Postmarket
Operating the device safely in the field.
Topics for the postmarket phase
Overview
Start here. The big picture for MedTech security.
Pentesting
What's in scope (hardware, firmware, wireless, cloud, mobile), the methods reviewers expect, and how to read a pentest report against FDA cybersecurity guidance.
Postmarket
Stay compliant and secure after your device is on the market.
Monitoring
Continuous vulnerability monitoring for fielded devices.
AI/ML Devices
Adversarial ML, model integrity, PCCPs, and the security surface unique to learning-enabled devices.
Vuln Management
The end-to-end lifecycle: discovery, CVSS/rubric assessment, coordinated disclosure (CVD), and patch validation for fielded medical devices.
Checklists for postmarket and adjacent phases
Section-by-section checklist mirroring FDA's RTA cybersecurity items: security risk management, SBOM, threat model, testing evidence, labeling, and CVD policy.
What every cybersecurity reviewer (FDA or hospital) looks for in an SBOM: format, depth, signatures, hashes, supplier identification, and paired VEX statements.
A working PSIRT playbook: intake, triage with CVSS + clinical impact, communication, fix, regulatory reporting, and lessons-learned loop.