The course EN.601.444/644 and EP.695.74 Medical Device Cybersecurity offers a comprehensive examination of the FDA's final cybersecurity guidance for premarket submissions and postmarket activities, emphasizing its requirements and the practical application of processes to achieve compliance.
Students will gain a deep understanding of how these guidelines influence the development of medical devices, spanning the entire lifecycle from initial design and development to final deployment. The curriculum emphasizes methodologies required to meet these standards, focusing on applying threat modeling, conducting cybersecurity risk assessments, and performing penetration testing adapted to clinical environments.
This course employs real-world case studies, practical exercises, and hands-on simulations to bridge theory and application. Students will also be assigned a course-long project in which they design and develop a medical device prototype from inception, integrating robust cybersecurity measures throughout the development process.
In this project, students will collaborate to develop a functioning medical device using a Raspberry Pi 5, open-source software, and various health-related sensors such as a pulse oximeter and blood pressure cuff. The device will capture, process, and securely store patient data, leveraging AWS Cloud or BYOD mobile device applications to ensure data accessibility while meeting regulatory and cybersecurity standards. Teams will work in weekly sprints, assigning each student specialized roles, including Project Manager, Product Developer, Product Security, Regulatory Engineer, and Quality Engineer.
This hands-on approach provides experience in technical development, data security, regulatory compliance, and quality management within the medical device industry.
This course features guest lectures from practitioners across the medical device ecosystem, including regulators, independent consultants, device manufacturers, and clinical and industry leaders. Each perspective illuminates how cybersecurity requirements are interpreted, implemented, and enforced in practice.
The following is a list of guest lecturers who provided their time and expertise to support the class and students.
| Name | Title | Organization | Role |
|---|---|---|---|
| Chaitanya Mattur Srinivasamurthy | Technical Director Cyber Security and Medical Device Connectivity | ICU Medical | Manufacturer |
| Axel Wirth | Chief Security Strategist | MedCrypt | Consultant |
| Bin Fang | Chief Executive Officer | Zbeats Inc. | Manufacturer |
| Luis Vargas | Director of Medical Cybersecurity | Harbor Labs | Consultant |
| Devang Jain | Senior Research Scientist | Harbor Labs | Consultant |
| Deborah Weidman | NeuroTech Entrepreneur | Innovator | |
| Rachel Yung | General Engineer | FDA | Regulator |
| Tom Briggs | Senior Engineering Specialist | Baxter International Inc. | Manufacturer |
| Mohamed Sadeq Ali | Co-founder and Chief Operating Officer | AccurKardia | Manufacturer |
| Madeline Estey | Embedded Security Engineer | MITRE | Consultant |
| Brian Skelton | General Manager | Garrett Technologies Inc. | Manufacturer |
| Ronald Thompson | Research Assistant | Tufts Security and Privacy Lab | Researcher |
- D. Donovan, "Johns Hopkins students thwart fitness tracker hackers," Johns Hopkins University Hub, May 20, 2025. https://hub.jhu.edu/2025/05/20/medical-devices-cybersecurity-class-hopkins/.
- Cardio Crisis: ECG sensors placed on the body monitor heart activity and connect to an SBC that transmits the data via Bluetooth to a smartphone application. It can detect cardiac irregularities in real time, enabling medical personnel to respond quickly.
- HappyKittySleepyKitty: Monitors sleep patterns and stress levels in individuals with PTSD and anxiety. The device tracks physiological indicators that correlate with stress spikes and sleep disturbances, providing real-time feedback and AI-driven intervention suggestions to improve users' well-being.
- NeuroMotion: Tracks movement and other medical data for patients who have Parkinson's disease to determine if treatment is beneficial. It helps patients track their progress and optimize treatment plans, which can support better recovery and positive mental health outcomes.
- PulseLite: Creates, analyzes, and displays echocardiographic data collected on a patient's body and provides remote monitoring to alert emergency contacts when abnormalities such as heart attacks are detected.
- ThermaTrack: Tracks a patient's body temperature in real time and can alert caregivers when it detects abnormal variations. The data is stored securely in the AWS cloud, providing direct access to the collected data via a web and mobile application.
An alumni mailing list is coming soon!
Please contact Dr. Michael Rushanan (Principal Investigator) at mrushan1@jh.edu for any questions.