MedDeviceGuide

Topic: Cybersecurity

23 articles

EU MDR / IVDR

EU AI Act + MDR Single Evidence Matrix: How to Build One Combined Technical File Without Duplicating Work

A field-by-field evidence matrix mapping MDR Annex II/III technical documentation, ISO 14971 risk management, PMS/PMCF, cybersecurity, data governance, human oversight, and QMS records to EU AI Act high-risk obligations — for manufacturers who must comply with both frameworks simultaneously.

Cybersecurity

FDA Cybersecurity Unresolved Anomalies Table: How to Document Vulnerabilities and Residual Risk in Premarketing Submissions

How to build the Unresolved Software Anomalies table for FDA premarket cybersecurity submissions — CVSS scoring, exploitability assessment, clinical impact analysis, compensating controls, SBOM linkage, VEX status, labeling language, release criteria, and common reviewer objections.

Standards & Testing

IEC 62304 Edition 2 (2026): Software Process Rigor Levels, AI/ML Provisions, and What Changes for Medical Device Manufacturers

A comprehensive guide to IEC 62304 Edition 2 — the 2026 update replacing safety classes A/B/C with rigor levels, expanding scope to all health software, adding AI/ML lifecycle requirements, integrating cybersecurity, and practical compliance timelines for medical device manufacturers.

FDA QMSR

QMSR Supplier Quality Agreement for Cloud, AI, Cybersecurity, and Testing Vendors: Clause-by-Clause Construction Guide

How to draft ISO 13485 / QMSR-compliant supplier quality agreements for critical outsourced vendors — cloud hosting providers, AI model/data vendors, penetration testing firms, ASCA/non-ASCA test labs, and sterilization vendors — with clause-by-clause guidance, vulnerability notification clauses, audit rights, CAPA cooperation, change notification, and evidence records.

Cybersecurity

SBOM-to-VEX Vulnerability Triage Workflow for Medical Devices: From CVE Intake to Field Action Decision

Operational playbook for medical device PSIRT teams — SBOM component matching, exploitability analysis, VEX justification authoring, PSIRT severity scoring, CAPA trigger thresholds, field safety corrective action decisions, and customer communication timing.

510(k)

Special 510(k) for Software and Cybersecurity Changes: Decision Tree and Evidence Package

Decision tree for when a software or cybersecurity update can use Special 510(k) vs Traditional 510(k) — risk analysis, V&V summary, FDA guidance, and evidence package requirements.

Cybersecurity

FDA Cybersecurity Premarket Submission Deficiencies: 12 Common Rejection Reasons and How to Fix Them (2026)

Practical guide to the top 12 FDA cybersecurity deficiencies causing premarket submission holds in 2026 — SBOM gaps, threat modeling failures, risk assessment mistakes, and fixes aligned with the February 2026 final guidance and Section 524B.

Cybersecurity

Coordinated Vulnerability Disclosure for Medical Devices: Building a Post-Market Cybersecurity Program

Practical guide for building a coordinated vulnerability disclosure (CVD) program for medical devices — covering PSIRT setup, vulnerability intake and triage, CVSS scoring, SBOM linkage, field safety notices, FDA Section 524B requirements, EU expectations, and customer communication templates.

IVD & Diagnostics

Direct-to-Consumer Genetic Tests: FDA, FTC, Privacy, Clinical Validity, and Claims Control

Regulatory, commercial, and privacy risk guide for direct-to-consumer (DTC) genetic testing companies — covering FDA oversight of DTC IVDs, wellness vs. medical claims boundaries, analytical and clinical validity requirements, risk report authorization, GINA and state privacy laws, FTC advertising substantiation, 23andMe bankruptcy data precedent, and practical guidance on claims that change regulatory status.

Digital Health & AI

Medical Device Cybersecurity Penetration Testing & Vulnerability Assessment: FDA & EU MDR Requirements for 2026

FDA's February 2026 cybersecurity guidance and Section 524B of the FD&C Act make penetration testing, vulnerability scanning, and fuzz testing mandatory evidence for connected medical device submissions. This guide covers what testing is required, how to structure results, common FDA deficiencies, EU MDR cybersecurity expectations, and how to build a testing program that satisfies both regulatory frameworks.

