
Fundamental Series
Part of MedSec Academy
The Fundamentals Series of courses helps bring cybersecurity awareness to staff with less experience in cybersecurity and to cybersecurity practitioners moving into the medical device regulatory environment.

Course 001 • FDA Cybersecurity Submissions: Understanding the Documentation Requirements
​
Description: This course will go into detailed overviews of the deliverables needed for medical device cybersecurity throughout the total product lifecycle. It will help ensure your organization is aware of how to meet regulatory requirements for submissions and when the deliverables should be generated.
Audience: This course is best suited to those who already have awareness of medical device cybersecurity and are interested in a more detailed understanding of FDA deliverables and when to generate them. This may include software engineers, cybersecurity staff, regulatory affairs staff, and management.
​
Planned Agenda:
- What is Cybersecurity?
- Importance of Cybersecurity for Medical Devices
- Regulation of Cybersecurity – US Focus
- Cybersecurity in Design
- Postmarket Responsibilities

Course 002 • Understanding Your New Sandbox: Preparing Cybersecurity Professionals in the Medical Device Space
​Description: The need for top security talent in the medical device industry far exceeds the currently available pool. That means that we often welcome those outside of the industry to fill those seats. This can be a challenge both for the new hire as well as the team that they join. Working in such a highly regulated industry brings many rules that can seem both onerous and confusing. MedSec would like to help. This course is built to connect classic cybersecurity knowledge around the framework of the compliance considerations of working in the medical device industry.
​
Audience: This course is best suited for technical staff whose careers have not historically been in the medical device industry and would benefit from a better understanding of the regulations and best practices.
​
Planned Agenda:
- Medical Device 101: How to navigate regulated space
- Importance of documentation and process
- Moving fast and making progress in a regulated environment
- Pitfalls to avoid

Course 003 • International Cybersecurity Regulations
​
Description: The US FDA has been a strong driver of medical device security expectations, but they are not the only regulators outlining medical device cybersecurity expectations. This course will review the specific medical device cybersecurity requirements for countries outside of the US, including common threads amongst the countries.
​
Audience: This course is best suited for staff who are responsible for navigating cybersecurity expectations outside the US, either to maintain marketed products or to enter into a market for the first time.
​
Planned Agenda:
- Common threads across the globe
- IMDRF: Driving harmonization in thought and policy
- Big hitters: European Union, Japan, Australia, Canada, China
- Other markets to consider

Course 004 • Cybersecurity Standards for Medical Devices
​
Description: Standards are the backbone of any regulated industry. In some cases, they are mandatory, such as IEC 81001-5-1 in Japan. In other cases, they can be leveraged to develop processes that align with regulators’ thinking, such as AAMI TIR 57 in the US. Whatever the driver, standards help you build processes and products faster and with a higher chance of success with regulators and customers. This course will review not only the content of key cybersecurity standards but also how to use them strategically.
​
Audience: This course is best suited for those seeking a better understanding of how to use cybersecurity standards in the medical device industry.
​
Planned Agenda:
- How cybersecurity standards are used in the medical device industry
- Medical device specific cybersecurity standards: domestic and international
- General cybersecurity standards and their use
- Non-standards for cybersecurity such as NIST
- Useful standards from other industries such as industrial control standards

Course 005 • Cybersecurity Architecture Views for Medical Devices
​
Description: Of the many expectations in the new FDA Premarket Cybersecurity guidance, Cybersecurity Architecture Views have been one of the more challenging deliverables for medical device manufacturers to meet. The need for multiple diagrams and the level of detail needed in each view has caught many manufacturers by surprise. This course will help manufacturers better understand how to approach the Architecture Views and develop strategies for how to make these more successful in their submissions and useful throughout the device lifecycle.
​
Audience: This course is for staff at medical device manufacturers who are responsible for generating or reviewing Threat Modeling and Architecture Views documentation for medical devices.
​
Planned Agenda:
- Describe the structure of Architecture Views and their benefits to medical device manufacturers
- Discuss the similarities and differences between Threat Modeling and Architecture Views
- Identifying when different Views are applicable to a medical device
- Understand how Architecture Views can be used throughout the Total Product Lifecycle

Course 006 • IEC 81001-5-1: Understanding and Integrating for Secure Medical Device Lifecycles
​
Description: IEC 81001-5-1 has been gaining significant traction with regulators like those in Japan and the European Union. It is also referenced by the FDA as an example of a Secure Product Development Framework (SPDF). This course will help with understanding and integrating this standard, which can help ensure you are developing and maintaining more secure devices and improve chances for success with regulators.
​
Audience: This course is for medical device cybersecurity team members and regulatory affairs personnel at medical device manufacturers who are looking to better understand IEC 81001-5-1 and its use.
​
Planned Agenda:
- Foundation of the Standard
- Understanding the Secure Device Lifecycle
- Correlation between 62334 and 81001-5-1
- Annex F for Transitional Software
- Integration of 81001-5-1 into Processes

Course 007 • Postmarket Cybersecurity Management: Understanding the Processes and Requirements
​
Description: Maintaining medical device cybersecurity is a responsibility of medical device manufacturers throughout the Total Product Lifecycle (TPLC). This cybersecurity responsibility is changing the resource needs and processes for how manufacturers do business. This course will discuss the various postmarket processes needed to maintain medical device cybersecurity and the applicable requirements governing these processes.
​
Audience: This course is for medical device cybersecurity team members, regulatory affairs personnel, and quality assurance personnel at medical device manufacturers who are looking to better understand postmarket cybersecurity processes and requirements.

Planned Agenda:
- Vulnerability Management
- Coordinated Vulnerability Disclosure
- Incident Response
- Communications
- Post Market Risk Management
- Updates
- Guidance

Course 008 • Scoring your Cybersecurity Risks: Understanding Options and Methodology on Risk Estimation
​
Description: For effective risk management, cybersecurity risks require a different scoring mechanism than other design disciplines due to the human actor involved. This process is further challenged by the lack of an agreed-upon methodology in the medical device sector for evaluating cybersecurity risks. This course will help you understand different methodologies for cybersecurity risk estimation and when to consider using particular methods.
​
Audience: This course is for medical device cybersecurity team members, regulatory affairs personnel, and quality assurance personnel at medical device manufacturers who are looking to better understand cybersecurity risk estimation and scoring.
​
Planned Agenda:
- Cybersecurity Risk Assessment Methodology
- Understanding Risk Scoring Options
- Methodology Strengths and Weaknesses
- Design Risks vs. Known Vulnerabilities
