Meet Colin

Industry Recognized Expert

Colin Morgan

Job Title: Managing Director

Certifications: CISSP, CISM, GPEN

Experience: 20 Years


Telephone: +1-215-613-9900


Colin Morgan is a key thought leader in the Healthcare Cybersecurity Industry, with over two decades of experience working in technology and cybersecurity. As Managing Director at Apraciti, Colin has helped various medical technology organizations build cybersecurity into their products, gain US FDA approval, and integrate cybersecurity with quality management systems.

Colin authored the cybersecurity chapter of the Global Medical Device Regulatory Strategy (second edition) book published by the Regulatory Area Professionals Society and co-authored the Medical Device and Health IT Joint Security Plan, a voluntary framework for medical device cybersecurity released in 2019 by the US Healthcare and Public Health Sector Coordinating Council. Colin is also an expert trainer and facilitator for the US FDA-driven Medical Device Innovation Consortium (MDIC) Medical Device & Diagnostic Threat Modeling Bootcamp training program.

Previously, Colin founded, developed, and led an industry leading Product Security Program at one of the largest healthcare companies in the world. As global leader and Head of Product Security, he helped develop and implement cybersecurity and quality processes, engineered medical devices for cybersecurity, performed security testing, and managed security vulnerabilities with security researchers.

Colin is a former Network & Security Engineer at the Central Intelligence Agency and a former contractor for a National Oceanic and Atmospheric Administration supercomputing program. Throughout his career, Colin has accomplished the following:

  • Built out Product Security Program Capabilities, including development and implementation of policies and processes and the integration with Quality Management Systems
  • Provided Product Security Engineering support for products in development, including providing architecture reviews, threat models, documenting requirements, reviewing security test results, and supporting regulatory submissions
  • Founded, developed and led a Product Security Program at one of the largest healthcare companies in the world, supporting Medical Devices, Healthcare Technology and Software as a Medical Device
  • Built and led a team of Product Security Engineers, Product Security Penetration Testers and Product Security Incident Response Managers working to ensure Cybersecurity was part of the total product lifecycle
  • Modified Medical Device Quality Management Systems to incorporate Cybersecurity from design and development through post market management, including regulatory compliance audit programs
  • Participated in several industry efforts to improve Healthcare Cybersecurity, including Congressional Roundtables, US FDA Workshops, US DHS Tabletop Exercises and provided training on Product Cybersecurity to the US FDA, Canadian Government and Japanese Pharmaceutical and Medical Device Agency
  • Current or former Member of several Medical Device Cybersecurity working groups including International Medical Device Regulators Forum, Healthcare Sector Coordinating Council, H-ISAC, AdvaMed and the Medical Device Manufacturers Association
  • Recognized with the O’Reilly’s Security Defenders Award and Rapid7 Customer Award for efforts in partnering with the security research community on Vulnerability Disclosure
  • Co-authored the Health Sector Medical Device and Health IT Joint Security Plan, released in 2019
  • Member of the Medical Device Innovation Consortium (MDIC) Threat Modeling Bootcamp Training Program, funded and sponsored by US FDA in 2020


Over the years Colin has spoken at a number of seminars and conferences and is considered one of the world's leading authorities on Medical Device Cybersecurity. We invite you to watch/download some of his past talks.

01. Author

  • Co-Author, Healthcare and Public Health Sector Joint Security Plan

  • Author, Chapter 22, Cybersecurity; Global Medical Device Regulatory Strategy, Second Edition (RAPS)

02. Interviews

  • Interviewed and Quoted: Medical Device Insecurity: Diagnosis Clear, Treatment Hazy

  • Interviewed and Quoted: 4 Ways Johnson & Johnson Is Leading the Fight Against Cyberattackers

  • Interviewed and Quoted: Medical device makers wake up to cyber security threat

  • Interviewed by Daniel Beard from MedISAO on the Medical Device Cybersecurity Purchasing Process

  • Panel Presenter and Quoted: Moving Target: Playing Catch-Up in Cybersecurity

  • Presenter and Quoted: Internet of Medical Things Conference

03. Presenter

US FDA Public Workshop (2019)

  • Panel 1 – Legacy Learnings: Drag of the Past Driving Increased Resilience in the Future
  • Panel 2 – Risk Assessment Approaches & Labeling

AdvaMed Medical Device Cybersecurity Workshop (2019)

  • Presentation/update on the Joint Security Plan

Archimedes Medical Device Security 101 Conference

  • Moderated a panel on Threat Modeling

Marsh Insurance

  • Participated in a panel discussion on Managing Cyber Risk for Life Sciences Technology

Presentation w/ video, BSidesLasVegas, Spoke about Medical Device Cybersecurity

Keynote w/ video, BioPharma Research Council Internet of Medical Things Symposium

(Cybersecurity) Change Agent for Healthcare

04. Trainer

MDIC Medical Device Threat Modeling Training

Trainer and facilitator for the training bootcamp provided to individuals from the medical device industry