Deep dives on FDA expectations, threat modeling, penetration testing, SDLC, and the standards your team is being asked to meet.
Showing 12 of 360 articles · Page 2 of 30
Most 510(k) deficiencies don't fail on clinical data. They fail on cybersecurity. FDA reviewers are sending Additional Information (AI) requests, and outright Refuse-to-Accept (RTA) holds, at a rate that has become the primary timeline risk for connected device submissions. The documentation bar has
Read article
Device teams consistently make the same mistake with SPDF (Secure Product Development Framework) cybersecurity documentation: they treat it as a paperwork exercise and assemble artifacts at the end of development instead of generating them as engineering work happens. The result is a submission that
Read article
Performing a thorough cybersecurity risk analysis for a medical device isn't optional once your product qualifies under Section 524B of the FD&C Act. The FDA's 2026 cybersecurity guidance is direct: if your device meets the "cyber device" threshold, you must demonstrate reasonable assurance of cyber
Read article
Every premarket submission for a cyber device now legally requires a software bill of materials, and missing it can get your submission refused outright. Building a compliant medical device SBOM isn't optional under Section 524B of the FD&C Act, enforced since October 2023. This isn't a recommendati
Read article
What are the cybersecurity risks of legacy medical devices in hospitals? It's a question more hospital security teams are asking, and not finding easy answers to. Hospitals operate some of the most sophisticated care environments in the world: robotic surgery systems, real-time patient monitoring ne
Read article
Picture a seasoned enterprise CISO handed responsibility for a fleet of connected infusion pumps and networked imaging systems. They reach for familiar tools: EDR agents, patch managers, a NIST-aligned risk framework, and an annual compliance audit cycle. Within weeks, the tools don't install. The p
Read article
Many MedTech companies end up with the wrong cybersecurity vendor. Not because they don't care about security, and not because good options don't exist. They pick the wrong one because they don't know what separates a firm that has lived inside FDA submissions from one that handles enterprise IT and
Read article
Getting a 510k deficiency letter for cybersecurity is not a rejection. It is a specific, addressable request from the FDA that tells you exactly what documentation is missing or insufficient. At Blue Goat Cyber, we have guided device manufacturers through this situation repeatedly, and the pattern i
Read article
The FDA's February 2026 cybersecurity final guidance made one thing unmistakably clear: penetration testing is no longer something manufacturers can bolt on at the end of development. For cyber devices under Section 524B of the FD&C Act, it is a required, documented, and reviewable part of premarket submissio
Read article
The FDA's cybersecurity guidance for medical devices is no longer a best-practices document. Since March 29, 2023, it is an enforceable submission criterion. Fail to meet it, and your 510(k), PMA, or De Novo can be denied outright. That's not a hypothetical. It's the regulatory baseline device teams
Read article
Medical device cybersecurity is not a documentation exercise you complete before submission. It is a full lifecycle commitment that starts at the first design decision and runs through decommissioning, spanning every team that touches the product. The stakes are real: 53% of networked medical device
Read article
In this episode of The Med Device Cyber Podcast, host Trevor Slattery with guest Dr. Basant Bajpai, CEO of Compliance MedQar, delve into the crucial role of early Quality Management System (QMS) implementation for medical device manufacturers. Dr. Bajpai emphasizes that early ado
Read article30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ submissions.
