Medical Device Cybersecurity & eSTAR Support
Cy-Hive helps medical device manufacturers build, test, and document cybersecurity controls that align with FDA expectations and fit seamlessly into eSTAR submissions—so your team can move faster without sacrificing safety or compliance.
Why Cybersecurity & eSTAR Are Non-Negotiable for Medical Devices
- FDA requires cybersecurity evidence in premarket submissions
- eSTAR is now required for 510(k) + De Novo
- SBOMs and secure SDLC expectations
- Testing + documentation must be aligned and consistent
The FDA now treats cybersecurity as a core part of medical device safety and effectiveness—not an optional add-on. The 2025 guidance Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions lays out detailed expectations for secure product development, security risk management, SBOMs, and cybersecurity testing across the device’s total product life cycle.
At the same time, electronic submissions using the eSTAR template are now required for all 510(k) and De Novo medical device submissions (with limited exemptions), and voluntary for several other submission types. eSTAR is an interactive PDF that structures your submission, builds in required FDA forms, and removes the Refuse to Accept (RTA) step—if it’s completed correctly.
For busy engineering, quality, and regulatory teams, this creates a practical challenge:
- You must design and test cybersecurity controls that stand up to FDA scrutiny.
- You must provide structured documentation mapped to both the cybersecurity guidance and the eSTAR template.
- You must plan for postmarket cybersecurity—patches, coordinated vulnerability disclosure, and ongoing risk management.
Cy-Hive exists to make that work simpler, clearer, and more predictable.
Cybersecurity Gap Assessment
Map your current design, software, and network architecture against the latest FDA cybersecurity guidance for medical devices. Identify gaps in secure product development practices, security objectives (authenticity, authorization, availability, confidentiality, updateability), and quality system alignment.
Security Risk Management & Threat Modeling Support
Facilitate threat modeling and security risk assessments that align with FDA expectations and AAMI TIR57-style security risk reports. Help distinguish safety vs. security risks and link back into your ISO 14971 risk management process.
Cybersecurity Testing & Evidence Generation
Depending on your device type and architecture, we can support or help coordinate:
- Security requirements testing (e.g., auth, access control, logging, encryption)
- Threat mitigation testing (e.g., abuse cases, threat scenarios)
- Vulnerability scanning and configuration review
- Penetration testing against devices, companion apps, APIs, and cloud components
SBOM & Third-Party Software Review
Support creation or review of machine-readable SBOMs for cyber devices, including third-party and open-source components. Assist with vulnerability assessment workflows using NVD, CISA KEV catalogs, and vendor alerts.
Documentation Tailored to eSTAR & Cybersecurity Guidance
Organize your cybersecurity documentation so it aligns with the FDA cybersecurity guidance sections and the relevant eSTAR modules, making it easier for reviewers to follow your logic.
Phase 1 – Discovery & Architecture Review
- Device + system boundary definition (device, apps, cloud, interfaces)
- Data flows, threat surfaces, and basic asset inventory
- Review of existing design controls, QMS artifacts, and software documentation
Deliverables:
- High-level architecture views (aligned with FDA expectations for security architecture documentation)
- Initial gap analysis vs. FDA cybersecurity guidance
Phase 2 – Security Risk Management & SBOM Support
- Facilitate threat modeling workshop(s) with your engineering and QA teams
- Develop or refine your security risk management report (distinct but linked to safety risk management)
- Support SBOM creation, structure, and vulnerability review process
Deliverables:
- Security Risk Management Report draft
- Draft SBOM and vulnerability tracking approach
- Recommendations for security controls by risk level
Phase 3 – Cybersecurity Testing & Evidence
- Security requirements and threat mitigation testing
- Vulnerability scanning and targeted penetration testing
- Test cases linked back to requirements and risks
Deliverables:
- Cybersecurity test plans and protocols
- Test reports with findings, remediation recommendations, and residual risk rationale
Phase 4 – Submission-Ready Documentation (eSTAR-Aligned)
- Organize all cybersecurity artifacts into a structure that corresponds to:
  - Cybersecurity design & controls
  - Security risk management
  - Cybersecurity testing
  - SBOM and third-party components
  - Cybersecurity management plan/postmarket strategy
- Ensure the content is easy to plug into the relevant eSTAR sections (or attached as referenced documents).
Deliverables:
- Cybersecurity Documentation Package (for 510(k), De Novo, or other submissions)
- eSTAR insertion guide (where each document fits in the template)
eSTAR-Focused Support
The FDA’s eSTAR template is now the required format for all 510(k) and De Novo submissions (unless specifically exempted), and voluntary for several other premarket pathways.
We help your team:
- Understand which eSTAR sections expect cybersecurity-related content and attachments.
- Map your cybersecurity documentation and SBOM into the right places to avoid technical screening holds.
- Make sure your answers in the template are consistent with the attachments and underlying testing—reducing the risk of early holds or extensive “Additional Information” rounds.
If you already have an eSTAR in progress, we can plug into your existing process. If you’re starting from scratch, we can collaborate with your regulatory consultants or in-house RA/QA team.
How We Work With Your Team
Intro Call (30-45 Minutes)
Clarify device type, submission pathway (510(k), De Novo, etc.), timelines, and existing cybersecurity work.
Scoping & Proposal
- Define which phases you need (e.g., full package vs. testing only vs. documentation review)
- Agree on timelines and deliverables that match your submission date
Execution & Working Sessions
- Blend asynchronous document review with focused working sessions (threat modeling, architecture, SBOM review)
- Deliver clear, review-ready outputs that your team can plug into QMS and regulatory workflows
Who This Is For
- Manufacturers of networked medical devices with embedded software
- SaMD (Software as a Medical Device) teams and digital therapeutics
- Devices with cloud dashboards, mobile apps, or remote connectivity
- Startups preparing for their first 510(k) or De Novo submission
- Established manufacturers updating legacy devices to meet new cybersecurity expectations
Case Examples
- A connected diagnostic device preparing for a first 510(k) under eSTAR
- A digital health platform needing SBOM and security testing evidence for De Novo
- A manufacturer refreshing cybersecurity documentation for a new generation of an existing device
FAQ
Q1. Can Cy-Hive guarantee FDA clearance or approval?
No. No third party can guarantee a regulatory outcome. But we resubmit until accepted. Our role is to align your cybersecurity design, testing, and documentation with current FDA expectations and to help you present that information clearly within eSTAR.
Q2. Do you work with devices still early in development?
Yes. In fact, integrating cybersecurity as part of your secure product development framework and quality system early usually leads to fewer headaches during submission and postmarket.
Q3. Can you help us after our device is on the market?
Yes. We can support postmarket cybersecurity strategies, including vulnerability monitoring workflows, patch management plans, and coordinated vulnerability disclosure processes that align with FDA guidance.
Q4. How is this different from a generic penetration test?
Generic pen tests often focus only on “can we break in?” Cy-Hive’s work connects the dots between:
- Secure design and QMS controls
- Security risk management and threat modeling
- Testing evidence
- FDA cybersecurity guidance and eSTAR documentation structure
Q5. Do you only work with U.S. submissions?
Our focus is on FDA expectations (e.g., eSTAR, U.S. premarket guidance). Many principles overlap with international expectations (e.g., IMDRF guidance), but we always recommend coordinating with your regulatory team for global strategy.
