Blue Goat Cyber logoBlue Goat CyberSMMedical Device Cybersecurity
    K
    Editorial standards

    How the Goat Feed is built

    The Goat Feed is the MedTech cybersecurity feed of record. Every item links to a primary source. Every Notable or Critical item carries a short analyst note from Blue Goat Cyber Research. When we get something wrong, we log the correction publicly. This page documents exactly how that works.

    Sources → category mapping

    Every row in the feed traces back to one of these primary sources. Each card shows the ingest cadence, the scope we keep, which feed categories the source can populate, and how severity is decided.

    • Scope - Entries whose vendor/product/CVE text matches our MedTech vendor list or device-relevant software stack (operating systems, runtimes, comms libraries, common OT components).

      Feeds intoKEVCVE

      Severity - Always Critical - active in-the-wild exploitation by definition.

    • CISA ICS Medical Advisories (ICS-MA)RSS, ingested on publish

      Scope - Every ICS-MA advisory; no filtering. These are inherently device-relevant.

      Feeds intoGuidanceCVE

      Severity - Notable by default. Upgraded to Critical when paired with a KEV add or active exploitation.

    • FDA Medical Device Safety CommunicationsFirecrawl scrape, multiple times per day

      Scope - All safety communications; cyber-flagged items elevated.

      Feeds intoFDA

      Severity - Critical when the communication is cyber-flagged. Notable for material device safety issues with a cyber angle. Info otherwise.

    • openFDA Device RecallsDaily JSON pull, last 30 days by event_date_posted

      Scope - All device recall events; classification used to derive severity.

      Severity - Class I → Critical. Class II → Notable. Class III → Info. Recalls referencing firmware/software defects are tagged Software Quality.

    • Scope - Filtered to connected, software, AI/ML, or device categories with a known cyber surface (no purely mechanical clearances).

      Feeds intoMarket524B

      Severity - Info by default. Tagged 524B when the clearance falls under Section 524B cyber device scope (signal for future postmarket monitoring).

    • Scope - Adverse event reports with cyber-related keywords (unauthorized access, malware, ransomware, network outage, integrity failure, etc.) in narrative text.

      Severity - Notable when the report describes a confirmed cyber signal. Info for ambiguous software-quality reports flagged for review.

    • MHRA Drug & Device Alerts (UK)RSS, ingested on publish

      Scope - Field Safety Notices and National Patient Safety Alerts for medical devices.

      Severity - Notable for cyber-relevant FSNs. Info for general device alerts referenced for context.

    • Scope - Newly published CVEs whose CPE strings match our MedTech vendor list.

      Severity - Notable when CVSS ≥ 7.0 or EPSS percentile ≥ 90. Info otherwise. Upgraded to Critical on subsequent KEV add.

    • AAMI standards updatesManual review on publication

      Scope - New or revised TIR57, TIR97, SW68, SW96, and related MedTech security standards.

      Feeds intoGuidance

      Severity - Notable for new or revised standards with binding-by-reference impact. Info for drafts and committee notes.

    • IMDRF documentsManual review on publication

      Scope - International Medical Device Regulators Forum publications, including the IMDRF cybersecurity working group.

      Feeds intoGuidance

      Severity - Notable for final documents. Info for consultation drafts.

    Coverage roadmap: BfArM / ANSM / Swissmedic ingest, FDA 483 inspection findings, and deeper EPSS-driven CVE triage are scheduled additions. The legacy short-form sources list is preserved below for citation.

    Citation reference

    Direct links to the primary upstream feeds and endpoints we pull from, for citation and independent verification.

    Severity rubric

    Every item gets one of three severities at ingest. Severity is recomputed if the underlying signal changes (e.g. a CVE moves to KEV, a recall is upgraded).

    Critical
    • Active in-the-wild exploitation (CISA KEV add, public PoC + attack telemetry).
    • Class I recall (reasonable probability of serious adverse health consequences or death).
    • FDA Safety Communication flagged as cybersecurity-related.
    • Regulatory deadline shift inside 90 days (e.g. 524B enforcement change).
    Notable
    • CISA ICS Medical Advisory affecting a named device or platform.
    • Class II recall.
    • FDA Warning Letter on device, QSR (21 CFR 820), or cybersecurity grounds.
    • Newly disclosed CVE in a MedTech-relevant component (no in-the-wild evidence yet).
    Info
    • 510(k) clearance for a connected device (signal for future scope).
    • Class III recall.
    • General FDA medical device news without a cyber angle.

    The Blue Goat take

    The Blue Goat take is the analyst note that appears under Notable and Critical items. It is the editorial value-add that distinguishes this feed from a raw aggregator.

    • Only added to items at severity Notable or Critical. Routine recalls stay clean.
    • Drafted by an AI agent on ingest, then reviewed and edited by a Blue Goat Cyber analyst when material.
    • Marked Analyst edited when a human has overridden the AI draft.
    • Never invents CVE numbers, dates, FDA guidance versions, or vendor names. The model is grounded against the source excerpt and is rejected if it includes banned marketing language or em-dashes.

    Corrections policy

    Every material edit to a published item is logged with the field changed, the before and after, and the reason. Items with a logged correction show a Corrected badge. If you spot something wrong, tell us and we will correct it and credit you on request.

    Contact

    Source suggestions, corrections, and tips: research@bluegoatcyber.com.

    Get the Monday summary

    One short email each week

    Notable and critical items from the past seven days, with the Blue Goat take included.