Blog

Cybersecurity Field Notes for Medical Device Teams.

Get practical insights, compliance tips, and expert guidance tailored for QA/RA professionals tackling FDA, MDR, and global cybersecurity requirements.

FDA reviewers are now asking for VEX/VDR files with your SBOM

Recently a manufacturer received an AINN request asking for VEX and VDR data alongside their CycloneDX SBOM. This isn't in the premarket guidance, but you're almost certainly already doing the work. You just aren't packaging it in the format the FDA now wants.

Alan ParkinsonAlan Parkinson

The EU Cyber Resilience Act and medical devices: what's in scope and what isn't

The EU Cyber Resilience Act (CRA) excludes medical devices under MDR. But health apps, wellness products, and companion apps without medical device claims? They're in scope. If you're using the 'launch as wellness first' strategy, cybersecurity regulation still applies from December 2027

Alan ParkinsonAlan Parkinson

What is an SBOM? Think food labels, but for software

An SBOM (Software Bill of Materials) is essentially an ingredients list for software. Just like checking food labels for allergens, an SBOM lets you scan for known cybersecurity vulnerabilities in your product's third-party components.

Alan ParkinsonAlan Parkinson
RSS Feed

Blog posts

Alan ParkinsonAlan Parkinson

SBOM vs SOUP: what's the difference?

You've maintained a SOUP list under IEC 62304 for years, and now the FDA or a hospital customer wants an SBOM. Isn't that the same document with a new name? Not quite. One is a safety classification, the other is a machine-readable inventory, and each does something the other can't. Here's how they fit together, and why your SBOM is the easiest way to keep your SOUP records honest.

Alan ParkinsonAlan Parkinson

Is my device a cyber device? What the FDA guidance actually says

Is a medical device with a USB port really a "Cyber Device" and requires all the cybersecurity documentation in an eSTAR? We look at the guidance and some useful tips.

Alan ParkinsonAlan Parkinson

Won't an SBOM give away my IP?

It's one of the most common objections I hear from founders, and once you see what an SBOM actually contains, it's a much smaller worry than it first appears. Here's what it does and doesn't expose, why submitting it isn't the same as publishing it, and why the list of libraries you used was never the secret worth protecting

Alan ParkinsonAlan Parkinson

Is ISO 27001 enough for medical device cybersecurity?

Since the MDR came into force, ISO 27001 has become common advice for medical device manufacturers. It's a sensible place to start, but it isn't the standard your notified body is checking against. Here's how ISO 27001 and IEC 81001-5-1 fit together as two gates with shared evidence.

Alan ParkinsonAlan Parkinson

Using GitHub Dependabot for your eSTAR SBOM: a practical guide (and where it falls short)

Quick answer: You can export an SBOM from GitHub's dependency graph and use Dependabot alerts to flag known vulnerabilities. For repositories using supported package managers (npm, pip, Maven, NuGet), this gives you a reasonable starting point. But an SBOM export and a list of dismissed alerts is not what the FDA expects in your eSTAR cybersecurity section. The gaps are significant, and they tend to surface at exactly the wrong moment.

Newsletter

Never miss an insight.
Subscribe to The Detective’s Notebook.

Practical cybersecurity regulatory insights and guides for medical device teams. Free, no spam, unsubscribe anytime.