Colin Morgan is a key thought leader in the Healthcare Cybersecurity Industry, with over two decades of experience working in technology and cybersecurity. As Managing Director at Apraciti, Colin has helped various medical technology organizations build cybersecurity into their products, gain US FDA approval, and integrate cybersecurity with quality management systems.
Colin authored the cybersecurity chapter of the Global Medical Device Regulatory Strategy (second edition)1 book published by the Regulatory Area Professionals Society and co-author of the Medical Device and Health IT Joint Security Plan2, a voluntary framework for medical device cybersecurity released in 2019 by the US Healthcare and Public Health Sector Coordinating Council. Colin is also an expert trainer and facilitator for the US FDA driven Medical Device Innovation Consortium (MDIC) Medical Device & Diagnostic Threat Modeling Bootcamp training program.
Previously, Colin founded, developed, and led an industry leading Product Security Program at one of the largest healthcare companies in the world. As global leader and Head of Product Security, he helped develop and implement cybersecurity and quality processes, engineered medical devices for cybersecurity, performed security testing, and managed security vulnerabilities with security researchers.
Colin is a former Network & Security Engineer at the Central Intelligence Agency and contractor for a National Oceanic and Atmospheric Administrations’ supercomputing program. Throughout his career, Colin has accomplished the following:
- Built out Product Security Program Capabilities, including development and implementation of policies and processes and the integration with Quality Management Systems
- Provided Product Security Engineering support for products in development, including providing architecture reviews, threat models, documenting requirements, reviewing security test results, and supporting regulatory submissions
- Founded, developed and led a Product Security Program at one of the largest healthcare companies in the world, supporting Medical Devices, Healthcare Technology and Software as a Medical Device
- Built and led a team of Product Security Engineers, Product Security Penetration Testers and Product Security Incident Response Managers working to ensure Cybersecurity was part of the total product lifecycle
- Modified Medical Device Quality Management Systems to incorporate Cybersecurity from design and development through post market management, including regulatory compliance audit programs
- Participated in several industry efforts to improve Healthcare Cybersecurity, including Congressional Roundtables, US FDA Workshops, US DHS Tabletop Exercises and provided training on Product Cybersecurity to the US FDA, Canadian Government and Japanese Pharmaceutical and Medical Device Agency
- Current or former Member of several Medical Device Cybersecurity working groups including International Medical Device Regulators Forum, Healthcare Sector Coordinating Council, H-ISAC, AdvaMed and the Medical Device Manufacturers Association
- Recognized with the O’Reilly’s Security Defenders Award and Rapid7 Customer Award for efforts in partnering with the security research community on Vulnerability Disclosure
- Co-authored the Health Sector Medical Device and Health IT Joint Security Plan, released in 2019
- Member of the Medical Device Innovation Consortium (MDIC) Threat Modeling Bootcamp Training Program, funded and sponsored by US FDA in 2020
VIDEOS & DOWNLOADS :
Over the years Colin has spoken at a number of seminars and conferences and is considered one of the world's leading authorities on Medical Device Cybersecurity. We invite you to watch/download some of his past talks.
- Co-Author, Healthcare and Public Health Sector Joint Security Plan
- Author, Chapter 22, Cybersecurity; Global Medical Device Regulatory Strategy, Second Edition (RAPS)
- Interviewed and Quoted, technewsworld.com | Medical Device Insecurity: Diagnosis Clear, Treatment Hazy
- Interviewed and Quoted, jnj.com | 4 Ways Johnson & Johnson Is Leading the Fight Against Cyberattackers
- Interviewed and Quoted, financialtimes.com | Medical device makers wake up to cyber security threat
- Interviewed by Daniel Beard from MedISAO on the Medical Device Cybersecurity Purchasing Process
- Panel Presenter and Quoted, medtechintelligence.com | Moving Target: Playing Catch-Up in Cybersecurity
- Presenter and Quoted, njtechweekly.com | Internet of Medical Things Conference
US FDA Public Workshop (2019)
- Panel 1 – Legacy Learnings: Drag of the Past Driving Increased
- Resilience in the Future Panel 2 – Risk Assessment Approaches & Labeling
- For the “More Info” link use this –
AdvaMed Medical Device Cybersecurity Workshop (2019)
- Presentation/update on the Join Security Plan
- For the “More Info” link use this –
Archimedes Medical Device Security 101 Conference
- Provided a presentation titled OVERVIEW OF THE CYBERSECURITY BEST PRACTICES FOR HEALTHCARE PLAYBOOK
- Moderated a panel on Threat Modeling
- For the “More Info” link use this
- Participated in a panel discussion on Managing Cyber Risk for Life Sciences Technology
- For the “More Info link use this
Presentation w/ video, BSidesLasVegas, Spoke about Medical Device Cybersecurity
Keynote w/video, BioPharma Research Council Internet of Medical Thing Symposium
(Cybersecurity) Change Agent for Healthcare
MDIC Medical Device Threat Modeling Training
Trainer and facilitator for the training bootcamp provided to individuals from the medical device industry
Jon Litchfield is an experienced security architect and engineer committed to defending patients, products, and cloud systems from cyber threats. Jon has architected and engineered several healthcare technology devices, including medical devices, that continue to serve patients today. Jon has demonstrated success in Product and Information Security, Technology, Privacy, Risk Management, and business process improvement.
Jon has helped several medical device and healthcare companies implement regulatory compliance to international standards, certify their security programs, and improve their product’s ability to remain resilient to cyber threats. Jon has also lead entities through damaging security incidents, including malware, botnet infections, and data breaches.
These successes are not the result of working in isolation, but rather executed and delivered as a part of highly functioning teams, where Jon is comfortable as an experienced project manager and leader. This experience translates well to his ability to lead complex projects and process implementation related to new regulatory requirements and cybersecurity frameworks, such as NIST CSF, ISO 27001, Trust Services Criteria (SSAE SOC), HITRUST, GDPR, HIPAA, and other international data localization and data sovereignty requirements.
While capable in the regulatory space, Jon also enjoys working on technology too. He has experience in security testing and defense technologies, using frameworks such as OWASP, SANS, and NIST as well as tools such as FireEye, Qualysguard, Nessus, Nexpose, Veracode, SonarQube, FOSSA, Coverity, Burpsuite, Metasploit, SQLmap, nMap, manual exploitation techniques, as well as other tools. Jon brings a gamut of security experience that will assist you in protecting your IOT devices and Product Clouds.
- Led successful SOC2 Type 2 certification audits, HITRUST readiness assessments, FEDRAMP+ assessments, HIPAA Security Risk Assessments, and GDPR Privacy Impact Assessments for multiple medical device products and product clouds
- Team member of the MDS2:2019 Working Group that drove updates to the MDS2 medical device security disclosure form
- Managed web applications and cloud security programs across an international footprint, including regulatory and privacy law compliance
- Security architect and engineer on multiple medical devices, medical device data systems (MDDS), healthcare technology products, and product clouds in Azure and AWS that continue to serve patients today
- Received the 2016 ISACA Worldwide Achievement Award for conduct related to the Certified Information Security Manager (CISM) certification