- Cybersecurity Governance
- Risk Management
- Cybersecurity Management System
- Medical Devices Standards & Regulations
Our customer is active in the healthcare sector with more than 3,300 employees worldwide, which operates in a variety of business areas, and in our case, in medical devices manufacturing. For each project and product released in a specific market or country, our customer needed to manage all aspects of cybersecurity and data protection regulations, through defined and compliant processes.
Every year, the American, Canadian, Australian, Japanese, and European markets have to undergo the Medical Device Single Audit Program (MDSAP) audit. The lack of a cybersecurity program in their quality management system linked to the ISO 13485 certification had resulted in an inability to pass the audit and endangered their accreditation to keep manufacturing medical devices.
In a context where cyber attacks are increasingly aimed at medical facilities and devices, there is a growing need to reassure customers that devices will not be entry points for potential hackers. This has led the customer to ask our support to bridge its security skill gap and help in the implementation of a cybersecurity governance program.
A cybersecurity governance Subject Matter Expert was involved to manage the governance and processes. A technical cybersecurity SME coordinated these at a technical level to make sure they were appropriately put in place into the manufactured softwares and hardwares.
The steps to put in place a cybersecurity governance program implied:
- Setting up the cybersecurity risk management process by identifying the regulatory requirements of the business area.
- Identifying the technical vulnerabilities (through penetration testing), non-compliance vulnerabilities; vulnerabilities linked to the context of the device (i.e. inside the hospital environment) and vulnerabilities associated to people (i.e device users, manufacturing staff, nursing staff).
- Linking the vulnerabilities related to cybersecurity risks and assessing them. We then determined which risks required urgent corrective action and deployed control measures to reduce them.
- Identifying the processes to put in place to set up a cybersecurity management system.
- Documenting processes and actions to justify the security and data protection level of the medical devices to the relevant country authorities and customers.
- Ensuring supplier conformity.
With the help of our experts, our client was able to define, establish and implement all the activities and processes necessary for: risk management, compliance with the laws of various markets (Switzerland, Europe, USA, Canada, etc) and cybersecurity/data protection governance.
Standards and regulations such as NIST Framework, GDPR, FDA cybersecurity Guidance’s, HIPAA, MDR EU, MDCG, PIPEDA, ISO 2700X, etc were used and adequately executed.
While improving in a user-friendly way the security measures to address risks related to cybersecurity and data protection, our customer has developed an information security culture and behaviors throughout its activities and in the entire product life cycle of medical devices it manufactures.
Most importantly, our customer was able to define a cybersecurity and data protection strategy, establish and implement a cybersecurity Management System, and continuously ensure the correct management of all cybersecurity requirements through the organization, and worldwide.
Additionally, our Cybersecurity governance expert has been successfully been audited by the MDSAP as no non-conformity has been declared.