Insights

Field notes from the MedTech security trenches.

Deep dives on FDA expectations, threat modeling, penetration testing, SDLC, and the standards your team is being asked to meet.

Compliance· Jun 26, 2026

Does Section 524B Apply to My Auto-Injector?

Section 524B applies to a connected auto-injector when the device constituent has software and any electronic interface, regardless of whether CDER or CDRH leads review.

#Section 524B#Combination Products#Auto-Injector

Read article

Privacy· Jun 26, 2026

De-Identification vs Anonymization for Medical Devices: HIPAA, GDPR, FDA

How de-identification and anonymization differ for medical device data under HIPAA Safe Harbor, Expert Determination, GDPR, and FDA AI/ML expectations — and where teams get it wrong.

#HIPAA#De-Identification#Anonymization

Read article

Threat Modeling· Jun 25, 2026

TARA for Medical Devices: FDA Premarket Threat Analysis

How Threat Analysis and Risk Assessment (TARA) fits FDA premarket cybersecurity, AAMI TIR57, and ISO 14971 for medical device manufacturers in 2026.

#Threat Modeling#FDA Premarket#Risk Management

Read article

Risk Management· Jun 25, 2026

Design FMEA for Medical Devices: dFMEA, ISO 14971 & Cybersecurity

How to run a design FMEA (dFMEA) for a connected medical device, link it to the ISO 14971 risk file, and hand off cyber-triggered failure modes to the threat model the FDA expects.

#dFMEA#FMEA#ISO 14971

Read article

SPDF· Jun 25, 2026

CI/CD Security Gates for Medical Devices: SPDF in Practice

How to wire SAST, SBOM, secrets, container, and signature gates into a medical-device CI/CD pipeline so the SPDF produces the evidence FDA reviewers expect under the Feb 3, 2026 guidance.

#SPDF#CI/CD#DevSecOps

Read article

Compliance· Jun 23, 2026

FDA Cybersecurity Failure Consequences for Medical Devices

What happens if you fail an FDA cybersecurity inspection: the 483-to-consent-decree enforcement ladder and the commercial fallout for device makers.

#FDA#Postmarket#Enforcement

Read article

Compliance· Jun 23, 2026

Documenting Update Cadence for an FDA §524B Submission

How to document update cadence for an FDA §524B submission: the regular cycle and the out-of-cycle expedited path reviewers expect under §524B(b)(2)(B).

#Section 524B#Premarket#Patching

Read article

Compliance· Jun 23, 2026

Does FDA Section 524B Apply to Legacy Devices?

FDA Section 524B applies to any new premarket submission for a cyber device, including legacy platforms. What attaches, what postmarket rules cover the rest.

#Section 524B#Legacy Devices#Postmarket

Read article

SDLC· Jun 23, 2026

SPDF vs SSDLC: What Medtech Teams Get Wrong

SPDF vs SSDLC for medical devices. Why the FDA's Secure Product Development Framework demands more than a standard Secure SDLC, and what to add.

#Primer

Read article

Pricing· Jun 20, 2026

How Much Does Medical Device Cybersecurity Cost in 2026?

What medical device cybersecurity actually costs in 2026 - the four cost drivers, fixed-fee vs hourly pricing, premarket vs postmarket budget lines, and the cost of delay.

#Pricing#Budget#FDA

Read article

FDA· Jun 18, 2026

SPDF and IEC 62304 Mapping: FDA Cyber Guide

How SPDF activities map to IEC 62304 software lifecycle processes - the exact crosswalk FDA reviewers expect, where they overlap, and where 62304 falls short.

#SPDF#IEC 62304#FDA

Read article

Postmarket· Jun 18, 2026

H-ISAC and Where to Monitor Medical Device Cybersecurity Threats in 2026

The threat intelligence sources medical device manufacturers should monitor to satisfy FDA Section 524B postmarket obligations: H-ISAC, CISA KEV, ICS advisories, NVD, MITRE ATT&CK for ICS, and vendor PSIRTs.

#H-ISAC#Threat Intelligence#CISA KEV

Read article

Ready when you are

Get FDA cleared without the cybersecurity headaches.

30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.