For medical devices, like the ones we build at Franklin.ai, there is even more complexity when you consider the use of AI, the drive to exceed global regulatory requirements and the paramount importance of patient safety. This is enough work to absorb a whole battalion of cybersecurity personnel and product engineers!
So where do you start?
When establishing your product team, a cybersecurity role is probably not on your list of first recruits. However, the benefits of having this experience from the start, at ground zero, will become clear as you sprint towards the product launch.
Here at Franklin.ai we have taken significant strides in establishing a comprehensive and robust approach to cybersecurity risk management.
While this is a long road, these four key initiatives helped us at Franklin.ai to build strong cybersecurity foundations.
1. Establish a risk-conscious culture attuned to cybersecurity
There’s no question that one of the most powerful defences we possess against cyber-harm is the right organisational culture.
At ground zero, you can build the right mindsets within the teams from the beginning. We all love the phrase “Cybersecurity is everyone’s responsibility”, but you must put it to work for you. Establishing key relationships across the product and organisational teams should be your primary objective. Reduce barriers and red tape, and support teams in calling out risks. It must be a safe environment to speak up.
Teams should also understand that they are accountable for deliverables as part of the cyber-risk management program, so it’s great to establish that expectation up front and ensure this becomes part of the culture and each team’s day-to-day focus.
2. Regulators are friends, not foes!
While any cybersecurity initiative can be a hard sell, it’s even tougher when there’s pressure for teams to build and deliver a product within a tight timeline.
The good news for the cyber program is that regulatory bodies are increasingly aware of the risks and are actively promoting resilience against cyber harm. Global regulatory bodies, including the TGA (Therapeutic Goods Administration, Australia) and the FDA (Food and Drug Administration, USA), are documenting these minimum requirements in the form of guidelines and formal requirements. These should be used to build your cyber roadmap. The added benefit of following these requirements is that they will also help to uplift your organisational cybersecurity maturity.
At the end of the day, when you come a-knockin’ for the regulatory clearance of your product, the regulator will want to see the depth of your cyber program and risk management procedures.
3. Define your architecture
When moving at pace, pivoting and changing designs, it can be difficult to build out your supporting documentation.
But as you lead the risk identification charge, it’s imperative that you can effectively understand the end-to-end functionality of the product, the supporting technology and the system boundaries, so you can visualise potential areas of risk. Living documents such as an SBOM (Software Bill of Materials) become very valuable assets and pave the way to establishing your risk and vulnerability management program.
4. Clear as mud
Your cyber expert must be able to articulate and translate requirements into a common language that can be understood across all product team members.
As you wade through the cyber objectives, you’ll find these are not limited to technical controls. Your cyber expert will need to work with multiple teams to establish good practices, strong processes and clear procedural documents.
The most effective way to support your teams is to break these objectives down into manageable pieces that can be integrated into team sprints. This approach allows the teams to take ownership and act swiftly, whilst also ensuring they understand the impact if any mistakes are made along the way.
If you’re looking at kicking off a new product soon, take a step back and think about the boxes you need to tick to ensure you can launch your product safely and securely. Get ahead of customer and regulatory expectations and build your risk controls and culture early!
By Colin MacDonald, Information Security Manager at Franklin.ai
Building the future
Franklin.ai aims to put ground-breaking AI tools in the hands of pathologists and benefit millions of patients every day. Learn more about the team behind the engineering excellence at franklin.ai.