Best Practice Medical Device Regulation (MDR) Cybersecurity Risk Management
Build Trust in your Devices by Mastering MDR Cybersecurity Risk Management
This two-day course will provide you with the key knowledge needed to conduct efficient cybersecurity risk management under the requirements of the Medical Device Regulation (MDR) and MDCG 2019-16, IEC 81001-5-1:2021 and IEC TR 60601-4-5:2021. The course also integrates relevant elements of future harmonized standards. Through examples and group work you will gain in-depth knowledge of relevant threat modelling techniques, risk assessment strategies, secure design principles and documentation needs.
At the end of this training, participants will be able to:
- Efficiently conduct and document a security risk assessment per MDR, MDCG 2019-16, IEC 81001-5-1:2021 and IEC TR 60601-4-5:2021
- Understand how to make medical devices more secure with the resources available
- Confidently develop a process for security risk management
Testimonials:
- “What stood out most was the combination of best practices and interactive team discussions. The sessions on post-market surveillance (PMS) activities were particularly valuable, giving me practical insights I can directly apply in my work. The trainer’s expertise made complex topics easy to understand and highly relevant.”
- “The instructor is an outstanding trainer; his ability to clearly explain complex cybersecurity concepts while keeping pace with a diverse audience was impressive. I especially appreciated how he connected theory to real-world scenarios, making the learning experience both engaging and immediately applicable.”
Important: To avoid conflicts of interest that could compromise the impartiality of the Notified Body, we only provide public trainings for MDR and IVDR topics. We do not offer private or in-house training for MDR and IVDR topics.
Target audience:
- Risk Managers, Risk Management Specialists, Quality Officers, Regulatory Affairs Officers
- Software Engineers, Software / Hardware Requirement Engineers, Verification and Validation Specialists
- Product Designers
- Managers
This training is offered either as a two-day course or as four half-day sessions.
Day 1 (full day or first two half-days)
- Introduction to cybersecurity risk management
- IT security basics and definitions
- Legal requirements and guidelines for medical device security risk management
- Best practice approach
- A Notified Body's point of view
- Hands-on workshop with data flow diagrams, STRIDE, post-market security risk management etc.
Day 2 (second full day or last two half-days)
- Hands-on workshop (continued) with data flow diagrams, STRIDE, post-market security risk management etc.
This instructor-led training provides a comprehensive and practical pathway to implementing cybersecurity risk management for medical devices under the MDR, with alignment to MDCG 2019‑16, IEC 81001‑5‑1:2021, and IEC TR 60601‑4‑5:2021. Designed for professionals with an intermediate-level understanding of cybersecurity, the course focuses on how to structure and document a robust security risk management process—covering threat modeling, risk assessment, secure design principles, and post‑market surveillance. While select examples may touch on safety, the course is explicitly cybersecurity‑focused and does not attempt to map every concept to traditional safety risk management.
Across two full days (or four half‑day sessions), participants will move from foundational definitions and regulatory expectations to hands‑on practice with data flow diagrams, STRIDE, and practical methods for identifying assets, threats, vulnerabilities, and mitigations. You’ll explore best practices from a Notified Body perspective, including how to demonstrate conformity, what effective documentation looks like, and how to avoid common pitfalls in submissions. Emphasis is placed on repeatable methods, clear justification of risk decisions, and traceability from threat identification through to residual risk and post‑market action.
Because this program targets intermediate practitioners, attendees should already be familiar with basic cybersecurity concepts (e.g., authentication, authorization, encryption, secure update, logging/monitoring). If you are new to the field, we recommend completing an introductory cybersecurity course before enrolling. The training is not a forum for resolving live, product‑specific issues; as a Notified Body, we must maintain impartiality and therefore do not provide device‑specific consulting or design advice within this course. Instead, we equip you with the frameworks, techniques, and evaluation criteria needed to make informed, compliant, and defensible decisions within your own organization.
By the end of the course, you will be able to conduct and document a security risk assessment aligned to MDR and relevant guidance, build or refine an organization‑appropriate security risk management process, and articulate the interaction between cybersecurity and safety—recognizing where their goals align and where their scopes differ. You will also gain insight into tooling options for modern threat modeling, approaches to post‑market cybersecurity, and practical ways to quantify security risks before and after mitigation.
- You learn the best practice approach for MDR cybersecurity risk management.
- You get a thorough understanding of an effective cybersecurity risk management process and its interaction with the classical safety risk management process.
- You will be able to identify all relevant assets, threats, vulnerabilities, and mitigation measures.
- You will be able to quantify security risks consistently before and after mitigation.
- You get background information on the relevant compulsory and voluntary international guidelines for medical device security management.
- You get insight into the requirements of a Notified Body.
- You get information on software tools supporting modern medical device threat modelling.
- You get information on how to conduct cybersecurity post-market assessments.
Instructor-led training in a virtual classroom. This means the course is Live Online. Participants will learn through online teaching. Lectures, case studies, group exercises, discussions, problem solving, examples with explanation, assignments and/or quizzes happen in the virtual classroom training. Participants need to connect to the class from any internet accessible location. Each module is delivered live using webinar technology, creating a virtual classroom learning environment. Live sessions provide you with direct access to the trainer so you can ask questions, understand complex concepts and share ideas with peers. Webcam and microphone are REQUIRED to interact with the instructor and/or other participants. The training program culminates in an online exam.
The course content and structure have been developed by TÜV SÜD domain experts. Drawing on extensive experience and in-depth knowledge of relevant standards, TÜV SÜD’s product specialists and technical experts have designed the program to align with current industry practices, business needs, and market requirements.
To support knowledge retention and verify competency, this training includes a structured assessment and certification process:
- Certificate of Attendance: participants who attend at least 90% of the total training duration will receive an official Certificate of Attendance.
- Final Online Examination: the program concludes with an online exam designed to evaluate your understanding of MDR cybersecurity risk management principles.
- Exam Format: 15 multiple-choice questions; open-book (use of course materials and notes is permitted); individual effort required (no collaboration allowed).
- Passing Criteria: a minimum score of 80% is required to pass.
- Attempts: participants are granted up to three attempts to successfully complete the exam.
- Certificate of Completion: upon passing the exam, you will be awarded the TÜV SÜD Academy Certificate of Completion, demonstrating your ability to apply cybersecurity risk management practices aligned with MDR expectations.
Please have a copy of the MDR (Regulation (EU) 2017/745) at hand during the course. A free copy can be downloaded from the EUR-Lex European Union law website.
Recommended prerequisite: Basic understanding of cybersecurity principles.
Important Note on Course Scope
This training is cybersecurity‑focused, not safety‑focused. While some examples may reference safety concepts, the course does not map every cybersecurity topic to safety risk management. Participants should be aware that the objective is to build competency in cybersecurity risk management as required under MDR—not safety engineering.
Additionally, this course is designed for participants with an intermediate level of cybersecurity knowledge. Individuals who are new to cybersecurity or lack foundational concepts are encouraged to complete an introductory cybersecurity course before enrolling.
This training does not provide product‑specific guidance or solutions for current device challenges. As a Notified Body, we must maintain impartiality and cannot advise on individual product issues. This expectation should be considered before registering.
What is the main focus of this training?
This training focuses on cybersecurity risk management for medical devices under MDR, with a strong emphasis on practical implementation, including threat modelling, risk assessment, risk control, and post-market activities.
Which standards and regulations are covered?
The course aligns with key international requirements, including:
- MDR (EU Medical Device Regulation)
- MDCG 2019-16
- IEC 81001-5-1:2021
- ISO 14971:2019
- IEC TR 60601-4-5:2021
These represent the state-of-the-art expectations for cybersecurity compliance.
Is this training theoretical or practical?
It is highly practical and hands-on. Participants work through:
- System diagrams and data flows
- STRIDE threat modelling
- Risk assessment and heat maps
- Risk control selection and documentation
- Post-market vulnerability analysis
You will actively apply concepts to realistic scenarios, not just learn theory.
What is STRIDE and why is it important?
STRIDE is a structured threat modelling methodology covering:
- Spoofing
- Tampering
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privilege
It is widely used in the medical device industry because it is systematic, auditable, and easy to integrate into risk management processes. In practice the six categories are applied element by element to a data flow diagram (external entities, processes, data stores and data flows), so that each threat can be traced to the component it affects.
Will I learn how to perform a complete cybersecurity risk assessment?
Yes. By the end of the course, you will be able to:
- Identify assets, threats, and vulnerabilities
- Evaluate risks using likelihood and severity models
- Apply quantitative methods like CVSS
- Define and justify risk acceptability and controls
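The STRIDE categories listed above and the likelihood/severity and CVSS scoring mentioned in this answer, worked through on a small constructed data flow diagram. This is an added example and not course material from TÜV SÜD: the device, its DFD elements, the heat-map bands, the threat description and the before/after scores are assumptions made for illustration. The STRIDE-per-element mapping is the common Microsoft SDL threat-modelling convention, and the CVSS arithmetic follows the FIRST CVSS v3.1 base-score specification.

```python
"""STRIDE-per-element threat enumeration and pre/post-mitigation scoring
for a small medical-device data flow diagram (constructed example)."""
from math import floor

# STRIDE-per-element heuristic (Microsoft SDL threat-modelling convention):
# the STRIDE categories that normally apply to each DFD element type.
STRIDE_PER_ELEMENT = {
    "external": "SR",      # external entity: Spoofing, Repudiation
    "process": "STRIDE",   # process: all six categories
    "datastore": "TID",    # data store: Tampering, Info Disclosure, DoS (+R for audit logs)
    "dataflow": "TID",     # data flow: Tampering, Info Disclosure, DoS
}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information Disclosure", "D": "Denial of Service",
                "E": "Elevation of Privilege"}

# Constructed DFD of a hypothetical network-configurable therapy device.
DFD = [("Clinician workstation", "external"),
       ("Therapy controller", "process"),
       ("Therapy settings store", "datastore"),
       ("Workstation -> controller (settings update)", "dataflow")]


def enumerate_threats(dfd):
    """Expand every DFD element into its applicable (element, STRIDE category) pairs."""
    return [(name, STRIDE_NAMES[c]) for name, kind in dfd for c in STRIDE_PER_ELEMENT[kind]]


# --- Qualitative heat map: likelihood x severity on 1..5 scales (constructed bands) ---
def risk_band(likelihood, severity):
    score = likelihood * severity
    return "high" if score >= 15 else "medium" if score >= 8 else "low"


# --- CVSS v3.1 base score (weights and formulas from the FIRST specification) ---
W = {"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
     "AC": {"L": 0.77, "H": 0.44},
     "UI": {"N": 0.85, "R": 0.62},
     "C": {"H": 0.56, "L": 0.22, "N": 0.0},
     "I": {"H": 0.56, "L": 0.22, "N": 0.0},
     "A": {"H": 0.56, "L": 0.22, "N": 0.0}}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},   # Privileges Required, scope unchanged
      "C": {"N": 0.85, "L": 0.68, "H": 0.50}}   # Privileges Required, scope changed


def roundup(x):
    """CVSS v3.1 Roundup: smallest value with one decimal place that is >= x."""
    i = round(x * 100000)
    return i / 100000 if i % 10000 == 0 else (floor(i / 10000) + 1) / 10


def cvss31_base(vector):
    """Base score for a 'CVSS:3.1/AV:../AC:../PR:../UI:../S:../C:../I:../A:..' vector."""
    m = dict(part.split(":") for part in vector.split("/")[1:])   # drop the 'CVSS:3.1' prefix
    iss = 1 - (1 - W["C"][m["C"]]) * (1 - W["I"][m["I"]]) * (1 - W["A"][m["A"]])
    changed = m["S"] == "C"
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    expl = 8.22 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * PR[m["S"]][m["PR"]] * W["UI"][m["UI"]]
    if impact <= 0:
        return 0.0
    return roundup(min(1.08 * (impact + expl) if changed else impact + expl, 10))


def assess(threat):
    """Return (heat-map band, CVSS base score) for one threat record."""
    return risk_band(threat["likelihood"], threat["severity"]), cvss31_base(threat["cvss"])


# One Tampering threat on the settings-update flow, scored before and after a
# mitigation. Constructed values: first a protocol that accepts unauthenticated
# writes from the adjacent network, then the same protocol once writes require
# an authenticated clinician role (PR:N -> PR:H). Severity is unchanged because
# the harm if tampering succeeds is the same; only the likelihood drops.
PRE = {"element": "Workstation -> controller", "category": "Tampering",
       "likelihood": 4, "severity": 5,
       "cvss": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"}
POST = {**PRE, "likelihood": 2, "cvss": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H"}

if __name__ == "__main__":
    for element, category in enumerate_threats(DFD):
        print(f"{element}: {category}")
    print("pre-mitigation :", assess(PRE))    # ('high', 8.1)
    print("post-mitigation:", assess(POST))   # ('medium', 6.1)
```

Two points the numbers illustrate. The control lowers likelihood (and the CVSS exploitability sub-score) but leaves severity where it was, so the residual risk still needs an explicit acceptability justification in the file rather than being assumed closed. And CVSS rates the technical severity of a vulnerability, not patient harm; it supplements the likelihood/severity assessment that links a threat to a hazardous situation, it does not replace it.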
How does cybersecurity relate to patient safety?
Cybersecurity risks can directly impact patient safety, for example through:
- Device malfunction or unavailability
- Manipulated therapy parameters
- Leakage of sensitive patient data
The course shows how security and safety intersect—and where they differ.
Do I need prior cybersecurity knowledge?
Yes. This training is designed for participants with basic to intermediate cybersecurity knowledge, including familiarity with concepts such as authentication, encryption, and secure communication.
Is this training suitable for beginners?
If you are completely new to cybersecurity, it is recommended to complete an introductory cybersecurity course first, as this course focuses on application and compliance rather than fundamentals.
Will product-specific challenges be addressed?
No. As training delivered by a Notified Body, this course:
- Does not provide device-specific consulting
- Focuses instead on frameworks, methods, and best practices
What industries or roles benefit most from this course?
This training is ideal for:
- Risk Managers / Quality Engineers
- Regulatory Affairs professionals
- Software / Systems Engineers
- Product designers and developers
Why is cybersecurity critical for medical devices today?
Real-world incidents show that cybersecurity failures can lead to:
- Patient harm
- Regulatory rejection
- Financial and reputational damage
Regulators now require robust, auditable cybersecurity risk management as part of conformity assessment and market access.
Train with Industry Experts
Learn from specialist instructors at TÜV SÜD Academy—recognized leaders with deep expertise in their fields. For over 35 years, our global network of 2,500+ trainers has delivered practical, real-world knowledge that you can apply immediately.
Our courses are continuously updated to reflect the latest regulatory changes and industry best practices, ensuring you gain relevant, up-to-date skills with every session.
