Medical Device Cybersecurity: Risk Assessment

Online, Instructor-Led Course

Course Description

Cybersecurity is an increasingly important topic for medical devices. Every manufacturer of medical devices has to implement some cybersecurity controls. There are regulatory mandates for medical device security under FDA, HIPAA, and other regional regulations, and general data protection laws have to be followed. These same cybersecurity controls have the potential to protect your organization's assets and value.

TÜV SÜD has years of experience with the many different regulations, standards, guidance and frameworks for cybersecurity risk management as well as the various approaches for how medical device manufacturers have implemented those requirements.

This two-day online course, conducted by our experienced TÜV SÜD instructors, combines all the regulations and standards with a best practice guide on how to identify and control cybersecurity risks in all phases of the product life cycle.

Students will be equipped with the knowledge and skills needed to find vulnerabilities, assess threats, implement controls, and carry out cybersecurity risk management. This course is designed to help students navigate the multitude of regulations and standards around medical device cybersecurity and to develop a state-of-the-art cybersecurity risk management process.

Course Benefits

This course is intended to help you define and understand the value of implementing a cybersecurity risk management process.

Through examples and group work, students will become familiar with threat modeling techniques, risk assessment, secure design principles, and documentation needs.

Who Will Benefit?

This course is designed for students who are involved in product design, requirements engineering, development, software coding, testing, quality management, safety risk management, and architecture design in the medical device industry.

Learning Objectives

  • Understand the relevant steps for a cybersecurity risk management process
  • Understand how to execute a cybersecurity risk management process
  • Understand how to document a cybersecurity risk management process and actions
  • Understand the relevant sources, techniques, guidance, and best practices related to cybersecurity risk management

Course Agenda

Security Risk Management

Introduction to Cybersecurity Risk Management

  • Regulatory requirements
  • Data protection laws
  • Standards
  • Guidance documents
  • Examples of cybersecurity incidents in medical devices

IT Security Basics and Definitions

  • Information security vs. cybersecurity
  • Confidentiality, Integrity, Availability
  • Cryptography
  • Identification, Authentication, Authorization
  • Assets and protection goals
  • Vulnerabilities, Threats, Threat Actors

Legal Requirements and Guidelines for Medical Devices

Secure Development Lifecycle Process

  • Planning
  • Requirement Analysis
  • Design
  • Implementation
  • Testing
  • Release
  • Deployment
  • Maintenance
  • Decommissioning

Security Risk Management Process

  • Overlap and differences to safety risk management process
  • Elements of safety risk management

Best Practice Risk Modeling

  • STRIDE
  • Security risk assessment
  • Security risk control incl. Safety vs. Security and FMEA
  • Documentation strategy
  • Post market activities in the security risk process

A Notified Body’s Point of View

  • What is state of the art?
  • Upcoming standard 60601-4-5
  • How to balance workload / which topics to focus on
  • Risk-benefit analysis

Secure by Design

  • Defense in depth
  • External libraries/SOUP
  • Robustness
  • Secure code guidelines and best practices
  • Security testing
  • Automated test tools

Workshop

The entire second day is a guided group exercise in which students conduct all steps of a full cybersecurity risk assessment for a real medical device.

  • System definition
  • STRIDE
  • Threat Modeling
  • Threat Review
  • CVE/NVD
  • Risk Assessment
  • Risk Control
  • Post market – vulnerability detection and response

Methodology

Virtual Classroom with an online exam.

Learning Assessments

Online Examination

Duration

2 Days

Timing

9:00 AM – 05:00 PM
