Medical Device Cybersecurity Short Courses
Introduction to Medical Device Cybersecurity
The Technological Leadership Institute (TLI) and the newly formed Center for Medical Device Cybersecurity (CMDC) at the University of Minnesota invite you to participate in their inaugural short course offering: Introduction to Medical Device Cybersecurity.
As the complexity and demand for medical devices grow, never has the need to protect them from evolving threats been so great. This course is designed to prepare early career professionals working in the medical device industry with the skills to meet the safety and security expectations of the patients, healthcare providers, and healthcare organizations that use their products. The courses capitalize on the unique and diverse experience of TLI faculty in technology management, particularly in Security Technologies and Medical Device Innovation.
When will this course be held?
This online course will be held twice a week on Tuesday and Thursday mornings from 9-11 a.m. CDT from September 28 through October 21, 2021.
Lectures will also be recorded and stored online for participants who choose to participate asynchronously.
Who is this course designed for?
Positions that will benefit from this course include:
- Entry-level professionals involved in the development of medical devices, including software, hardware and network connectivity
- Early career engineering professionals involved in medical device development/commercialization
- Quality and regulatory professionals
- Product security professionals (R&D/IT/Quality)
- Clinical security professionals
- Others in healthcare organizations
What knowledge and skills will attendees gain?
- Gain an understanding of the unique risks associated with security in a clinical environment.
- Learn how to identify threats and attack vectors in the clinical environment and how these differ from other environments.
- Discover how devices deployed in a network environment operate, including device identification and authentication, data transmission, data storage, and how they can provide access to the local area network to which they are connected.
- Acquire an understanding of the regulatory requirements they will have to meet in the US and EU, and where organizational policies and standards fit in for security as well as organizational objectives and strategy.
What is the cost to attend?
The costs listed below are per individual to attend the short course and are based on your CMDC affiliation and the date by which you register.
Two free attendees and then a reduced cost of $800 per person thereafter.
Early bird registration:
For those registered by August 14, 2021, the cost is $900/person. The discount will be available at checkout. No discount code is needed.
For non-CMDC members who register August 15, 2021 or beyond, the cost is $950/person.
Who are the instructors?
Mike Johnson is the Honeywell/James J. Renier Chair in Security Technologies and the director of graduate studies for the Master of Science in Security Technologies degree program at the Technological Leadership Institute (TLI) at the University of Minnesota. He also develops, teaches and administers graduate level courses in security technologies innovation, management and leadership, as well as participates in the development and delivery of customized short courses and professional development programs in response to industry needs. He brings more than 25 years of professional experience in security risk management, formerly serving as CISO and Operations Risk Director at Bremer Bank, and has gained broad skills in the areas of IT and information security risk management in a heavily regulated industry.
Daniel Mooradian is the Honeywell/James J. Renier Chair in Technology Management and director of graduate studies for the Master of Science in Medical Device Innovation degree program at TLI, where he leads partnerships and course offerings for students in the medical device industry. Mooradian is a seasoned leader of medical device product development with VP and C-suite level experience. He is the founder and president of The Simpatico Group LLC, chief science officer at Innova Medical Design, and chief science officer at Novum Therapeutics.
Bill Aerts is the founder and executive director of the Archimedes Center for Healthcare and Medical Device Security at the University of Michigan. He has more than 30 years of security experience, previously serving as the director of product security within Medtronic’s Global Security Office. He helped to build Medtronic’s original Information Security Program and has created and championed information and product security programs in the insurance, transportation, retail and healthcare industries. He has also served in various consulting roles and as an adjunct professor in the Carlson School of Management at the University of Minnesota.
Andrew Bomett is the Director, R&D/IT Global Product Cybersecurity at Boston Scientific, focused on the safety and security of the company’s products, applications and supporting infrastructure. Before that, he was a principal security analyst in Mayo Clinic’s Clinical Information Security team. He has over 10 years’ experience in risk-driven healthcare security architecture, ranging from embedded systems to IT infrastructure, with a focus on medical device security. Andrew holds a bachelor’s degree in computer science from Southwest Minnesota State University and a master’s degree in security technologies (MSST) from the University of Minnesota. He is certified as both CISSP and GCFE.
