The pattern is always the same
I have lost count of how many times this script has played out: the company gets clearance, the launch is celebrated, the cybersecurity team shrinks back to whoever was already there, and the cybersecurity management plan goes in a folder. Nine months later something happens — a researcher reports a vulnerability, a hospital IT team asks about an unpatched library, FDA sends a question — and there is no muscle memory for responding.
The problem is almost never technical. The problem is that no one is running the program.
What the working programs do
The companies whose postmarket cybersecurity actually holds up share a small set of unglamorous habits.
1. There is a named owner with calendar time. Not a job title, a calendar. Somebody whose week reliably contains hours dedicated to vulnerability monitoring, triage, and outbound communication. If the person responsible for postmarket cyber is also responsible for shipping the next product, postmarket loses every time.
2. The SBOM is alive. It is regenerated on every build, not hand-maintained from the last release. It is monitored against NVD plus at least one paid feed, with matching keyed on package identity (purl or CPE) and affected version ranges rather than bare component names, so a same-named library from another ecosystem does not trigger a false hit and a component already at the fixed version does not open a ticket. New high-severity CVEs in components you ship produce a ticket within a defined SLA. The team can answer "are we exposed to X?" within hours, not weeks.
3. Coordinated disclosure is operationalized. There is a public security.txt (RFC 9116, served at /.well-known/security.txt) or equivalent. Researchers know where to send findings. The first response is fast and human. The internal triage path is documented. Nothing kills a security researcher's goodwill faster than radio silence; nothing builds it faster than a thank-you note in 48 hours.
4. Patch logistics are designed, not improvised. Most postmarket failures look like engineering problems but are logistics problems. Who signs the update? Who notifies which hospitals? What is the validation regression? What is the fallback if a hospital declines the patch? The companies that ship patches reliably have answered these questions on a whiteboard before the first patch.
5. There is a postmarket cybersecurity review cadence. Quarterly is the minimum. The review covers open vulnerabilities, disclosure activity, patch status by deployment site, and any cross-cutting program changes. The artifact from that review is reportable to FDA on request.
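The "alive SBOM" habit in item 2 is the one that reduces most directly to code. The following is an added example, not code from the original post: it matches a CycloneDX-style SBOM against an OSV-shaped advisory feed on full package identity (purl type plus name) and version range, opens SLA-bound tickets for hits without duplicating ones already open, and answers "are we exposed to X?" in one call. The SBOM, the advisories, the CVE identifiers (CVE-0000-000x placeholders) and the SLA tiers are constructed for illustration; the numeric-only version comparison is an assumption called out in the code.

```python
"""Keep an SBOM 'alive': match shipped components against an advisory feed,
open SLA-bound tickets for hits, and answer "are we exposed to X?".

Added example, not code from the original post.  The SBOM, advisory feed,
CVE identifiers and SLA tiers below are constructed for illustration; a real
program feeds in the build's CycloneDX output and NVD/OSV/vendor advisories.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed CycloneDX-style SBOM (only the fields this example reads).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"name": "pump-controller-fw", "version": "3.2.1"}},
  "components": [
    {"name": "tlslite-embedded", "version": "2.28.4", "purl": "pkg:generic/tlslite-embedded@2.28.4"},
    {"name": "lwnet",            "version": "2.1.3",  "purl": "pkg:generic/lwnet@2.1.3"},
    {"name": "jsonparse",        "version": "4.17.2", "purl": "pkg:npm/jsonparse@4.17.2"}
  ]
}"""

# Constructed advisory feed in an OSV-like shape: affected package by purl
# (ecosystem + name), version ranges with inclusive 'introduced' and exclusive
# 'fixed', and a CVSS base score.  The CVE ids are placeholders, not real CVEs.
FEED = [
    {"id": "CVE-0000-0001", "purl": "pkg:generic/tlslite-embedded",
     "ranges": [{"introduced": "0", "fixed": "2.28.5"}], "cvss": 9.8},
    {"id": "CVE-0000-0002", "purl": "pkg:generic/lwnet",        # fixed in the version we ship
     "ranges": [{"introduced": "2.0.0", "fixed": "2.1.3"}], "cvss": 7.5},
    {"id": "CVE-0000-0003", "purl": "pkg:pypi/jsonparse",       # same name, different ecosystem
     "ranges": [{"introduced": "0", "fixed": "5.0.0"}], "cvss": 8.1},
    {"id": "CVE-0000-0004", "purl": "pkg:generic/lwnet",        # no fix published yet
     "ranges": [{"introduced": "2.1.0"}], "cvss": 5.3},
]

# Constructed SLA tiers: time from detection to an open, owned ticket.
SLA = {"critical": timedelta(hours=24), "high": timedelta(hours=72),
       "medium": timedelta(days=30), "low": timedelta(days=90)}


def purl_base(purl):
    """'pkg:npm/jsonparse@4.17.2?arch=x86#sub' -> 'pkg:npm/jsonparse'.
    Matching on purl type+name, not the bare name, keeps pkg:pypi/jsonparse
    from colliding with pkg:npm/jsonparse."""
    head = purl.split("?", 1)[0].split("#", 1)[0]
    return head.rsplit("@", 1)[0] if "@" in head else head


def vkey(version):
    """Dotted-numeric version -> comparable tuple.  Assumption: every
    component here uses plain numeric versions; real feeds need the
    ecosystem's own comparator (semver pre-releases, Debian epochs, ...)."""
    return tuple(int(p) for p in version.split("."))


def in_range(version, rng):
    """Inclusive 'introduced', exclusive 'fixed', open-ended if no fix."""
    v = vkey(version)
    if v < vkey(rng.get("introduced", "0")):
        return False
    return "fixed" not in rng or v < vkey(rng["fixed"])


def severity(cvss):
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    return "medium" if cvss >= 4.0 else "low"


def match(sbom, feed):
    """One finding per (advisory, shipped component) in an affected range."""
    findings = []
    for comp in sbom["components"]:
        base = purl_base(comp["purl"])
        for adv in feed:
            if adv["purl"] != base:
                continue
            if any(in_range(comp["version"], r) for r in adv["ranges"]):
                fixed = [r["fixed"] for r in adv["ranges"] if "fixed" in r]
                findings.append({"id": adv["id"], "component": base,
                                 "version": comp["version"], "cvss": adv["cvss"],
                                 "severity": severity(adv["cvss"]),
                                 "fixed_in": fixed[0] if fixed else None})
    return findings


def open_tickets(findings, now=None, already_open=()):
    """Findings -> SLA-bound tickets, skipping (cve, component) pairs already
    open so a nightly run does not file duplicates."""
    now = now or datetime.now(timezone.utc)
    tickets = []
    for f in findings:
        if (f["id"], f["component"]) in already_open:
            continue
        tickets.append({**f, "opened": now, "due": now + SLA[f["severity"]]})
    return tickets


def exposed_to(sbom, feed, cve_id):
    """Answer 'are we exposed to X?' with the affected components, or []."""
    return [f for f in match(sbom, feed) if f["id"] == cve_id]


if __name__ == "__main__":
    sbom = json.loads(SBOM_JSON)
    for t in open_tickets(match(sbom, FEED)):
        print(f"{t['id']} {t['component']}@{t['version']} {t['severity']} "
              f"due {t['due']:%Y-%m-%d %H:%M}Z fix={t['fixed_in']}")
    print("exposed to CVE-0000-0002?", bool(exposed_to(sbom, FEED, "CVE-0000-0002")))
```

Run against the constructed inputs, it opens a critical ticket for tlslite-embedded and a medium one for lwnet with no fix available, and correctly declines to ticket CVE-0000-0002 (the shipped version is the fixed version) and CVE-0000-0003 (a different ecosystem's package with the same name). In a real program the only pieces that change are the two inputs and the version comparator; the SLA, dedupe and "exposed to" logic stay the same across the portfolio, which is what makes the cost scale sublinearly.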
Why this is actually a brand asset
MedTech buyers — hospital systems, integrators, MDMs — increasingly grade vendors on postmarket cybersecurity posture before procurement, not after. A company that can answer "what is your coordinated disclosure process?" with a confident, written answer wins deals against companies that cannot. A company that proactively notifies its customers of a patched CVE before anyone in the press finds it earns trust that is genuinely hard to buy.
The inverse is also true. A botched disclosure, a vulnerable component left unpatched, a sales rep on a call without a story — these become procurement disqualifiers, sometimes permanently.
What this costs to run well
Less than you think, if you scope it honestly. For a single connected device, a competent postmarket cybersecurity program is roughly 0.25–0.5 FTE of dedicated time, plus tooling, plus a relationship with an external responder for spikes. For a portfolio, it scales sublinearly because the process is the same — the watch list, the cadence, the disclosure intake.
It costs vastly more not to run it. The companies I have seen taken offline by a postmarket cybersecurity event paid the cost in delayed releases, lost deals, FDA scrutiny, and management distraction that ran into the millions.
The mindset shift
The shift that has to happen inside the company is treating postmarket cybersecurity as a product, not a project. Products have owners, roadmaps, metrics, and SLAs. Projects have end dates. Postmarket cybersecurity has no end date until the device is no longer in service.
Clearance gets you to launch. The next ten years of the device's life are the work you signed up for when you decided to ship a connected medical device. Run that program like the product it is, and your cybersecurity story becomes one of your most defensible competitive moats.