Digital Health & AI

Medical Device Third-Party Vendor Cybersecurity Risk Management: FDA Requirements, QMSR, and Compliance Guide

Complete guide to third-party vendor cybersecurity risk management for medical devices — FDA Section 524B, QMSR ISO 13485 alignment, SBOM requirements, vendor risk assessment frameworks, MITRE threat modeling, and implementation strategies for connected device manufacturers.

Digital Health & AI

Medical Device Interoperability: HL7, FHIR, and Connected Device Standards in 2026

How HL7 FHIR, IEEE 11073, and DICOM standards enable medical device data interoperability — including the Caliper Accelerator, CMS mandates, FDA premarket expectations, and implementation guidance for manufacturers.

Cybersecurity

Privacy by Design for Medical Devices: A Practical Guide to Data Protection in Connected Healthcare

How to implement Privacy by Design principles in medical device development — covering GDPR, HIPAA, data minimization, consent management, anonymization, and the 2026 regulatory landscape for connected devices and wearables.

Digital Health & AI

ISO 27001 for Medical Device Companies: Information Security Management Implementation Guide

How medical device companies can implement ISO 27001 for information security — ISMS requirements, certification cost and timeline, integration with ISO 13485 and FDA cybersecurity requirements, IEC 62443 comparison, and step-by-step implementation roadmap.

EU MDR / IVDR

GDPR Compliance for Medical Device and IVD Companies: A Practical Guide to EU Data Protection in 2026

Complete guide to GDPR compliance for medical device and IVD manufacturers — special category health data, Data Protection Impact Assessments, DPO requirements, lawful bases for processing, cross-border transfers, and how GDPR intersects with EU MDR, IVDR, and the AI Act.

Digital Health & AI

Internet of Medical Things (IoMT): Regulatory Compliance, Cybersecurity, and Market Access Guide

Complete guide to IoMT (Internet of Medical Things) regulatory requirements — FDA cybersecurity mandates for connected devices, SBOM requirements under Section 524B, EU MDR compliance for IoMT, market size, risk classification, and manufacturer obligations in 2026.

Standards & Testing

Wireless & RF Regulatory Compliance for Medical Devices: FCC, RED, and Global Requirements

A comprehensive guide to wireless and RF regulatory compliance for connected medical devices — FCC equipment authorization, EU Radio Equipment Directive (RED), wireless coexistence testing, cybersecurity requirements, risk management, and global market access strategies.

Digital Health & AI

Cloud-Based Medical Devices & SaaS: Regulatory Compliance Guide (FDA, EU MDR 2026)

How cloud-based medical devices and SaaS health platforms are regulated in the US and EU — FDA and EU MDR classification of cloud-connected devices, SaMD vs SiMD distinction for cloud software, IEC 62304 Edition 2 lifecycle requirements, cybersecurity (SPDF, SBOM, IEC 81001-5-1), FDA CSA guidance for QMS cloud tools, EU Cyber Resilience Act impact, data integrity and validation challenges, and practical compliance strategies for manufacturers.

Cybersecurity

HIPAA Compliance for Medical Device Companies (2026 Security Rule Update)

Complete guide to HIPAA compliance for medical device manufacturers — when HIPAA applies to devices, the 2026 Security Rule NPRM changes (mandatory encryption, MFA, network segmentation, 24-hour incident notification), business associate agreements for IoMT, FDA cybersecurity overlap, risk assessment frameworks, and step-by-step compliance strategies for connected medical devices.

Digital Health & AI

Mobile Medical Applications: FDA & EU MDR Regulatory Guide (2026)

Complete regulatory guide to mobile medical apps in 2026 — FDA Policy for Device Software Functions, when mobile apps are regulated as medical devices vs wellness products, the 2026 General Wellness and CDS guidance updates, EU MDR classification under Rule 11, mobile-specific cybersecurity and privacy requirements, app store compliance, and step-by-step classification strategies for mobile health developers.