    MedTech Cyber Tips

    Continuous Monitoring (GoatWatch)

    This guide provides actionable steps for medical device manufacturers to implement and maintain continuous cybersecurity monitoring throughout the device lifecycle, focusing on SBOM analysis and vulnerability management. It covers premarket preparation through postmarket surveillance and audit readiness.

    For: Medical device manufacturers, cybersecurity engineers, regulatory affairs professionals, and quality assurance teams.
    Reviewed February 2026
    Postmarket vulnerability triage

    From CVE to defensible action

    Step 1: New CVE (NVD / CISA KEV / researcher tip)
    Step 2: SBOM match? Does any fielded device contain the component?
    Step 3: Assess VEX status (Affected · Not affected · Fixed · Under investigation)
    Step 4: Action (CAPA · Advisory · Patch · No-op, with rationale)

    Every CVE deserves a recorded outcome — even "not affected" — to satisfy FDA postmarket expectations.

    6 structured tips

    The walk-through

    01
    Technical

    Establish Comprehensive SBOM Coverage

    Ensure complete mapping of your software supply chain by ingesting SPDX, CycloneDX, or custom SBOM formats, and generate an SBOM where none exists. Normalize raw SBOM data before matching it against vulnerability feeds: canonical component identifiers (package URL or CPE), consistent name casing, and resolved version strings, so that "OpenSSL v1.1.1k" and "openssl 1.1.1k" are recognised as the same component. Crucially, track firmware and embedded components (RTOS, network stacks, bootloaders) that generic application scanners frequently miss.
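The four-step flow above (CVE, SBOM match, VEX status, recorded action) and the normalization this tip calls for, as one added example. This is illustrative code written for this page, not GoatWatch's or any vendor's implementation; the SBOM fragment, the CVE feed entries (placeholder IDs of the form CVE-0000-000N), the OpenVEX-style statements and the action names are all constructed assumptions.

```python
"""Match a new CVE against a device SBOM, consult VEX, and record a defensible outcome.

Added example using only the standard library. The SBOM, the CVE feed entries
(placeholder IDs of the form CVE-0000-000N) and the VEX statements are constructed
for illustration; they are not real advisories or real device data.
"""
import re
from typing import Optional

# Constructed CycloneDX-style SBOM fragment for one fielded device model.
# Note the inconsistent spellings ("OpenSSL", "v1.1.1k") that normalization must absorb.
SBOM = {
    "components": [
        {"name": "OpenSSL", "version": "v1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
        {"name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
        # Firmware network stack: the kind of component generic scanners tend to miss.
        {"name": "rtos-netstack", "version": "3.4.0", "purl": "pkg:generic/rtos-netstack@3.4.0"},
    ]
}

# Constructed CVE feed entries in an OSV-like shape: affected package plus a
# half-open version range [introduced, fixed).
CVE_FEED = [
    {"id": "CVE-0000-0001", "package": "openssl", "introduced": "1.1.1", "fixed": "1.1.1l"},
    {"id": "CVE-0000-0002", "package": "libcurl", "introduced": "7.0.0", "fixed": "7.80.0"},
    {"id": "CVE-0000-0003", "package": "rtos-netstack", "introduced": "3.0.0", "fixed": "3.5.0"},
]

# Constructed OpenVEX-style statements the manufacturer has already recorded.
VEX = {
    "CVE-0000-0001": {
        "status": "not_affected",
        "justification": "vulnerable_code_not_in_execute_path",
        "detail": "TLS server code path is compiled out of the device build",
    },
}


def normalize_name(name: str) -> str:
    """Canonical component key: lower-case, runs of punctuation collapsed to '-'."""
    return re.sub(r"[^a-z0-9]+", "-", name.lower()).strip("-")


def parse_version(v: str) -> tuple:
    """Turn 'v1.1.1k' into a comparable tuple ((0,1),(0,1),(0,1),(1,'k')).

    Numeric tokens compare numerically, letter suffixes lexically, and a missing
    suffix sorts first, so 1.1.1 < 1.1.1k < 1.1.1l. Caveat: pre-release tags
    such as '1.2.0rc1' sort after '1.2.0' under this rule; handle those per ecosystem.
    """
    v = v.strip().lower().lstrip("v")
    return tuple((0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|[a-z]+", v))


def in_range(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True if version lies in [introduced, fixed); an open-ended range has fixed=None."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def triage(cve: dict, sbom: dict, vex: dict) -> dict:
    """One recorded outcome per CVE, including an explicit 'not affected' with rationale."""
    record = {"cve": cve["id"], "component": None}
    hits = [c for c in sbom["components"]
            if normalize_name(c["name"]) == normalize_name(cve["package"])
            and in_range(c["version"], cve["introduced"], cve.get("fixed"))]
    if not hits:
        record.update(vex_status="not_affected", action="no-op",
                      rationale="no SBOM component matches the affected package and version range")
        return record
    record["component"] = hits[0]["purl"]
    stmt = vex.get(cve["id"])
    if stmt is None:
        record.update(vex_status="under_investigation", action="investigate",
                      rationale="component in affected range and no VEX statement yet")
    elif stmt["status"] == "not_affected":
        record.update(vex_status="not_affected", action="no-op",
                      rationale=f"VEX {stmt['justification']}: {stmt['detail']}")
    elif stmt["status"] == "fixed":
        record.update(vex_status="fixed", action="advisory",
                      rationale="fix shipped; confirm field update status")
    else:
        record.update(vex_status="affected", action="CAPA",
                      rationale="confirmed affected; open CAPA and customer advisory")
    return record


def triage_feed(feed=CVE_FEED, sbom=SBOM, vex=VEX) -> list:
    """Run triage over a feed; every CVE gets a record, never a silent drop."""
    return [triage(c, sbom, vex) for c in feed]


if __name__ == "__main__":
    for r in triage_feed():
        print(r["cve"], r["vex_status"], r["action"], "-", r["rationale"])
```

Each record, including the two "no-op" outcomes, is the evidence line an auditor will ask for. In practice the returned records are appended to the vulnerability timeline in the QMS rather than printed, and the version comparator should be swapped for the ecosystem's own rules (semver, Debian, RPM) where the SBOM identifies the package type.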

    02
    Process

    Implement Device-Context Vulnerability Triage

    Prioritize CVEs based on your device's specific architecture, factoring in network exposure, exploitability (for example CISA KEV listing and EPSS score), and clinical risk, not just the CVSS base score. Link cyber risk directly to potential patient harm as per ISO 14971, so that a high-CVSS issue in an unreachable component can legitimately rank below a moderate one on a network-facing, safety-relevant path. Track vendor advisories and End-of-Life (EOL) statuses, since an EOL component will never receive a vendor fix and needs compensating controls instead.
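A device-context ranking of the kind this tip describes, as an added example (not the page's or any product's scoring model). The component records, findings (placeholder CVE IDs), weights and decision thresholds are constructed assumptions; a manufacturer would substitute its own architecture data and its ISO 14971 severity table.

```python
"""Rank CVEs by device context (exposure, exploitability, clinical harm) rather than CVSS alone.

Added example, not from the page or any vendor tool. The weights, the component
records and the findings are constructed assumptions.
"""
from dataclasses import dataclass

# Constructed ordinal scale for ISO 14971 severity of the worst credible harm.
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}


@dataclass(frozen=True)
class DeviceComponent:
    name: str
    network_exposed: bool     # reachable from the clinical network or outside the enclosure
    authenticated_only: bool  # attack path requires valid credentials
    harm_severity: str        # key into SEVERITY
    eol: bool = False         # vendor no longer ships fixes


@dataclass(frozen=True)
class Finding:
    cve: str
    component: str
    cvss: float
    in_kev: bool              # listed in CISA KEV (known exploited)
    epss: float               # EPSS probability of exploitation, 0..1


def context_priority(f: Finding, c: DeviceComponent) -> float:
    """0..10 priority = likelihood on this device x severity of patient harm.

    CVSS is deliberately absent from the formula: it is reported alongside,
    not used to rank. The weights are assumptions for illustration.
    """
    exposure = 1.0 if c.network_exposed else 0.25
    if c.authenticated_only:
        exposure *= 0.5
    exploitability = 1.0 if f.in_kev else max(f.epss, 0.05)   # floor: never zero
    likelihood = exposure * (0.5 + 0.5 * exploitability)
    harm = SEVERITY[c.harm_severity] / 5
    score = 10 * likelihood * harm
    if c.eol:  # no vendor fix is coming; compensating controls need scheduling
        score = min(10.0, score + 1.0)
    return score


def band(score: float) -> str:
    """Assumed decision thresholds; tune to the manufacturer's risk acceptance policy."""
    if score >= 7:
        return "immediate: CAPA + customer advisory"
    if score >= 2.5:
        return "scheduled: next maintenance release"
    return "monitor: record rationale, re-check on KEV/EPSS change"


def rank(findings, components) -> list:
    """Return (cve, cvss, priority, band) sorted by device-context priority, highest first."""
    rows = [(f.cve, f.cvss, context_priority(f, components[f.component])) for f in findings]
    rows.sort(key=lambda r: r[2], reverse=True)
    return [(cve, cvss, p, band(p)) for cve, cvss, p in rows]


# Constructed device architecture and findings (placeholder CVE IDs).
COMPONENTS = {
    "pdf-renderer": DeviceComponent("pdf-renderer", False, True, "minor"),        # local log viewer
    "rtos-netstack": DeviceComponent("rtos-netstack", True, False, "critical"),   # therapy control path
    "dicom-server": DeviceComponent("dicom-server", True, True, "serious", eol=True),
}
FINDINGS = [
    Finding("CVE-0000-0101", "pdf-renderer", 9.8, False, 0.02),
    Finding("CVE-0000-0102", "rtos-netstack", 7.5, True, 0.40),
    Finding("CVE-0000-0103", "dicom-server", 5.3, False, 0.10),
]

if __name__ == "__main__":
    for cve, cvss, p, b in rank(FINDINGS, COMPONENTS):
        print(f"{cve}  CVSS {cvss:>4}  context {p:5.2f}  {b}")
```

Sorted by CVSS the 9.8 in the unreachable PDF renderer would top the list; sorted by device context it drops to "monitor", while the KEV-listed 7.5 on the network-facing therapy-control stack becomes the only immediate item. That inversion is the point of device-context triage, and the recorded rationale for the low-ranked 9.8 is what keeps it defensible.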

    03
    Documentation

    Prepare for Audit and Regulatory Compliance

    Generate compliance artifacts and postmarket surveillance documentation aligned with Section 524B of the FD&C Act (which requires cyber devices to have an SBOM and a plan to monitor, identify and address postmarket vulnerabilities), FDA's premarket and postmarket cybersecurity guidance, IEC 62304 / IEC 81001-5-1, and EU MDR/IVDR requirements. Maintain audit-ready vulnerability timelines, including triage decisions, remediation actions, and SBOM change history, so that an evidence pack can be exported on demand.

    04
    Process

    Integrate Continuous Monitoring Throughout the Product Lifecycle

    Continuously rescan SBOM components against the NVD, CISA KEV and vendor advisories so that new CVEs are detected promptly from premarket through postmarket. Alert only on findings that are new or whose risk has changed (for example a KEV listing or a newly available fix), prioritized by device context, and manage patches proactively to maintain continuous compliance.
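The change-detection step that keeps repeated scans from re-alerting on the same finding, as an added example (illustrative code for this page, not a product feature). The three scan runs and their placeholder CVE IDs are constructed; in production the "current" list comes from re-matching the SBOM against the feeds on each run.

```python
"""Turn repeated SBOM-vs-feed scans into alerts only for what is new, changed or resolved.

Added example, not from the page or any product. Scan results below are
constructed (placeholder CVE IDs).
"""
import hashlib
import json

# Fields whose change should re-alert; cosmetic fields (description text) are ignored.
SIGNIFICANT = ("cvss", "in_kev", "fixed_version")


def fingerprint(finding: dict) -> str:
    """Stable hash of the risk-relevant fields of one finding."""
    material = {k: finding.get(k) for k in SIGNIFICANT}
    return hashlib.sha256(json.dumps(material, sort_keys=True).encode()).hexdigest()


def finding_key(finding: dict) -> str:
    """Identity of a finding: the CVE on a specific component version."""
    return f"{finding['cve']}|{finding['purl']}"


def diff_scan(previous_state: dict, current: list) -> tuple:
    """previous_state maps key -> fingerprint from the last run.

    Returns (alerts, new_state). alerts is a list of (kind, key) with kind in
    {'new', 'changed', 'resolved'}; re-running on unchanged input yields no alerts.
    """
    alerts, new_state = [], {}
    for f in current:
        k, fp = finding_key(f), fingerprint(f)
        new_state[k] = fp
        if k not in previous_state:
            alerts.append(("new", k))
        elif previous_state[k] != fp:
            alerts.append(("changed", k))
    for k in previous_state:
        if k not in new_state:
            alerts.append(("resolved", k))   # component removed or updated in a new SBOM revision
    return alerts, new_state


# Constructed scan results for three consecutive runs.
RUN1 = [
    {"cve": "CVE-0000-0201", "purl": "pkg:generic/rtos-netstack@3.4.0",
     "cvss": 7.5, "in_kev": False, "fixed_version": "3.5.0"},
    {"cve": "CVE-0000-0202", "purl": "pkg:generic/zlib@1.2.11",
     "cvss": 5.3, "in_kev": False, "fixed_version": None},
]
RUN2 = RUN1  # nothing changed upstream: must produce no alerts
RUN3 = [
    {**RUN1[0], "in_kev": True},   # CISA added it to KEV: risk changed, alert again
    # zlib entry gone: a new SBOM revision replaced 1.2.11 with a fixed build
]


def simulate() -> list:
    """Run the three scans in sequence, carrying state forward; returns alerts per run."""
    state, history = {}, []
    for run in (RUN1, RUN2, RUN3):
        alerts, state = diff_scan(state, run)
        history.append(alerts)
    return history


if __name__ == "__main__":
    for i, alerts in enumerate(simulate(), 1):
        print(f"run {i}: {alerts or 'no alerts'}")
```

The state dictionary is what must persist between runs (in the QMS record or a small database), and the NVD 2.0 API's lastModStartDate/lastModEndDate parameters are the natural way to pull only the CVEs modified since the previous run. Each "new" or "changed" alert then goes through device-context triage; a "resolved" entry closes the timeline item with the SBOM revision that removed it.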

    05
    Strategic

    Engage Expert-Led Cybersecurity Support

    Seek guidance from senior medical device cybersecurity experts for vulnerability reviews and to tune triage rules to your specific risk profile. This specialized expertise is crucial for navigating MedTech-specific challenges.

    06
    Process

    Streamline Onboarding and Integrate with QMS

    Aim for rapid onboarding to continuous monitoring systems (e.g., in 1-2 weeks) to avoid delays associated with typical enterprise platforms. Ensure that vulnerability timelines, triage decisions, remediation actions, and SBOM change history are integrated into your Quality Management System (QMS) for ongoing audit readiness.

    Common pitfalls

    • Relying solely on generic SBOM scanners or DIY tracking methods, which often miss critical firmware components and lack medical device-specific context for vulnerability triage.
    • Failing to link cybersecurity risk to patient safety (ISO 14971), leading to an incomplete assessment of real-world impact.
    • Experiencing alert fatigue due to an inability to prioritize vulnerabilities based on actual device architecture and clinical risk.
    • Not generating audit-ready evidence and documentation throughout the postmarket phase, which can lead to compliance issues with regulatory bodies like the FDA and EU notified bodies.
    • Underestimating the complexity of SBOM normalization and version resolution, leading to noisy and inaccurate vulnerability data.

    Your next steps

    1. Conduct a gap analysis of your current SBOM management and continuous monitoring capabilities against the recommended practices.
    2. Evaluate specialized solutions designed for medical device cybersecurity that offer device-context impact triage and regulatory alignment.
    3. Develop or refine internal processes for integrating real-time CVE detection and expert-led triage into your postmarket surveillance activities.
    4. Train internal teams on the importance of comprehensive SBOM coverage and the methodology for prioritizing vulnerabilities based on clinical and technical risk.

    Frequently asked questions

    Quick answers to the questions teams most often ask about this topic.

    Continuous monitoring is the ongoing process of watching newly disclosed vulnerabilities (CVEs) against your SBOM, prioritizing by exploitability and patient safety impact, and feeding the results into your postmarket vulnerability management process.

    Most medical device vulnerabilities originate in third-party or open-source components, not in your own code. Without continuous SBOM monitoring you will miss high-severity issues like Log4Shell or Ripple20 until customers, researchers, or regulators surface them.

    Medical devices cannot usually be patched on a normal IT cadence, run on long-lived embedded platforms, and have safety implications for every change. Monitoring must integrate with risk assessment and the change-control process, not just generate CVE lists.
