A list of the details FDA has disclosed for the last two years (the list hasn’t changed) of the most frequent errors made in cybersecurity during a submission.
March 2, 2026
By: Christopher Gates
Founder & CEO
It’s been 12 years since FDA started regulating cybersecurity in medical devices, and three years since Congress provided the agency the legal mandate to define and enforce cybersecurity in medical devices.
What does this mean for those of you working on the latest device?
First, I suspect you have a tight schedule, are maintaining commitments to investors, and are light on funding. In addition, you may have little idea of what “medical device cybersecurity” means to FDA (and the understanding you do have is probably sketchy at best).
Over the last few years, FDA has streamlined its process to facilitate premarket reviews. Part of that involves the use of an electronic submission approach called eSTAR [1]. While this system offers some flexibility for other artifacts related to a premarket submission (e.g., hazard analysis, biocompatibility, etc.), FDA is extremely prescriptive about what it expects regarding cybersecurity.
According to the agency, “If your medical device contains software, you need to provide all of the FDA-mandated cybersecurity documents.” While this statement has been repeated by regulators and security experts for years, I still need to repeat it on a weekly basis. Device makers insist, “This doesn’t apply to my medical device,” and offer an array of accompanying justifications for their position.
Notice FDA’s statement presents no modifiers that might address patient risk, communication mediums, size of company, day of the week, or any other excuse a device maker may come up with.
What are these documents/artifacts mandated by FDA? The agency makes you work for this list; it certainly doesn’t spell it out in its premarket cybersecurity guidance [2]. However, the list can be assembled by reviewing eSTAR itself. Further, since eSTAR gets modified, there are different versions (currently, we are at V6), and the quantity, type, and contents of these artifacts change across versions.
The list of artifacts as of the current version of eSTAR includes:
Additionally, use the eSTAR help dialogs (click on the “?”) to determine what the minimum content should be for each document.
This represents the starting point for cybersecurity documentation in your submission. Beyond that, things can still go wrong. There are several best practices to use with these documents.
Following is a list of the details FDA has been disclosing for the last two years (the list hasn’t changed) of the most frequent errors made in cybersecurity during a submission. I arranged these in a Top 10 order to represent my own observations as the most common mistakes. However, to be clear, all of these should be addressed in a submission regardless of the order.
A few years ago, this was a valid approach to avoiding FDA’s security requirements. I agree that without any form of communication functionality (e.g., Ethernet, Wi-Fi, USB, Bluetooth, serial, I2C, SPI, CAN, cellular baseband, LoRa, satellite, IEEE 802.15, proprietary wireless, etc.), there is no attack surface that can affect a large set of victims at once. However, FDA realized that scoping the requirements to devices with communications present was pushing manufacturers to remove communications from the device, forfeiting the features and functionality gained by supporting connectivity.
A common misconception is that modifying your product so that it is no longer classed as a “cyber device” (as defined in FD&C Act section 524B) exempts it from FDA’s cybersecurity expectations. FDA has interpreted the law in a stricter sense than its text: the premarket cybersecurity guidance covers every 524B topic plus additional ones, so for practical purposes you can set aside what 524B says. Satisfying the guidance is what is required to secure FDA clearance or approval.
The first person at FDA to view your submission is not the reviewer, but a person conducting a “technical review.” This individual is tasked with verifying that all required documents are present and resemble the expected content. Failing this technical review results in the submission being rejected before it even reaches a reviewer.
Put yourself in the position of the reviewer: you have a limited amount of time to evaluate a cybersecurity submission. The author of the documents has mixed up the contents, has not supplied part of what is required, and has made references to documentation not included in the submission (including completely out-of-context tables and a plethora of pointers to other documents). What reaction other than frustration is the reviewer likely to have? This is not the first impression you want to make. The goal should be to demonstrate expertise in cybersecurity, not to frustrate the reviewer.
Set some ground rules for all testing, including work performed by any third parties.
The premarket cybersecurity guidance goes into significant detail regarding the security testing that needs to be performed. Once again, these tests are not optional.
As a simple checklist:
Nessus is a great tool, but it is just one step in penetration testing. Using a vulnerability scanner would be part of the research phase of penetration testing, not the entire process.
Penetration testing is a process that simulates a hacker attempting to get into a medical device system through research, physical means, and the exploitation of vulnerabilities. Penetration testers are paid to search for weaknesses and then try to prove they can be exploited, using an extensive variety of tools and methods.
The premarket cybersecurity guidance [2] said it best:
Manually creating and updating tracing is extremely laborious and costly, and should be avoided if at all possible. Traceability is not unique to cybersecurity; it needs to be maintained across most of the artifacts in the premarket submission (threats to controls, controls to requirements, requirements to tests).
However, Word and Excel, out of the box, do not offer a good way of providing this type of tracing; there is only one vendor I know of with an add-in that supports tracing [4], and I am unaware of any open-source add-ins that can do it.
Where possible, I suggest using a dedicated tool for document management, such as a requirements manager, an ALM or PLM system, etc.
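To make concrete what a tool has to maintain, here is an added example (not part of the article, and not any vendor's tool) of the core of a traceability check: every threat from the threat model should trace to at least one security requirement, every requirement to at least one passing test, and no artifact should reference an identifier that does not exist. The identifiers (T-xx, SR-xx, ST-xx) and the sample entries are constructed for illustration.

```python
"""Minimal threat -> requirement -> test traceability check.

Added example for the article; the artifact structure and identifier
scheme below are assumptions, not FDA or eSTAR requirements.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    id: str
    description: str


@dataclass(frozen=True)
class Requirement:
    id: str
    text: str
    mitigates: tuple  # threat ids this requirement addresses


@dataclass(frozen=True)
class SecurityTest:
    id: str
    verifies: tuple   # requirement ids this test demonstrates
    result: str       # "pass", "fail" or "not run"


def build_trace(threats, requirements, tests):
    """Return the gaps a reviewer would flag, as sorted lists of ids."""
    threat_ids = {t.id for t in threats}
    req_ids = {r.id for r in requirements}
    mitigated = {tid for r in requirements for tid in r.mitigates}
    verified_by = {}
    for t in tests:
        for rid in t.verifies:
            verified_by.setdefault(rid, []).append(t)
    # References to ids that appear nowhere in the submission
    dangling = {tid for r in requirements for tid in r.mitigates if tid not in threat_ids}
    dangling |= {rid for t in tests for rid in t.verifies if rid not in req_ids}
    return {
        "unmitigated_threats": sorted(threat_ids - mitigated),
        "unverified_requirements": sorted(rid for rid in req_ids if rid not in verified_by),
        "requirements_with_failing_tests": sorted(
            rid for rid, ts in verified_by.items()
            if rid in req_ids and any(t.result != "pass" for t in ts)),
        "dangling_references": sorted(dangling),
    }


# Constructed sample artifacts (hypothetical infusion pump)
THREATS = [
    Threat("T-01", "Unsigned firmware loaded over the USB service port"),
    Threat("T-02", "Spoofed controller over Bluetooth LE"),
    Threat("T-03", "Patient data readable from flash at rest"),
]
REQUIREMENTS = [
    Requirement("SR-01", "Firmware images are signed and verified before install", ("T-01",)),
    Requirement("SR-02", "BLE uses LE Secure Connections with authenticated pairing", ("T-02",)),
    Requirement("SR-03", "Audit log entries are tamper-evident", ("T-09",)),  # T-09 does not exist
]
TESTS = [
    SecurityTest("ST-01", ("SR-01",), "pass"),
    SecurityTest("ST-02", ("SR-02",), "fail"),
    SecurityTest("ST-03", ("SR-07",), "pass"),  # SR-07 does not exist
]


def sample_trace():
    return build_trace(THREATS, REQUIREMENTS, TESTS)


if __name__ == "__main__":
    for gap, ids in sample_trace().items():
        print(f"{gap}: {', '.join(ids) or 'none'}")
```

Run stand-alone, the script reports T-03 with no mitigation, SR-03 with no test, SR-02 with a failing test, and the two dangling ids. The same four questions are what the reviewer will ask of a trace matrix, which is why the author recommends a tool that answers them automatically rather than a hand-maintained spreadsheet.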
Appendix 1 of FDA’s premarket cybersecurity guidance provides a list of security mitigations and recommends the use of cryptographically strong controls to achieve them. One hard and fast rule is not to try to create your own mitigations; homegrown controls are nearly impossible to justify, and their effectiveness is very difficult to prove.
Do not use likelihood or probability in any of the security scoring rubrics. The premarket cybersecurity guidance is clear on this point. FDA has also expressed this in many presentations.
“Accordingly, cybersecurity risks are difficult to predict, meaning that it is not possible to assess and quantify the likelihood of an incident occurring based on historical data or modeling (also known as a ‘probabilistic manner’).”
Do not use them in any manner, including as a probability of occurrence or probability of harm, as is done in “safety” scoring rubrics.
This is very similar to number 4, but it can manifest itself in a different manner, where attempts at weak justifications are utilized in place of cryptographic solutions. For example:
The solutions are the same as for number 4—use strong cryptographic primitives.
A machine-readable SBOM is not an Excel spreadsheet. Neither is a CSV nor a flat text file. Rather, a machine-readable SBOM is a file formatted in compliance with one of the two standards (CycloneDX or SPDX), usually expressed as JSON (both standards also define other serializations, but JSON is what most tooling consumes).
Refer to NTIA’s “The Minimum Elements For a Software Bill of Materials” to gain clarity on what content is required to be in the SBOM [5]. Also, leverage free and open-source tools such as sbomqs (to evaluate the completeness of your SBOM) [6] and parlay (to enrich missing content in your SBOM) [7].
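As an added example (not from the article, and not a substitute for sbomqs), the following script checks a CycloneDX JSON SBOM for the NTIA minimum elements and rejects a spreadsheet export outright. The mapping from NTIA fields to CycloneDX 1.5 JSON keys is this example's own reading of the two documents; the sample SBOMs, component names and purls are constructed and do not describe a real device.

```python
"""Check a CycloneDX JSON SBOM for the NTIA minimum elements.

Added example. NTIA data fields -> CycloneDX keys (assumed mapping):
  Supplier Name            -> component.supplier.name
  Component Name / Version -> component.name / component.version
  Other Unique Identifiers -> component.purl | cpe | swid
  Dependency Relationship  -> top-level "dependencies" graph
  Author of SBOM Data      -> metadata.authors (or metadata.tools)
  Timestamp                -> metadata.timestamp
"""
import json


def _check_component(c, label):
    out = []
    if not c.get("name"):
        out.append(f"{label}: name missing (NTIA: Component Name)")
    if not c.get("version"):
        out.append(f"{label}: version missing (NTIA: Version of the Component)")
    if not (c.get("supplier") or {}).get("name"):
        out.append(f"{label}: supplier.name missing (NTIA: Supplier Name)")
    if not (c.get("purl") or c.get("cpe") or c.get("swid")):
        out.append(f"{label}: no purl/cpe/swid (NTIA: Other Unique Identifiers)")
    return out


def check_ntia_minimum_elements(sbom):
    """Return findings for a parsed CycloneDX document; [] means complete."""
    if sbom.get("bomFormat") != "CycloneDX":
        return ["bomFormat is not CycloneDX (this checker only handles CycloneDX JSON)"]
    findings = []
    meta = sbom.get("metadata") or {}
    if not meta.get("timestamp"):
        findings.append("metadata.timestamp missing (NTIA: Timestamp)")
    if not (meta.get("authors") or meta.get("tools")):
        findings.append("metadata.authors/tools missing (NTIA: Author of SBOM Data)")
    root = meta.get("component")
    if root is None:
        findings.append("metadata.component missing (the device software itself)")
    else:
        findings += _check_component(root, "metadata.component")
    components = sbom.get("components") or []
    if not components:
        findings.append("components list empty")
    refs = {c["bom-ref"] for c in components if c.get("bom-ref")}
    for i, c in enumerate(components):
        findings += _check_component(c, c.get("name") or f"components[{i}]")
    deps = sbom.get("dependencies") or []
    if not deps:
        findings.append("dependencies missing (NTIA: Dependency Relationship)")
    else:
        in_graph = set()
        for d in deps:
            in_graph.add(d.get("ref"))
            in_graph.update(d.get("dependsOn") or [])
        for ref in sorted(refs - in_graph):
            findings.append(f"{ref}: not referenced in any dependency relationship")
    return findings


def check_sbom_json(text):
    """Entry point: a CSV or spreadsheet export fails before any field check."""
    try:
        sbom = json.loads(text)
    except json.JSONDecodeError:
        return ["not JSON: a spreadsheet, CSV or flat text export is not a machine-readable SBOM"]
    if not isinstance(sbom, dict):
        return ["not a JSON object"]
    return check_ntia_minimum_elements(sbom)


# Constructed samples (hypothetical pump controller firmware)
GOOD_SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "metadata": {
    "timestamp": "2026-03-02T10:00:00Z",
    "authors": [{"name": "Example Devices Inc. Product Security"}],
    "component": {"type": "firmware", "bom-ref": "fw", "name": "pump-controller-fw",
                  "version": "3.1.0", "supplier": {"name": "Example Devices Inc."},
                  "purl": "pkg:generic/pump-controller-fw@3.1.0"}},
  "components": [
    {"type": "library", "bom-ref": "tls", "name": "tls-lib", "version": "3.6.0",
     "supplier": {"name": "Example TLS Project"}, "purl": "pkg:generic/tls-lib@3.6.0"},
    {"type": "operating-system", "bom-ref": "rtos", "name": "rtos-kernel", "version": "11.1.0",
     "supplier": {"name": "Example RTOS Foundation"}, "purl": "pkg:generic/rtos-kernel@11.1.0"}],
  "dependencies": [{"ref": "fw", "dependsOn": ["tls", "rtos"]},
                   {"ref": "tls", "dependsOn": []}, {"ref": "rtos", "dependsOn": []}]
}"""
BAD_SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "metadata": {"component": {"type": "firmware", "bom-ref": "fw", "name": "pump-controller-fw"}},
  "components": [{"type": "library", "bom-ref": "tls", "name": "tls-lib"}]
}"""

if __name__ == "__main__":
    for name, doc in (("good", GOOD_SBOM_JSON), ("bad", BAD_SBOM_JSON)):
        print(name, check_sbom_json(doc) or "complete")
```

The bad sample is the shape reviewers most often see: component names with no versions, suppliers or identifiers, no SBOM author or timestamp, and no dependency graph, which leaves a vulnerability-matching tool nothing to key on. Use sbomqs for a scored assessment against the full schema; this script only shows which fields the NTIA elements map to.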
References
1. tinyurl.com/mpo260381
2. tinyurl.com/mpo260382
3. tinyurl.com/mpo260383
4. tinyurl.com/mpo260384
5. tinyurl.com/mpo260385
6. tinyurl.com/mpo260386
7. tinyurl.com/mpo260387
Christopher Gates is the founder and CEO of arsMedSecurity, a medtech cybersecurity consulting firm. He is a recognized thought leader in medical device cybersecurity and the current co-chair for H-ISAC’s MDSC. Gates has more than 50 years of experience developing and securing medical devices and works with numerous industry-leading device manufacturers. He frequently collaborates with regulatory and standard bodies, including the CSIA, Health Sector Coordinating Council, H-ISAC, and Bluetooth SIG.