Medical Device Cybersecurity News & FDA Updates
The latest FDA guidance changes, vulnerability disclosures, and industry coverage that matter to medical device manufacturers - tracked and summarized for product, quality, and security teams.
What this roundup covers
Medical device cybersecurity moves fast. The FDA publishes new premarket and postmarket expectations, vulnerabilities are disclosed by CISA and ICS-CERT, and manufacturers learn the hard way through 510(k) holds and warning letters. This page consolidates what changed recently across four buckets: FDA and global regulatory updates, vulnerability disclosures, industry news, and analysis from the Blue Goat Cyber team.
For deeper coverage of any single topic, follow the linked pages. For a full timeline of regulatory action, see the Regulatory Tracker.
Latest FDA & global regulatory updates
- EU Commission • Scheduled • Impact: High
EU Cyber Resilience Act becomes fully applicable
The CRA's core obligations - secure-by-design, SBOM, vulnerability handling, and 24-hour incident reporting - apply to products with digital elements placed on the EU market.
- Red Hat • Scheduled • Impact: High
RHEL 7 Extended Life Support ends - legacy device fleets need a memo
RHEL 7 ELS reaches end of support on 30 June 2026. Devices that still ship or service with RHEL 7 need a compensating-controls memo in their postmarket file.
- CISA • Active • Impact: High
CISA adds Linux kernel netfilter use-after-free to KEV (CVE-2026-0511)
A use-after-free in Linux kernel netfilter (CVE-2026-0511) was added to the Known Exploited Vulnerabilities catalog, affecting many embedded Linux device platforms.
- CISA • Active • Impact: High
CISA adds widely embedded BLE pairing bypass to the KEV
CISA added a BLE pairing bypass affecting an embedded Bluetooth stack used across consumer and medical wearables to the Known Exploited Vulnerabilities catalog.
- AAMI • Draft • Impact: Medium
ANSI/AAMI SW96 Amendment 1 draft circulated for member review
Draft amendment clarifies threat modeling traceability, security risk evaluation, and the relationship between SW96 and AAMI TIR57.
- FDA • Active • Impact: Medium
FDA postmarket cybersecurity 'update letter' cadence increases
Blue Goat Cyber tracking shows a year-over-year jump in postmarket cybersecurity update letters citing missing CVD URLs, stale SBOMs, and lack of triage SLAs.
- FDA • Active • Impact: High
FDA finalizes 2026 premarket cybersecurity guidance
FDA's 2026 final guidance replaces the 2023 document and sets binding expectations for SBOM, VEX, threat modeling, security testing, postmarket plans, and CVD for every cyber device submission.
- FDA • Withdrawn • Impact: Medium
FDA 2023 premarket cybersecurity guidance superseded
The September 2023 premarket cybersecurity guidance is superseded by the February 3, 2026 final guidance. Citing the 2023 document in new submissions is now a stale reference.
Industry news & coverage
From Blue Goat Cyber
- Blue Goat Cyber Named Medical Device Cybersecurity Partner of the Year at MedTech World North America 2026 Awards
Blue Goat Cyber wins Medical Device Cybersecurity Partner of the Year at the inaugural MedTech World North America summit in Florida. WEST PALM BEACH, FL, UNITED STATES, May 17, 2026 /EINPresswire.com/ -- Blue Goat Cyber, a cybersecurity firm dedicated …
- Cybersecurity Top Reason The FDA Rejects Medical Device Submissions, Says Blue Goat Cyber's Christian Espinosa
FDA premarket rejections have surged since the February 2026 cybersecurity guidance. Espinosa speaks at MedTech World North America, May 11–13. WEST PALM BEACH, FL, UNITED STATES, May 10, 2026 /EINPresswire.com/ -- When the FDA finalized its updated …
- Blue Goat Cyber to Sponsor LSI USA ’26 at Waldorf Astoria Monarch Beach, Dana Point, CA
Director of Regulatory Affairs & Compliance, Jordan John, Leading Panel on Building Trust, Value, and Safety Through Strategic Cybersecurity DANA POINT, CA, UNITED STATES, February 18, 2026 /EINPresswire.com/ -- Blue Goat Cyber, a leading full- …
- Blue Goat Cyber to Serve as Title Sponsor at MedTech World Middle East 2026 in Dubai, February 11-13
Founder and CEO Christian Espinosa Will Join Panel on Data Governance and Patient Safety for Scalable HealthTech in the GCC DUBAI, UNITED ARAB EMIRATES, January 28, 2026 /EINPresswire.com/ -- Blue Goat Cyber, a leading full-service medical device …
- Blue Goat Cyber Wins ‘MedTech Service Provider Excellence Award of the Year’ at MedTech Malta 2025
Blue Goat Cyber Honored for Global Leadership in Medical Device Cybersecurity, Threat Modeling, and Secure-by-Design Innovation VALLETTA, MALTA, November 16, 2025 /EINPresswire.com/ -- Blue Goat Cyber, a leading global provider of medical device …
- Blue Goat Cyber Named Gold Sponsor at MedTech World Malta 2025, Advancing FDA and EU MDR Cybersecurity Alignment
Blue Goat Cyber joins MedTech World Malta 2025 as Gold Sponsor, highlighting FDA & EU MDR cybersecurity compliance in MedTech. VALLETTA, MALTA, November 6, 2025 /EINPresswire.com/ -- Blue Goat Cyber, a U.S.-based leader in medical device …
Press coverage & expert commentary
- YouTube • Mention
Why Cybersecurity in MedTech matters? Christian Espinosa ...
- YouTube • Mention
Christian Espinosa, Blue Goat Cyber - Medical Device Security
- YouTube • Interview
Christian Espinosa, Blue Goat Cyber – Studio Interview - YouTube
- YouTube • Mention
Christian Espinosa on Medical Device Cybersecurity | LSI USA 2025
- Facebook • Mention
What is Traditional versus Medical Device Cybersecurity ... - Facebook
- X • Mention
Accelerating your medical device to market? FDA cybersecurity ...
- YouTube • Mention
Medical Device Cybersecurity: Entry Points & Patient Safety - YouTube
- LinkedIn • Mention
Christian Espinosa's Post - LinkedIn
Turn regulatory updates into a clear action plan.
Our medical device cybersecurity team helps manufacturers translate FDA guidance changes and vulnerability disclosures into concrete deliverables for 510(k), De Novo, and PMA submissions.