Whiteboards, implants, and threats, oh my!

Learn how to create, maintain, and update threat models for medical devices in our training jointly developed with the Data Protection Institute.

Contact Us

Why Threat Model?

Regulators, including the U.S. Food & Drug Administration (FDA) and the European Union under MDR/IVDR, are embracing threat modeling as a recommended best practice to assure the appropriate reduction of cyber risks of medical devices. Threat modeling identifies & helps reduce potential security issues across risk types for makers and users; including patient safety risks. R&D teams need to incorporate security into their continuous design and engineering processes. Ensures that your team has the ability to identify threats and iterate on existing threat models that are generated. Allowing security to be a part of the medical device development lifecycle.

Schedule Now

The Details

Who should take part

If you are involved in any aspect of developing and maintaining medical devices and managing their security risks, this course is for you!
You do not need to have a background in security. All that we ask is that you come with a willingness to learn and ask as many questions as possible.

Why take this course

MedCrypt, a leading cybersecurity firm 100% focused on medical devices, and Toreon’s Data Protection Institute (DPI), a globally-recognized leader in cybersecurity and privacy training, have partnered to create a targeted threat modeling training specifically for Medical Device Makers.

When is it

Join us  September 11th until September 14th 2023 for the training!

Classes will be held from 12 PM ET/9AM PT/18h CET to 4PM ET/1PM PT/22h CET every day, and participants will be able to start working on the 8 hours of preparatory self-paced materials on September 11th.

What do you need

You only need three things:    
1. stable internet access
2. your own laptop (preferred) or tablet
  3. access to MS Teams with sharing turned on

And... (most importantly) bring an excitement to learn!

Threat Modeling Example used in the Training

Request a demo

At a high level, this course will teach you to:                  

  • Create, maintain, and update a threat model for a medical device
  • Understand how to use and communicate the threat modeling outputs for engineering and regulatory submissions

Each stage of the threat modeling process will use a fictional medical device. We’ll also link each aspect of the training back to regulatory requirements so you can see how this will directly impact your submission materials.

At the end of the course, you'll build your own threat model using our templates, receiving personalized feedback, and then you'll be ready to start threat modeling your own devices!

Educational approach of this course

Threat modeling can seem like a daunting task that’s hard to apply for medical devices, and engineers may be unsure of its value. We understand this and have designed the course to address those concerns, centering the training around a fictional medical device and ensuring that each stage is explicitly linked to medical device examples.

We have designed this training to bring learners to comfort and ease with threat modeling, and lowering the barrier to entry. The training is a hybrid format that combines self-paced learning with an intensive four live labs. You’ll start your learning on our hybrid learning platform, which will walk you through a series of assignments to be completed before the live sessions. You’ll walk through the materials at your own pace, as well as interact with your peers on a forum that are part of the assignments. During this time our team will be available for any questions you might have.

We want to ensure that you get the most out of this training, and we’ll spend the live sessions applying the concepts from the preparatory material to a fictional medical device. We’ll periodically put you in breakout rooms so that you’ll brainstorm and apply what you are learning to something that you’ll have some familiarity with. You’ll not only see how to use threat modeling for medical devices, but also start to build templates and documents that you can leverage on your own work.

Exercises include (a more comprehensive list can be found in the training outline):

  • Diagramming a clinical decision support application that uses the same REST hosted backend as a mobile patient dashboard
  • Discussing how an attacker might gain access to an implanted device using a compromised hospital’s network
  • Evaluating threats for an implantable device, including deciding what features/integrations to build based on risk and business evaluation
  • Mapping the results of a threat model to parts of the regulatory submission for FDA

As we go through each stage of the threat modeling process, we’ll link it back to regulatory requirements so you can see how this will directly impact your submission materials. Our ambition is that you’ll see how much threat modeling can help you with regulations and ensure your devices leverage secure architecture.

Finally, you will create your own threat model. You’ll be able to do this using what you’ve learned, combined with templates that we’ll provide you. We’ll then review those threat models individually with you approximately one month after the live sessions and answer any questions you might have about regulatory requirements.

Schedule Now

We live and breathe healthcare cybersecurity

A medical device may look like just another IoT device, but regulatory constraints and their unique use case require a healthcare-first approach to cybersecurity. MedCrypt's solutions are built specifically for medical devices, which means clinical functionality, patient safety, and care delivery are always the highest priority.