Eight ideas, in order, that explain why medical device security is its own discipline — pulled from years of Medcrypt and MedISAO research, webinars, and field experience. No login required.
A pacemaker isn't a laptop. When it's compromised, someone's health is on the line.
Reframes cybersecurity away from IT jargon and toward the stakes unique to connected medical devices: clinical risk, not just data risk. This is the opening module — the "why should I care" before everything else.
Attackers don't need to hate hospitals. They just need an easy target — and medical devices are full of them.
Covers why healthcare and medtech are attractive targets — long device lifespans, legacy operating systems, connectivity, and now AI-accelerated exploit development. Uses real incidents as teaching moments rather than abstract theory.
FDA clearance means a device met a bar. It doesn't mean it's secure for its next ten years in the field.
Explains why regulation exists — FDA premarket guidance, Section 524B, EU MDR — without turning into a compliance-tool pitch. The point is why regulators started caring, which doubles as a plain-language regulatory-literacy primer.
The best time to fix a security problem is before the device exists on paper.
Demystifies the two most foundational engineering concepts — threat modeling and cryptography/PKI — for a general audience, echoing the accessible tone of the existing (separate) Threat Modeling Training program.
Every device is built on someone else's code. Most manufacturers can't say whose.
Introduces software transparency and open-source risk as a supply-chain story, not a tooling pitch — the "why" behind SBOM before the "how."
Getting cleared is the start line. The device still has to survive five, ten, fifteen years in the field.
Covers post-market vigilance, monitoring, and coordinated vulnerability disclosure — translating MedISAO's core value proposition into plain-language "why this matters" rather than membership-pitch language.
The manufacturer down the street just fixed a vulnerability that's probably in your device too. Are you hearing about it?
Explains information sharing and industry collaboration — JSP, HSCC, H-ISAC, CISA, the FDA/MedISAO MOU — as the reason organizations like MedISAO exist. A good place to make the MedISAO/Medcrypt relationship legible to a newcomer.
AI is speeding up attackers and regulators at the same time. Quantum computers will eventually break today's encryption.
Forward-looking module covering AI/ML in both offense and defense, post-quantum cryptography, and emerging connectivity standards — keeps the section from feeling static and gives it a reason to be revisited.
This section is the primer. MSI is the platform for teams ready to act on it.
Talk to an expert Explore the platform