engaged to manage the governance and processes. A technical cybersecurity SME coordinated these at the technical level to make sure they were correctly applied to the software and hardware being manufactured.

Putting a cybersecurity governance program in place involved the following steps:

With the help of our experts, the client was able to define, establish and implement all the activities and processes necessary for risk management, compliance with the laws of its various markets (Switzerland, Europe, USA, Canada, etc.) and cybersecurity and data protection governance.

Standards and regulations such as the NIST Cybersecurity Framework, GDPR, the FDA cybersecurity guidance documents, HIPAA, the EU MDR, MDCG guidance, PIPEDA and the ISO 2700x series were applied and properly executed.

While improving, in a user-friendly way, the security measures addressing cybersecurity and data protection risks, the customer developed an information security culture and behaviours across its activities and throughout the entire life cycle of the medical devices it manufactures.

Most importantly, the customer was able to define a cybersecurity and data protection strategy, establish and implement a cybersecurity management system, and continuously ensure the correct handling of all cybersecurity requirements throughout the organization, worldwide.

Additionally, the governance work of our cybersecurity governance expert was successfully audited under MDSAP: no non-conformity was declared.