CMDC Short Courses

Introduction to Medical Device Cybersecurity

MD Cybersecurity

The Center for Medical Device Cybersecurity (CMDC) at the University of Minnesota invites you to participate in its short course offering: Introduction to Medical Device Cybersecurity.  

As the complexity and demand for medical devices grow, never has the need to protect them from evolving threats been so great. This course is designed to prepare early career professionals working in Medical Device Manufacturing and Healthcare with an understanding of how to meet the safety and security expectations of the patients, healthcare providers, and healthcare organizations that use devices.


Expand all

When will this course be held?

This online course will be held over four weeks, twice a week on Tuesday and Thursday mornings from 9-11 a.m. CT from May 17 through June 9, 2022.

Who is this course designed for?

  • Professionals involved in the development of medical devices, including software, hardware and network connectivity.
  • Early career engineering professionals involved in medical device development/commercialization
  • Quality and regulatory professionals
  • Product security professionals 
  • Healthcare clinical security professionals
  • Others in healthcare organizations

What knowledge and skills will attendees gain?

Attendees will:
  • Gain an understanding of the unique risks associated with security in a clinical environment. 
  • Learn how to identify threats and attack vectors in the clinical environment and how these differ from other environments.
  • Discover how devices deployed in a network environment operate, including device identification and authentication, data transmission, data storage, and how they can provide access to the local area network to which they are connected.
  • Acquire an understanding of the regulatory requirements they will have to meet in the US and EU, and where organizational policies and standards fit in for security as well as organizational objectives and strategy.

What is the cost to attend?

The costs listed below are per individual to attend the short course:

  • CMDC members get two free attendees and then a reduced cost of $800/per person thereafter. 
  • For non-CMDC members, the cost is $950/person. 

Who are the instructors?

Aerts_Headshot (2022)

Bill Aerts is the managing director of the Center for Medical Device Cybersecurity and acting executive director of the Archimedes Center for Healthcare and Medical Device Security at the University of Michigan. He has more than 30-years of security experience, previously serving as the director of product security within Medtronic’s Global Security Office. He helped to build Medtronic’s original Information Security Program and has created and championed information and product security programs in the insurance, transportation, retail and healthcare industries. He’s also served in various consulting roles and as an adjunct professor in the Carlson School of Management at the University of Minnesota.


Ken Hoyme

Ken Hoyme is senior fellow, global product cybersecurity at Boston Scientific. He has over 35 years’ experience in the design of regulated safety-critical secure systems.  At Boston Scientific, he drives processes and practices for pre- and post-market cybersecurity risk management across the company’s products and services. Hoyme is co-chair of H-ISAC’s Medical Device Security Information Sharing Council (MDSISC) and past co-chair of AAMI’s Device Security Working Group and a member of AAMI’s BI&T Editorial Board.  Previously he was at Adventium Labs performing government funded research on the intersection of safety and security for cyber-physical systems.  Prior to that, he was a Senior Fellow at Boston Scientific where he was the systems lead for the development of the LATITUDE Remote Patient Management system. He also spent 18 years as a senior fellow at Honeywell’s Corporate Research lab. He was awarded Honeywell’s highest technical recognition for his work on the Boeing 777.  Ken has been granted 40 US and 9 International patents.  

Event chair, Dan Lyon

Dan Lyon is an accomplished leader and engineer specialized in the security of medical devices with expertise in regulated medical devices, product security initiatives, and security/ software/ system engineering.  He has worked in medical devices as both an engineer (17 years at Medtronic) and as a consultant (7 years at Cigital/Synopsys).  He has worked with global medical device manufacturers to establish and mature Product Security Initiatives by creating security cultures, developing new processes, and training engineers.  He has performed product security risk assessments and design reviews for numerous medical device systems, including implanted devices, infusion pumps, surgical products, patient monitors, mobile devices, mobile applications, web applications, and cloud services.

Andy Ulvenes

Andy Ulvenes has over 20 years of experience in medical device management.  He spent over 11 years at GE Healthcare delivering medical device services and solutions to healthcare organizations.  In 2012 he joined Kaiser Permanente where he was responsible for the lifecycle of medical devices (procurement through decommissioning).  In the last 5 years at Kasier, Andy expanded his responsibility to OT Cybersecurity where he built and led a KP Board approved program to build cyber capabilities for the Operational Technology (OT) devices. He is a member of the American Association of Medical Instrumentation, where he serves on the HTLC (Healthcare Technology Leadership Committee.  He is also a Fellow of the American College of Healthcare Executives (FACHE) and the California Association of Healthcare Leaders (CAHL).

Course Modules

Introduction to Medical Device Cybersecurity will consist of four modules. Each module will be broken down into two two-hour sessions, for a total of 16 learning hours. 

  1. Module 1: Cybersecurity in Healthcare  In this module, the current risk and unique threat landscape for healthcare and medical devices will be explored. Students will learn the challenges of providing optimal care while maintaining safety and compliance and the vital role that device security plays in doing so.  The challenge will be explained both from a medical device manufacturer and a healthcare provider's view. Security by Design will be introduced and the unique role of product development professionals in meeting the expectations of key stakeholders.
  2. Module 2: Security Activities During the Product Lifecycle
    The integration of security into the Total Product Life Cycle will be explained and how to align product design, development, and testing (V&V) to meet critical security requirements.  The module begins with a risk management overview, and then continues with pre-market lifecycle activities and post-market lifecycle activities that ensure security is integrated into product development and use.  Each part of the lifecycle will be broken down into phases, with practical explanations and examples.
  3. Module 3: Device Security Regulations and Standards, and Cybersecurity Threats from a Healthcare Perspective
    This module will begin with a session that provides an overview of key regulations from the FDA and OUS governments.  Three key Guidance Documents from the FDA will be reviewed and explained.  Then a summary of key industry standards relating to device security will be explained along with how they are used.  Next, a session on cybersecurity risk at a healthcare delivery organization and putting medical device security in context.  The session will begin with addressing HDO enterprise security risk.  A good understanding of the challenge from an HDO view will be provided. 
  4. Module 4: Health Delivery Organization Cybersecurity Risk, and Individual Engagement in the industry. 
    In the final module, attendees will learn more about enterprise cybersecurity risk management from an HDO view.  What makes for good cybersecurity between and HDO and a device manufacturer will be explained. From a supply chain point of view, how to operationalize cybersecurity contracts will also be covered. In the last session, noteworthy organizations and groups focused on Medica Device security and how to get engaged with them will be discussed.

 Space is limited

Registration is limited to 40 people to ensure a more intimate experience. Register in order to secure your spot.

*Reservations for this event is closed.