Ken Hoyme is senior fellow, global product cybersecurity at Boston Scientific. He has over 35 years’ experience in the design of regulated safety-critical secure systems. At Boston Scientific, he drives processes and practices for pre- and post-market cybersecurity risk management across the company’s products and services. Hoyme is co-chair of H-ISAC’s Medical Device Security Information Sharing Council (MDSISC), past co-chair of AAMI’s Device Security Working Group and a member of AAMI’s BI&T Editorial Board. Previously he was at Adventium Labs performing government-funded research on the intersection of safety and security for cyber-physical systems. Prior to that, he was a Senior Fellow at Boston Scientific where he was the systems lead for the development of the LATITUDE Remote Patient Management system. He also spent 18 years as a senior fellow at Honeywell’s Corporate Research lab. He was awarded Honeywell’s highest technical recognition for his work on the Boeing 777. Ken has been granted 40 US and 9 international patents.
What is the Center for Medical Device Cybersecurity?
Medical device security is a growing need for medical device manufacturers, healthcare delivery organizations, governmental research laboratories and federal agencies like the Food and Drug Administration. Mitigating security risks for medical devices requires the expertise of computer scientists and software engineers, medical device innovators, policymakers, and healthcare leaders and practitioners. In our increasingly interconnected world, medical devices from pacemakers to medication dispensing stations and patient databases require top-of-the-line cybersecurity. The CMDC seeks to assist stakeholders in collaborating on and meeting these needs by leveraging a multidisciplinary community of researchers and industry partners.
The CMDC’s mission is to foster university-industry-government partnerships to assure that medical devices are safe and secure from cybersecurity threats through pre-competitive R&D, targeted training programs, robust security assessments, and informed regulation and policy. It is focused on creating a collaborative hub where research, information sharing and education can thrive. Through a combination of industry partnerships, networking opportunities and training exercises we aim to create a valuable experience for industry members, faculty and students alike.
If your company or organization is interested in getting involved or becoming a member, please visit the CMDC website.
Introduction to Medical Device Cybersecurity will consist of four modules. Each module will be broken down into two two-hour sessions, for a total of 16 learning hours.
Module 1: Network and Data Security in Healthcare (4 hours)
In this module, the current risk and threat landscape will be explored. Students will learn the challenges of providing optimal care while maintaining safety and compliance and the vital role that device security plays in doing so. A relevant case study will be used to help participants gain awareness and understanding about the importance of Security by Design and the unique role of product development professionals in meeting the expectations of key stakeholders.
Module 2: Cybersecurity Regulations, Industry Standards, Corporate Policies and Best Practices: The US, Canada and Europe (4 hours)
In this module, attendees will learn the regulatory environment in which all medical products are commercialized in the US as well as Europe. The evolution in thinking at the FDA over the past several years specific to medical device cybersecurity will be reviewed, and the expectations of the agency related to both regulatory clearance (i.e., clearance to market and sell based on safety and effectiveness) and compliance (i.e., quality systems management throughout the TPLC) will be discussed. Key guidance documents by HHS/FDA in the US and the EU Medical Device Regulation and other EU directives will be reviewed. An understanding of industry standards (AAMI, ISO, IEC) and company-specific (internal) policies/practices driven by corporate strategy will also be delivered. Relevant case studies will be used to ensure participants gain knowledge that is generalizable to their own work.
Module 3: Security by Design in Medical Product Development (4 hours)
In this module, attendees will learn how an understanding of risk, informed by regulation and policy, can be applied to their work and help prioritize product design, development, and testing (V&V) to meet critical security requirements (i.e., regulatory, standards and security best practice) within the broader design requirement to gain clearance to market and sell in the US and EU. The integration of security by design into the Total Product Life Cycle will be explored, and learnings will be reinforced through one or more practical exercises.
Module 4: Integrating Product Risk and Enterprise Risk (4 hours)
In the final module, attendees will learn how project and team-level risk assessment and mitigation integrate and support enterprise-level risk management processes (e.g., legal, quality, regulatory and operations). Attendees will learn how to use purpose-built risk analysis tools (e.g., Common Vulnerability Scoring System) and how to incorporate this into QMS-mandated total product lifecycle management and enterprise-level risk management strategy. Their obligation to post-market vigilance and continual improvement will also be discussed. This module will also review risk concepts that include threat modeling, third-party/supply chain risk, vendor relations, strategic partnerships, and risk stratification (FDA).