Monitoring & Patch Cadence Calculator

Three inputs - risk class, connectivity, PHI sensitivity - return the monitoring, patching, and reporting cadence FDA postmarket reviewers expect for your device.

Device risk class

Connectivity

PHI / sensitive data on device

Risk + connectivity + PHI sensitivity → a tiered cadence plan

• TierGauge infographic: A / B / C tier placement based on your inputs.
• Monitoring, patching, pen test, and FDA-reporting SLAs tuned to the tier.
• Reviewer-aligned cadence narrative you can drop into your postmarket plan.
• Tie-back to §524B postmarket obligations so audit trail is obvious.

What teams usually get wrong

• Myth: Annual pen testing is fine for any device.

  Reality: FDA expects pen test cadence to scale with risk and connectivity. Internet-connected Class II/III with PHI typically warrants every release plus a yearly external test - not just annual.

• Myth: 30-day FDA reporting only applies to recalls.

  Reality: Uncontrolled cybersecurity risk (CVSS-style or otherwise) can trigger a 30-day report under 21 CFR 806. The threshold is impact, not the word 'recall.'

• Myth: We monitor CVEs against our SBOM once a quarter.

  Reality: Reviewer expectation is continuous monitoring with documented triage SLAs. Quarterly cadence is a deficiency for any internet-connected device.

• Myth: Patch validation is the same for all devices.

  Reality: Closed-loop or life-supporting devices need bench + simulated-clinical validation per patch; lower-risk SaMD can use staged rollout with telemetry. The cadence tool tells you which lane you're in.

Primary sources behind this tool

1. Postmarket Management of Cybersecurity in Medical Devices (Dec 2016) - FDA
2. 21 CFR Part 806 - Reports of Corrections and Removals - U.S. Code of Federal Regulations
3. AAMI TIR97:2019 - Principles for Medical Device Security: Postmarket Risk Management - AAMI
4. CISA Known Exploited Vulnerabilities Catalog - CISA
5. FDA §524B Postmarket Obligations Summary - FDA

From cadence on paper to operating program.