Insights

Field notes from the MedTech security trenches.

Deep dives on FDA expectations, threat modeling, penetration testing, SDLC, and the standards your team is being asked to meet.

All (252)Fundamentals (72)FDA (57)Risk (39)IoT & Connected Devices (25)Standards (21)Testing (14)Pen Testing (13)Networking (6)AI & ML (5)Identity & Access (5)Lifecycle (5)Strategy (5)Cryptography (3)Quality (3)SBOM & Supply Chain (3)SDLC (3)Threat Modeling (3)FDA Compliance (1)Penetration Testing (1)Secure Architecture (1)

Showing 12 of 252 articles · Page 1 of 21

Secure Architecture· Jun 5, 2026

Secure Update Infrastructure for Medical Devices: A Safety-Critical Subsystem

How to design, isolate, and defend the update channel for connected medical devices - signed manifests, dual-bank A/B, rollback protection, HSM-backed signing, TUF/Uptane, and what the FDA expects in the submission.

#FDA #Section 524B #Secure Updates

Read article

FDA Compliance· Jun 4, 2026

Does Device Class Decide FDA Cybersecurity Requirements?

Class I, II, III doesn't decide your FDA cybersecurity burden. Section 524B's cyber-device test and whether you file a premarket submission do. Here's how it actually works.

#FDA #Section 524B #Device Classification

Read article

Penetration Testing· Jun 3, 2026

Does the FDA Accept AI Pen Testing for Medical Devices?

What the FDA's Feb 2026 premarket cybersecurity guidance says (and doesn't say) about AI-run penetration testing, where AI helps, where it fails a 524B.

#Penetration Testing #AI #FDA

Read article

FDA· Jun 3, 2026

FDA Cybersecurity Deficiencies in PMA Submissions: AI Requests, Major Deficiencies, and Complete Response Letters

How the FDA flags cybersecurity gaps in PMA submissions - RTF, Major Deficiency, Approvable, and Complete Response Letters for combination products - and how to respond.

#FDA #PMA #Deficiency Response

Read article

FDA· Jun 3, 2026

PMA Supplement vs Real-Time vs 30-Day Notice for Cybersecurity Changes

Which PMA submission type a cybersecurity change requires - 180-day supplement, Real-Time, Special, 30-day notice, or annual report - and the decision logic under Section 524B.

#FDA #PMA #Premarket

Read article

FDA· Jun 3, 2026

FDA Cybersecurity Major vs Minor Deficiency: How Reviewers Grade Findings

How the FDA distinguishes Major from Minor cybersecurity deficiencies in 510(k) and PMA reviews, the response-window difference, and how to keep findings out of the Major column.

#FDA #Deficiency Response #510(k)

Read article

FDA· Jun 3, 2026

De Novo Cybersecurity Requirements: What the FDA Expects

How cybersecurity expectations apply to De Novo submissions under Section 524B - SPDF, SBOM, threat model, testing - and where De Novo differs from 510(k) and PMA.

#FDA #De Novo #Premarket

Read article

Standards· Jun 3, 2026

IEC 81001-5-1 vs AAMI SW96: Which Standard for Your SPDF?

IEC 81001-5-1 vs AAMI SW96 compared side-by-side: scope, lifecycle vs risk focus, FDA recognition, and which to anchor your Secure Product Development Framework on.

#Standards #IEC 81001-5-1 #AAMI SW96

Read article

Pen Testing· Jun 3, 2026

CAN Bus and CANopen Vulnerabilities in Medical Devices

Where CAN/CANopen shows up inside medical devices, the attack paths FDA reviewers want modeled, and the controls that actually hold up under pen test.

#Pen Testing #Hardware #Threat Modeling

Read article

Pen Testing· Jun 3, 2026

Fuzz Harness Generation for Medical Devices: HL7, DICOM, BLE GATT, MQTT, CoAP, and Proprietary Binary Protocols

How to build FDA-defensible fuzz harnesses for the protocols medical devices actually speak. Per-protocol tooling, grammar sources, seed corpus strategy, coverage signal, and where AI helps (and where it doesn't).

#Pen Testing #Fuzzing #Protocols

Read article

Standards· Jun 3, 2026

CVSS 3.1 vs 4.0 for Medical Devices: Vector Strings, Scoring, and What FDA Reviewers Want

CVSS 3.1 vs 4.0 for medical devices compared - vector strings explained metric by metric, why 4.0's Safety and Automatable metrics matter for patient harm, and how to handle the transition in FDA submissions and postmarket VEX.

#CVSS #VEX #SBOM

Read article

FDA· Jun 2, 2026

FDA Penetration Testing Requirements for Medical Devices

What the FDA's Feb 2026 premarket guidance actually requires for medical device penetration testing - what's inside a real pen test, what's separate.

#FDA #Penetration Testing #Section 524B

Read article

Ready when you are

Get FDA cleared without the cybersecurity headaches.

30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.

Book strategy session Explore services