Medical Device Cybersecurity: The Book, by Christian Espinosa

Coming 2026 · In progress

Medical Device Cybersecurity.

Navigating Premarket Submissions and Postmarket Surveillance

A complete, working playbook for the teams responsible for shipping safe, secure medical devices. Eleven chapters span the Total Product Lifecycle, aligned with FDA's Feb 2026 final premarket cybersecurity guidance, plus EU MDR, PMDA, and NMPA. Every chapter closes with useful tips, key terms, and a real case study from the field.

  • FDA 2026
  • EU MDR
  • PMDA
  • NMPA
  • AAMI SW96
  • ISO 14971
  • STRIDE
  • SBOM
  • SOUP

Chapter overview

Eleven chapters across the Total Product Lifecycle.

Written for the engineering, RA/QA, and product leaders who own the submission, the audit, and the postmarket response.

  • 01

    Regulatory Landscape

    FDA, EU MDR, PMDA (Japan), NMPA (China), TGA (Australia), plus NIST, AAMI, and IEC mapped to one program.

  • 02

    Risk Management & TPLC

    Building a cybersecurity risk management report that holds up across the Total Product Lifecycle, premarket through postmarket.

  • 03

    Secure Product Development (SPDF)

    FDA-aligned development, security architecture views, and design controls that actually clear submission.

  • 04

    Security Architecture Views

    Global system view, multi-patient harm view, updateability/patchability view, and interface views.

  • 05

    Interoperability

    Connected device communication, integration with hospital networks, and the security implications of HL7/FHIR.

  • 06

    STRIDE Threat Modeling

    Trust boundary analysis, entry point analysis, and threat scenario development with a worked STRIDE case study.

  • 07

    Third-Party Software & SOUP

    Managing components, Software of Unknown Provenance, and SBOMs with a SOUP case study in medical imaging.

  • 08

    Cybersecurity Testing

    Penetration testing, vulnerability scanning, fuzz testing, and software composition analysis for medical devices.

  • 09

    Cybersecurity Risk Assessment

    Structured risk assessment, scoring, mitigation, and the security risk management report FDA expects.

  • 10

    Postmarket Surveillance

    Vulnerability monitoring, coordinated disclosure, patch programs, and the postmarket cybersecurity management plan.

  • 11

    Case Studies

    Philips Tasy EMR (2018), SaMD 510(k), wearable health monitoring, and remote patient monitoring testing.

For teams shipping connected devices

Want the team trained on this now?