CY 7790 / CY 4973
Medical Device Cybersecurity
Spring 2026

Course Description

This interdisciplinary and experiential special topics course explores the technical and regulatory aspects of medical device cybersecurity, focusing on the unique challenges in securing operational technology (OT) in healthcare systems—as opposed to traditional Information Technology (IT). Students will study foundational concepts such as embedded system security, FDA regulatory guidance, federal and international law on medical device security, and resilience engineering.

New for 2026: The course will also introduce students to Whole-Hospital Simulations (WHS)—realistic testbeds that emulate healthcare environments—and Vulnerability Mitigation Platforms (VMPs), which safeguard medical devices and hospital networks. Students will explore how these platforms enable system-level security evaluation and will experience a paradigm shift in medical device security regulatory frameworks: moving evaluations from component-level thinking about individual medical devices to whole-hospital system thinking about oodles of interacting medical devices and more.

Through critical essay writing, case studies, site visits to hospitals and operating rooms, interviews with medical device manufacturers, and role-play debates involving FDA reviewers, students will develop critical skills for careers in healthcare cybersecurity. Graduate students in CY 7790 will complete additional assignments to deepen their understanding and demonstrate advanced competency.

Course Syllabus

Instructors: Prof. Kevin Fu; Axel Wirth (Chief Security Strategist at MedCrypt)

Kevin Fu, Ph.D., is Professor of Electrical & Computer Engineering, the Khoury College of Computer Sciences, and Bioengineering at Northeastern University. He leads research in analog cybersecurity, focusing on threats to the physics of computation and sensing, with work that has influenced medical device manufacturers, global regulators, and international safety standards. A widely published expert in medical device security, healthcare ransomware, automobile cybersecurity, RFID security, and web security, Dr. Fu previously served as Acting Director of Medical Device Cybersecurity at the U.S. FDA and Program Director for Cybersecurity at its Digital Health Center of Excellence. He has testified before Congress, co-chaired the AAMI cybersecurity working group to develop FDA-recognized consensus standards, and co-founded N95decon.org during the COVID-19 pandemic. He holds B.S., M.Eng., and Ph.D. degrees from MIT.
As Chief Security Strategist at Medcrypt, Axel Wirth focuses on cybersecurity in the healthcare industry. Over 15 years, he has developed a deep understanding of the unique security challenges in this space.
Axel has a proven track record of developing and implementing effective security solutions that ensure the confidentiality, integrity, and availability of medical devices and the sensitive data they manage. He teaches courses in medical device cybersecurity at the University of Connecticut and through AAMI and has contributed to several books. Axel is known for his exceptional problem-solving skills, technical knowledge, and excellent communication and leadership abilities. He is committed to advancing the field by ensuring that medical devices are secure and patients are safe.
He holds a Master of Science in Engineering Management (MSEM) from The Gordon Institute of Tufts University and a Bachelor of Science in Electrical Engineering (BSEE) from Düsseldorf University of Applied Sciences.

Target Audience:

Learning Objectives

  1. Technical Proficiency: Apply security assessment techniques such as threat modeling, fuzz testing, software bill of materials (SBOM) generation and ingestion, and resilience testing to medical devices.
  2. Regulatory Knowledge: Understand and navigate regulatory affairs for medical device security, including U.S. FDA and international standards.
  3. Incident Management Skills: Engage in a simulated cybersecurity recall, working directly with FDA reviewers and device industry professionals.
  4. Ethics: Explore the ethical and privacy implications of cybersecurity in healthcare, especially concerning patient safety.
  5. Experiential Learning: Gain firsthand insights through hospital site visits, operating room observations, and interviews with medical device manufacturers and FDA regulators.
  6. Term Project Collaboration: Work in interdisciplinary teams to mirror real-world scenarios, balancing technical, legal, and regulatory considerations for a term paper on medical device cybersecurity.
  7. Technical Communication: In-class essay writing exercises combined with at-home editing will give students opportunities to learn how to convey complicated cybersecurity arguments in cogent, well-organized prose. This prepares them for reporting to future supervisors in the workplace and for future leadership roles in conveying technical subjects to hospitals, regulators, laypersons, and the public.

Requirements (CY 7790)

Graduate students enrolled in CY 7790 will undertake additional responsibilities, including:

Course Structure

Final Term Project

TBD for 2026

Required Texts and Resources

Policies and Expectations

Academic Integrity: All students must adhere to Northeastern’s academic integrity policy, including prohibitions on unauthorized testing on live systems and plagiarism.

Collaboration: Group work is required for the term project; however, individual assignments must reflect each student’s own understanding. Graduate students will mentor undergraduates by providing project feedback.

No remote learning: Because of the discussion-oriented nature and site-visit style of the course, there is no remote participation option. However, a student who misses a class is ultimately responsible and accountable for catching up on their own.

Respect for patients: Students will have the unique opportunity to observe patients in sensitive medical settings, such as surgical operating rooms. With this privilege comes the responsibility to uphold the highest standards of respect. Students are expected to prioritize safety by adhering to protocols (e.g., wearing provided scrubs, maintaining proper hygiene, and preparing adequately, such as eating enough protein to remain steady while standing for extended periods). Equally important is demonstrating respect for the culture of healthcare, recognizing that patients voluntarily allow their procedures to serve as valuable learning experiences.

Late Submissions: Students are allowed one penalty-free late pass per semester for an individual assignment. For additional late submissions, a 20% per day penalty will be applied. Note that term projects are not eligible for penalty-free late passes. For term projects, each day late (even by one minute past the deadline) will result in a full letter grade deduction.

Disability Accommodations: Students requiring accommodations should contact the Disability Resource Center and notify the instructor.