Blog

Making Medical Device Cybersecurity Simple (Well, Simpler).

Get practical insights, compliance tips, and expert guidance tailored for QA/RA professionals tackling FDA, MDR, and global cybersecurity requirements.

RSS Feed

Wednesday, March 25, 2026

Alan Parkinson

Using GitHub Dependabot for your eSTAR SBOM: a practical guide (and where it falls short)

Quick answer: You can export an SBOM from GitHub's dependency graph and use Dependabot alerts to flag known vulnerabilities. For repositories using supported package managers (npm, pip, Maven, NuGet), this gives you a reasonable starting point. But an SBOM export and a list of dismissed alerts is not what the FDA expects in your eSTAR cybersecurity section. The gaps are significant, and they tend to surface at exactly the wrong moment.

Wednesday, February 18, 2026

Alan Parkinson

FDA reviewers are now asking for VEX/VDR files with your SBOM

Recently a manufacturer received an AINN request asking for VEX and VDR data alongside their CycloneDX SBOM. This isn't in the premarket guidance, but you're almost certainly already doing the work. You just aren't packaging it in the format the FDA now wants.

Monday, January 26, 2026

Alan Parkinson

UK medical device cybersecurity: where the rules stand (and don't)

The UK Medical Devices Regulations 2002 contain no explicit cybersecurity requirements. The word doesn't appear once. Yet new postmarket surveillance rules now require reporting security incidents within 15 days and treating security patches as Field Safety Corrective Actions. Where UK medical device cybersecurity stands in 2026, and where it doesn't.

Wednesday, December 17, 2025

Alan Parkinson

The EU Cyber Resilience Act and medical devices: what's in scope and what isn't

The EU Cyber Resilience Act (CRA) excludes medical devices under MDR. But health apps, wellness products, and companion apps without medical device claims? They're in scope. If you're using the 'launch as wellness first' strategy, cybersecurity regulation still applies from December 2027

Wednesday, August 6, 2025

Alan Parkinson

Illumina's £9.8M DoJ Settlement: A Cybersecurity Wake-Up Call for Medical Device Manufacturers

The first-of-its-kind cybersecurity settlement shows the DoJ is serious about backing up FDA requirements with real consequences. Here's what QA and RA teams need to know.

Newsletter

Never miss an insight.
Subscribe to The Detective’s Notebook.

Practical cybersecurity regulatory insights and guides for medical device teams. Free, no spam, unsubscribe anytime.

Blog posts

Using GitHub Dependabot for your eSTAR SBOM: a practical guide (and where it falls short)

FDA reviewers are now asking for VEX/VDR files with your SBOM

UK medical device cybersecurity: where the rules stand (and don't)

The EU Cyber Resilience Act and medical devices: what's in scope and what isn't

Illumina's £9.8M DoJ Settlement: A Cybersecurity Wake-Up Call for Medical Device Manufacturers

Never miss an insight.Subscribe to The Detective’s Notebook.

Never miss an insight.
Subscribe to The Detective’s Notebook.