Insights

Field notes from the MedTech security trenches.

Deep dives on FDA expectations, threat modeling, penetration testing, SDLC, and the standards your team is being asked to meet.

All (272)Browse by topic →Fundamentals (65)FDA (60)Risk (34)IoT & Connected Devices (24)Standards (21)Testing (12)Pen Testing (10)FDA Compliance (6)Networking (6)Strategy (6)AI & ML (5)Compliance (5)Lifecycle (5)Identity & Access (4)SBOM & Supply Chain (4)Threat Modeling (4)Penetration Testing (3)Postmarket (3)Quality (3)SDLC (3)Cryptography (2)International (2)Device Class (1)Interoperability (1)Risk Management (1)Secure Architecture (1)

Showing 12 of 272 articles · Page 1 of 23

FDA· Jun 18, 2026

SPDF and IEC 62304 Mapping: FDA Cyber Guide

How SPDF activities map to IEC 62304 software lifecycle processes - the exact crosswalk FDA reviewers expect, where they overlap, and where 62304 falls short.

#SPDF #IEC 62304 #FDA

Read article

Postmarket· Jun 18, 2026

H-ISAC and Where to Monitor Medical Device Cybersecurity Threats in 2026

The threat intelligence sources medical device manufacturers should monitor to satisfy FDA Section 524B postmarket obligations: H-ISAC, CISA KEV, ICS advisories, NVD, MITRE ATT&CK for ICS, and vendor PSIRTs.

#H-ISAC #Threat Intelligence #CISA KEV

Read article

Compliance· Jun 18, 2026

FDA Section 524B Explained Subsection by Subsection: What Each Requirement Means in 2026

A subsection-by-subsection walkthrough of FDA Section 524B for cyber medical devices: what 524B(a), (b)(1), (b)(2), (b)(3), (b)(4), and (c) require, what artifacts satisfy each, and the deficiency patterns reviewers flag most.

#Section 524B #FDA #Premarket

Read article

Compliance· Jun 18, 2026

CAPA and Medical Device Cybersecurity: Closing the Loop on Vulnerabilities and FDA Deficiencies

How to run CAPA for medical device cybersecurity findings: when a vulnerability or FDA deficiency triggers a CAPA, what evidence closes it, and how the QMSR loop ties to 524B postmarket obligations.

#CAPA #QMSR #FDA

Read article

Risk Management· Jun 18, 2026

FMEA vs Threat Modeling for Medical Devices: Where Safety Risk Ends and Security Risk Begins

FMEA covers random and systematic failure modes; threat modeling covers adversarial action. Both are required for a 524B submission, and they do not substitute for each other. Here is how to scope them, link them, and avoid the gap.

#FMEA #Threat Modeling #ISO 14971

Read article

Compliance· Jun 18, 2026

HHS 405(d) and Medical Device Manufacturers: What HICP Practice #9 Means for Your 524B Submission

How HHS 405(d) and the Health Industry Cybersecurity Practices (HICP) Medical Device Security practice maps to FDA Section 524B artifacts, and how manufacturers should align their premarket and postmarket programs to satisfy both reviewers and hospital procurement.

#HHS 405(d)#HICP #FDA

Read article

Pen Testing· Jun 15, 2026

FDA Pen Test Timing: How Recent Does Your Penetration Test Need to Be at Submission?

What the FDA's Feb 3, 2026 guidance expects for penetration test recency, version-match, post-change re-testing, and pre-submission remediation, plus when a delta re-test will do and when you need a full one.

#Penetration Testing #FDA #Section 524B

Read article

Compliance· Jun 14, 2026

HIPAA and Medical Device Manufacturers: What Cybersecurity Obligations Actually Apply

When HIPAA applies to medical device manufacturers, how the 2025 Security Rule NPRM raises the bar, and how HIPAA obligations intersect with the FDA's Feb 2026 premarket cybersecurity guidance.

#HIPAA #Business Associate #Compliance

Read article

Interoperability· Jun 13, 2026

EHR/EMR Integration for Medical Devices: Common Systems and Cybersecurity Risks

Which EHR and EMR systems medical devices connect to (Epic, Oracle Health, MEDITECH, Allscripts, athenahealth), the integration protocols (HL7, FHIR, DICOM), and the cybersecurity risks the FDA expects you to document.

#EHR #EMR #Interoperability

Read article

Postmarket· Jun 13, 2026

CISA KEV Catalog for Medical Devices: What It Is and How to Use It

What the CISA Known Exploited Vulnerabilities (KEV) catalog is, how medical device manufacturers should use it in SBOM/VEX triage, and how the FDA treats KEV-listed CVEs.

#CISA #KEV #SBOM

Read article

International· Jun 13, 2026

Health Canada Medical Device Cybersecurity: 2026 Requirements

How Health Canada regulates medical device cybersecurity in 2026: pre-market license expectations, MDEL obligations, and how to reuse an FDA Section 524B package.

#Health Canada #International #SBOM

Read article

Device Class· Jun 13, 2026

Infusion Pump Cybersecurity: FDA Expectations in 2026

What the FDA expects from infusion pump cybersecurity submissions in 2026: threat model focus areas, Section 524B evidence, and the deficiencies that delay clearance.

#Infusion Pumps #FDA #Section 524B

Read article

Ready when you are

Get FDA cleared without the cybersecurity headaches.

30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.

Book strategy session Explore services