
Medical Device Cybersecurity Training

Protecting patient safety begins with protecting the technology that delivers care.

This blended training program equips healthcare technology and security professionals with the knowledge, tools, and confidence to manage cyber risk across the medical device ecosystem. From infusion pumps to imaging systems, participants learn how to align technical controls, operational processes, and governance practices using the NIST Cybersecurity Framework (CSF) and other industry-recognized frameworks.

Format: Blended Learning (Virtual + Self-paced)

Duration: Eight Weeks (One Module Per Week)

Certificate: Certificate of Completion available

Focus Areas: Medical Device Security, Risk Management, Compliance, and Operational Resilience

Each week, participants complete interactive lessons, real-world case studies, and scenario-based exercises designed to strengthen the six core functions of the NIST CSF 2.0: Govern, Identify, Protect, Detect, Respond, and Recover. The program bridges the gap between HTM, IT, and cybersecurity leadership so that everyone speaks the same language of risk and resilience.

Who should attend

  • Healthcare Technology Management (HTM) and Clinical Engineering professionals
  • IT and Information Security staff supporting biomedical or operational technology
  • Directors, VPs, and CISOs responsible for cybersecurity program oversight
  • Regulatory and Compliance leaders aligning to HICP, ISO/IEC 27001, the HIPAA Security Rule, and DNV requirements

Modules


Module 1 – From Inventory to Intelligence: Medical Device Security Foundations (4hrs)

  • Understanding the connected medical device ecosystem
  • Significance of device telemetry and network visibility
  • Which device attributes to collect, how to collect them, and best practices for storing and using them
  • Building and maintaining an accurate inventory
  • Best practices for reconciling the inventory in the CMMS to support security initiatives
  • Device behaviors: creating baselines, understanding usage patterns, and detecting abnormal behavior
  • Using data analytics for business decisions
  • Device utilization analysis for reallocation and capital planning
  • Device location analysis for staff efficiency and regulatory compliance
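As an added illustration of the baseline-and-deviation idea in this module (example code written for this page, not course material and not code from any monitoring product): flow records of the kind a passive network sensor exports are reduced to a per-device baseline of destination tuples, and new flows are then labelled using inventory context that the sensor alone cannot know. The asset tags, device classes, subnets and flow records are constructed; the label names and the zone tables are assumptions made for the demonstration.

```python
"""Per-device network baseline with deviation triage.

Added illustrative example; not course material and not vendor code. The
flow records, asset tags, device classes and subnets are constructed.
"""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    device_id: str   # CMMS asset tag (constructed)
    dst_ip: str
    dst_port: int
    proto: str       # "tcp" or "udp"


# Inventory context a passive sensor cannot see on its own: which class each
# asset belongs to and which subnets that class is expected to talk to.
INVENTORY = {"PUMP-0141": "infusion_pump", "CT-0007": "ct_scanner"}
EXPECTED_SUBNETS = {
    "infusion_pump": [ipaddress.ip_network("10.20.5.0/24")],  # pump gateway VLAN
    "ct_scanner": [ipaddress.ip_network("10.30.0.0/16")],     # PACS / imaging VLAN
}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Learning-period telemetry (constructed): a pump that only reaches its vendor
# gateway and DNS, and a CT modality that only sends DICOM (TCP/104) to two PACS nodes.
BASELINE_FLOWS = [
    Flow("PUMP-0141", "10.20.5.10", 443, "tcp"),
    Flow("PUMP-0141", "10.20.5.10", 443, "tcp"),
    Flow("PUMP-0141", "10.20.5.53", 53, "udp"),
    Flow("CT-0007", "10.30.1.20", 104, "tcp"),
    Flow("CT-0007", "10.30.1.21", 104, "tcp"),
]


def build_baseline(flows):
    """Count (dst_ip, dst_port, proto) tuples per device over the learning period."""
    baseline = defaultdict(Counter)
    for f in flows:
        baseline[f.device_id][(f.dst_ip, f.dst_port, f.proto)] += 1
    return baseline


def classify(flow, baseline):
    """Label one flow against the baseline and the inventory context.

    Ordering matters: an exact baseline hit is accepted first, a device missing
    from the inventory is reported before its zone is guessed, and an external
    destination is reported before any subnet check.
    """
    known = baseline.get(flow.device_id, {})
    if (flow.dst_ip, flow.dst_port, flow.proto) in known:
        return "known"
    dev_class = INVENTORY.get(flow.device_id)
    if dev_class is None:
        return "alert:unknown-device"      # sensor sees it, CMMS does not: reconcile
    dst = ipaddress.ip_address(flow.dst_ip)
    if not any(dst in net for net in INTERNAL_NETS):
        return "alert:external-destination"
    if any(dst in net for net in EXPECTED_SUBNETS.get(dev_class, [])):
        known_ports = {port for (_, port, _) in known}
        if flow.dst_port in known_ports:
            return "review:new-peer"       # same service, new server in the expected zone
        return "alert:new-service"         # expected zone, but a service never seen before
    return "alert:out-of-zone"             # internal, but not a zone this class should reach


def triage(flows, baseline):
    """Return every non-baseline flow with its label, alerts before reviews."""
    labelled = [(f.device_id, f.dst_ip, f.dst_port, classify(f, baseline)) for f in flows]
    deviations = [row for row in labelled if row[3] != "known"]
    return sorted(deviations, key=lambda row: (not row[3].startswith("alert"), row[0]))


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    observed = [
        Flow("PUMP-0141", "10.20.5.10", 443, "tcp"),   # normal
        Flow("CT-0007", "10.30.1.22", 104, "tcp"),     # new PACS node
        Flow("PUMP-0141", "10.20.5.10", 445, "tcp"),   # SMB from a pump
        Flow("PUMP-0141", "10.30.1.20", 104, "tcp"),   # pump reaching PACS
        Flow("CT-0007", "203.0.113.9", 443, "tcp"),    # CT calling out to the internet
        Flow("US-0099", "10.20.5.10", 443, "tcp"),     # not in the CMMS at all
    ]
    for row in triage(observed, base):
        print(row)
```

The check deliberately keeps a "review" tier separate from "alert": a new PACS node on the same DICOM port is a routine change worth a ticket, whereas SMB from an infusion pump, a pump reaching the imaging VLAN, or a modality talking to the internet is not, and an asset the sensor sees but the CMMS does not is itself an inventory finding.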

Module 2 – Lifecycle in Focus: Medical Device Cyber Risk from Procurement to Retirement (4hrs)

  • Secure procurement and vendor risk management
  • Identifying contract language for asset procurement and evaluation criteria for auditability and accountability
  • Conducting a pre-procurement assessment
  • Contacting vendors and acquiring security documentation, MDS2 forms, and SBOMs
  • Identifying MDS2 documents, reviewing and cross-referencing them against device versions, and best practices for storing and reviewing them
  • Properly onboarding devices: hardening, applying controls, and recording the controls applied
  • Tracking lifecycle management, planning for technology debt, and using cyber risk to support capital planning
  • Incorporating cyber best practices into PMs/CMs (preventive and corrective maintenance)
  • Media sanitization
  • Replacement planning

Module 3 – Beyond the Patch: Vulnerability Management (5hrs)

  • Concepts and terminology
  • Identifying internal, external, and emerging threats
  • How to identify ICSMA/ICS advisories: where to find them, how to subscribe, how to review them, and how to prioritize
  • Understanding and categorizing vulnerabilities (network, physical, utilities, supply chain, cloud, etc.)
  • Understanding CVEs and how the CVSS scoring system works
  • Prioritizing CVEs and how CVSS and exploitability apply
  • Correlating vulnerabilities with device criticality and clinical function
  • Workarounds and compensating controls for unpatchable or legacy devices
  • Creating a vulnerability management program, including scope, process, procedures, and alignment
  • Metrics (KPIs, CSFs) associated with vulnerabilities
  • Vulnerability communication and workflow integration
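The prioritization bullets above (CVSS, exploitability, device criticality and clinical function, workarounds for unpatchable devices) describe a ranking approach. The following added example, written for this page and not the course's or any scanner's scoring scheme, crosses a constructed inventory against constructed advisories, adjusts each CVSS base score for clinical function, network reachability and known exploitation, and maps the result to a patch or compensating-control action. The device models, advisory IDs, version ranges, weights and thresholds are all assumptions for the demonstration.

```python
"""Rank medical device vulnerabilities by CVSS, exploitability and clinical context.

Added illustrative example; not course material and not an official scoring
scheme. Models, firmware versions, advisory IDs, scores and weighting tables
are constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    asset_tag: str
    model: str
    firmware: str
    clinical_function: str   # life_sustaining | diagnostic | monitoring | ancillary
    exposure: str            # internet | flat_lan | segmented | isolated
    patchable: bool          # a vendor-validated patch exists and can be applied


@dataclass(frozen=True)
class Advisory:
    advisory_id: str         # hypothetical ID, not a real CVE/ICSMA number
    model: str
    affected_min: str        # first affected firmware version (inclusive)
    fixed_in: str            # first fixed firmware version (exclusive upper bound)
    cvss_base: float
    known_exploited: bool    # e.g. listed in a known-exploited-vulnerabilities catalog
    network_vector: bool     # CVSS attack vector is Network (AV:N)


# Weighting tables are assumptions for this example; a real program would
# derive them from its own risk appetite and device criticality tiers.
CLINICAL_WEIGHT = {"life_sustaining": 1.0, "diagnostic": 0.8, "monitoring": 0.7, "ancillary": 0.4}
EXPOSURE_WEIGHT = {"internet": 1.0, "flat_lan": 0.8, "segmented": 0.5, "isolated": 0.2}
LOCAL_VECTOR_DISCOUNT = 0.4   # local/physical-vector flaws are not reachable over the network
KEV_MULTIPLIER = 1.5          # exploitation in the wild outweighs a modest base score


def parse_version(text):
    """Turn '3.2.1' into (3, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def is_affected(device, adv):
    """True when the device runs the advisory's model inside the affected range."""
    if device.model != adv.model:
        return False
    fw = parse_version(device.firmware)
    return parse_version(adv.affected_min) <= fw < parse_version(adv.fixed_in)


def priority_score(device, adv):
    """CVSS base adjusted for clinical function, reachability and exploitation, capped at 10."""
    score = adv.cvss_base * CLINICAL_WEIGHT[device.clinical_function]
    score *= EXPOSURE_WEIGHT[device.exposure] if adv.network_vector else LOCAL_VECTOR_DISCOUNT
    if adv.known_exploited:
        score *= KEV_MULTIPLIER
    return round(min(score, 10.0), 2)


def recommend(device, score):
    """Map the score to an urgency band and to patch vs. compensating control."""
    urgency = "urgent" if score >= 7.0 else "scheduled" if score >= 4.0 else "backlog"
    action = "patch" if device.patchable else "compensating-control"
    return f"{urgency}:{action}"


def prioritize(devices, advisories):
    """Cross the inventory with advisories, score each match and rank highest first."""
    findings = []
    for dev in devices:
        for adv in advisories:
            if is_affected(dev, adv):
                score = priority_score(dev, adv)
                findings.append({
                    "asset_tag": dev.asset_tag,
                    "advisory": adv.advisory_id,
                    "cvss": adv.cvss_base,
                    "score": score,
                    "action": recommend(dev, score),
                })
    return sorted(findings, key=lambda f: (-f["score"], f["asset_tag"]))


# Constructed inventory and advisories (hypothetical models and IDs).
DEVICES = [
    Device("PUMP-0141", "ExamplePump", "3.2.1", "life_sustaining", "segmented", True),
    Device("PUMP-0142", "ExamplePump", "3.4.0", "life_sustaining", "segmented", True),
    Device("CT-0007", "ExampleCT", "2.0.5", "diagnostic", "flat_lan", False),
    Device("WS-0301", "ExampleWorkstation", "1.1.0", "ancillary", "internet", True),
]
ADVISORIES = [
    Advisory("ADV-001", "ExamplePump", "3.0.0", "3.4.0", 9.8, False, True),
    Advisory("ADV-002", "ExampleCT", "2.0.0", "2.1.0", 7.5, True, True),
    Advisory("ADV-003", "ExampleWorkstation", "1.0.0", "1.2.0", 8.8, False, False),
]

if __name__ == "__main__":
    for finding in prioritize(DEVICES, ADVISORIES):
        print(finding)
```

On this constructed data the 7.5 advisory that is known to be exploited, on an unpatchable CT scanner sitting on a flat LAN, ranks above the 9.8 on a segmented infusion pump, and the workstation's 8.8 local-vector flaw drops to the backlog; sorting by raw CVSS would have produced the opposite order. The version comparison is numeric on purpose: a string comparison would put firmware "3.10.0" below "3.9.9" and silently mark a vulnerable device as fixed.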

Module 4 – Patching with Precision: Managing Medical Device Updates in Clinical Environments (4hrs)

  • Fundamentals of device patching
  • Change management processes and procedures for medical devices
  • Identifying clinical impediments, system downtime, and activities associated with patching devices
  • Identifying devices that are patchable and establishing a cadence and a rollback plan
  • Installing and verifying patches on devices
  • Metrics (KPIs, CSFs) associated with patching devices
  • Tracking compliance and resourcing patching efforts

Module 5 – Governance in Action: Building Accountability for Medical Device Security (4hrs)

  • How to establish a charter, identify the objective, set the cadence, and define stakeholder accountability
  • Building a strategy, or aligning with the organization’s existing strategy and mission
  • Setting cybersecurity goals for the HTM team and aligning them with cyber/IS goals
  • Creating a roadmap with future projections
  • How to build a business case for tools, FTEs, and other resources
  • Building an education and training roadmap and budget
  • Understanding service management for HTM, defining SLAs, and creating guidelines for the team
  • Building a RACI
  • Tracking lifecycle management, planning for technology debt, and using cyber risk to support capital planning
  • Gap analysis of policies, procedures, and guidelines, departmental vs. organizational
  • Creating workflows and guidelines for front-line staff
  • Providing strategic departmental oversight for organizational capabilities and governance

Module 6 – Managing What Matters: Risk Management for Medical Device Security (4hrs)

  • Defining the risk management lifecycle: risk identification, risk assessment, risk response and mitigation, and risk and control monitoring and reporting
  • Establishing the context of risk by knowing the organization’s risk appetite and thresholds
  • Identifying inherent risk vs. residual risk vs. current risk (residual risk = inherent risk – cumulative effect of controls)
  • Performing a risk assessment (risk identification, risk analysis, risk evaluation)
  • Contextualizing risk by creating a risk profile that incorporates data, patient, and business impact and likelihood
  • Building assessment types and determining when they should be conducted (procurement/onboarding, annually, or after environment or significant system changes)
  • Countermeasure and control evaluation and identification, mapped back to the risks identified
  • Identifying risk treatment options, how to track them, and best practices for deployment and monitoring
  • Evaluating and obtaining support for risk response options (acceptance, mitigation, transfer, avoidance) and justifying your response (cost-benefit, ROI, LOE, etc.)
  • Understanding and tracking control ownership and processes
  • Control management procedures: proper installation, change management, training to monitor and review, assignment of responsibility, and creating a schedule for review and reporting
  • Administrative controls: managerial oversight, reporting, procedures, and operation of processes
  • Technical controls: provided by technology, equipment, or a device, ranging from firewalls and NAC to password complexity and A/V software
  • Physical controls: badges, locked doors, CCTV, etc.
  • How to present medical device security and risks to leadership

Module 7 – When Devices Go Dark: Incident Response, Business Continuity & Contingency Planning for Medical Device Security (4hrs)

  • How to build a communication plan with swimlanes and processes for specific scenarios (ransomware, loss of power, fire, etc.)
  • How to manage vendors and hold them accountable for security requirements (compensating controls for vendors)
  • Working with vendors to support organizational mission and objectives
  • Incorporating CE operations into IR plans and procedures (including communication procedures)
  • Conducting a tabletop exercise on IR plans and evaluating lessons learned
  • Incorporating incidents and outcomes into the BIA
  • How to build and align a continuity and contingency plan, and what elements it includes
  • Defining the difference between IR, DR, and BCP
  • Identifying the organization’s most critical and sensitive assets (BIA)
  • Determining alternatives, redundancy availability, partners and suppliers, MTTR, and RPO (BIA)
  • Creating asset contingency plans based on organizational criticality and sensitivity (BIA)

Module 8 – Navigating the Rules: Regulations, Resources, and the Future of Medical Device Security (3hrs)

  • Discussing and identifying the applicability of regulators and their requirements (CMS, CDRH/FDA)
  • Cross-referencing guidelines and standards to support your program (HITRUST, HHS 405(d), NIST CSF, MITRE, ISO/ANSI, etc.)
  • How to map the standards and guidelines to your maturity model and desired program outcomes
  • Creating criteria and use cases for security technology selection and mapping them to maturity
  • Using security tools to support initiatives
  • Training, development, and maturity with security tools
  • Cross-referencing security tool stacks
  • Joining the H-ISAC community: benefits and shared resources

Help safeguard the future of healthcare

Learn more about how Medical Device Cybersecurity Training fits into your organization’s needs.

Start the Conversation