Best Practice Medical Device Regulation (MDR) Cybersecurity Risk Management
Top-selling course
This two-day course will provide you with the key knowledge to conduct efficient Cyber Security Risk Management under the new requirements of the Medical Device Regulation (MDR) and MDCG 2019-16, IEC 81001-5-1:2021 and IEC TR 60601-4-5:2021. This course will also integrate relevant elements of future harmonized standards. Through examples and group work you will gain in-depth knowledge of relevant threat modelling techniques, risk assessment strategies, secure design principles and documentation needs.
At the end of this training, participants will be able to:
- Efficiently conduct and document a Security Risk Assessment per MDR, MDCG 2019-16, IEC 81001-5-1:2021 and IEC TR 60601-4-5:2021
- Understand how to make medical devices safer with the given resources
- Confidently develop a process for security risk management
Important: To avoid conflicts of interest that could compromise the impartiality of the Notified Body, we only provide public trainings for MDR and IVDR topics. We do not offer private or in-house training for MDR and IVDR topics.
- Risk Managers, Risk Management Specialists, Quality Officers, Regulatory Affairs Officers
- Software Engineers, Software / Hardware Requirement Engineers, Verification and Validation Specialists
- Product Designers
- Managers
This training is offered either as a 2-day course or as a 4-half-day training.
Day 1 (Full day or first 2 half-days)
- Introduction to Cybersecurity Risk Management
- IT security basics and definitions
- Legal requirements and guidelines for medical device security risk management
- Best practice approach
- A Notified Body's point of view
- Hands-on workshop with data flow diagrams, STRIDE, post-market security risk management etc.
Day 2 (Second full day or last 2 half-days)
- Hands-on workshop (continued) with data flow diagrams, STRIDE, post-market security risk management etc.
This instructor-led training provides a comprehensive and practical pathway to implementing cybersecurity risk management for medical devices under the MDR, with alignment to MDCG 2019‑16, IEC 81001‑5‑1:2021, and IEC TR 60601‑4‑5:2021. Designed for professionals with an intermediate-level understanding of cybersecurity, the course focuses on how to structure and document a robust security risk management process—covering threat modeling, risk assessment, secure design principles, and post‑market surveillance. While select examples may touch on safety, the course is explicitly cybersecurity‑focused and does not attempt to map every concept to traditional safety risk management.
Across two full days (or four half‑day sessions), participants will move from foundational definitions and regulatory expectations to hands‑on practice with data flow diagrams, STRIDE, and practical methods for identifying assets, threats, vulnerabilities, and mitigations. You’ll explore best practices from a Notified Body perspective, including how to demonstrate conformity, what effective documentation looks like, and how to avoid common pitfalls in submissions. Emphasis is placed on repeatable methods, clear justification of risk decisions, and traceability from threat identification through to residual risk and post‑market action.
Because this program targets intermediate practitioners, attendees should already be familiar with basic cybersecurity concepts (e.g., authentication, authorization, encryption, secure update, logging/monitoring). If you are new to the field, we recommend completing an introductory cybersecurity course before enrolling. The training is not a forum for resolving live, product‑specific issues; as a Notified Body, we must maintain impartiality and therefore do not provide device‑specific consulting or design advice within this course. Instead, we equip you with the frameworks, techniques, and evaluation criteria needed to make informed, compliant, and defensible decisions within your own organization.
By the end of the course, you will be able to conduct and document a security risk assessment aligned to MDR and relevant guidance, build or refine an organization‑appropriate security risk management process, and articulate the interaction between cybersecurity and safety—recognizing where their goals align and where their scopes differ. You will also gain insight into tooling options for modern threat modeling, approaches to post‑market cybersecurity, and practical ways to quantify security risks before and after mitigation.
- You learn the best practice approach for MDR Cybersecurity Risk Management.
- You get a thorough understanding of an effective Cybersecurity Risk Management process and its interaction with the classical Safety Risk Management process.
- You will be able to identify all relevant assets, threats, vulnerabilities, and mitigation measures.
- You will be able to accurately quantify security risks before and after mitigation.
- You get background information on the relevant compulsory and voluntary international guidelines for medical device security management.
- You get insight into the requirements of a Notified Body.
- You get information on computer tools supporting modern medical device threat modelling.
- You get information on how to conduct cyber security post-market assessments.
Instructor-led training in a virtual classroom. This means the course is Live Online. Participants will learn through online teaching. Lectures, case studies, group exercises, discussions, problem solving, examples with explanation, assignments and/or quizzes happen in the virtual classroom training. Participants need to connect to the class from any internet accessible location. Each module is delivered live using webinar technology, creating a virtual classroom learning environment. Live sessions provide you with direct access to the trainer so you can ask questions, understand complex concepts and share ideas with peers. Webcam and microphone are REQUIRED to interact with the instructor and/or other participants.
The training program culminates in an online proctored exam in which you will need your webcam on.
The course content and structure are designed by the domain experts of TÜV SÜD. With extensive experience and knowledge of the relevant standards, our team of product specialists and technical experts at TÜV SÜD developed the course content based on the current business landscape and market requirements.
Online Examination
Please bring a copy of the MDR with you to the course. A free copy can be downloaded from the EUR-Lex European Union law website.
Recommended prerequisite: Basic understanding of cybersecurity principles.
Important Note on Course Scope
This training is cybersecurity‑focused, not safety‑focused. While some examples may reference safety concepts, the course does not map every cybersecurity topic to safety risk management. Participants should be aware that the objective is to build competency in cybersecurity risk management as required under MDR—not safety engineering.
Additionally, this course is designed for participants with an intermediate level of cybersecurity knowledge. Individuals who are new to cybersecurity or lack foundational concepts are encouraged to complete an introductory cybersecurity course before enrolling.
This training does not provide product‑specific guidance or solutions for current device challenges. As a Notified Body, we must maintain impartiality and cannot advise on individual product issues. This expectation should be considered before registering.
