Course Description
This interdisciplinary and experiential special topics course explores
the technical and regulatory aspects of medical device cybersecurity,
focusing on the unique challenges in securing operational technology
(OT) in healthcare systems—as opposed to traditional Information
Technology (IT). Students will study foundational concepts such as
embedded system security, FDA regulatory guidance, federal and
international law on medical device security, and resilience
engineering.
New for 2026: The course will also introduce students to
Whole-Hospital Simulators (WHS)—realistic testbeds that emulate
healthcare environments—and Vulnerability Mitigation Platforms
(VMPs), which safeguard medical devices and hospital networks.
Students will explore how these platforms enable system-level security
evaluation and experience a paradigm shift in medical device security
regulatory frameworks, moving evaluations from component-level
thinking about individual medical devices to whole-hospital system
thinking about oodles of interacting medical devices and more.
Through critical essay writing, case studies, site visits to hospitals
and operating rooms, interviews with medical device manufacturers, and
role-play debates involving FDA reviewers, students will develop
critical skills for careers in healthcare cybersecurity.
Target Audience:
- CY 4973: Undergraduates with interest in cybersecurity, medical device design, or patient safety.
- CY 7790: Graduate students in cybersecurity, computer engineering, bioengineering, computer science, electrical engineering, regulatory affairs, law, or related fields.
- For students unable to register via Banner because of missing prerequisites, please fill out this form by December 1 to request consideration of a waiver.
- Not already a student? Applications for the master's program are due December 1, 2025 for enrollment beginning January 2026 in Arlington, VA or Boston, MA. For other degree programs, see the BS, master's, or PhD application deadlines from the Khoury College of Computer Sciences or the College of Engineering.
Course Syllabus
Instructors:
Learning Objectives
- Technical Proficiency: Apply security assessment techniques such as threat modeling, fuzz testing, software bill of materials (SBOM) generation and ingestion, and resilience testing to medical devices.
- Regulatory Knowledge: Understand and navigate regulatory affairs for medical device security, including U.S. FDA and international standards.
- Incident Management Skills: Engage in a simulated cybersecurity recall, working directly with FDA reviewers and device industry professionals.
- Ethics: Explore the ethical and privacy implications of cybersecurity in healthcare, especially concerning patient safety.
- Experiential Learning: Gain firsthand insights through hospital site visits, operating room observations, and interviews with medical device manufacturers and FDA regulators.
- Term Project Collaboration: Work in interdisciplinary teams to mirror real-world scenarios, balancing technical, legal, and regulatory considerations for a term paper on medical device cybersecurity.
- Technical Communication: In-class essay writing exercises combined with at-home editing will give students opportunities to learn how to convey complicated cybersecurity arguments in cogent, well-organized prose. This prepares them for reporting to future supervisors in the workplace and for future leadership roles conveying technical subjects to hospitals, regulators, laypersons, and the public.
Course Structure
- Boston, MA (Northeastern campus at Ruggles)
- Arlington, VA (Rosslyn Metro Stop)
Final Term Project
- Final Term Project (40%)
- Individual Homework/Labs (40%)
- Mock cybersecurity recall debate (10%)
- Class Participation (10%)
Required Texts and Resources
- Open courseware readings provided on the course portal
Policies and Expectations
Academic Integrity: All students must adhere to Northeastern’s academic integrity policy, including prohibitions on unauthorized testing on live systems and plagiarism.
Collaboration: Group work is required for the term project; however, individual assignments must reflect each student’s own understanding. Graduate students will mentor undergraduates by providing project feedback.
AI: You must disclose your generative AI prompts as a form of “showing work” so we can assess that the original ideas are your own. Rule of Thumb: If AI use is invisible to us, you are likely safe. If we detect hallucinations or obvious AI artifacts, penalties will apply. Absolutely. Keenly.
No remote learning: Because of the discussion-oriented nature and site-visit style of the course, there is no remote participation option. If a student misses a class, the student is ultimately responsible and accountable for catching up on their own. Arlington, VA students will have real-time simulcast lectures and labs jointly held with the Boston students.
Respect for patients: Students will have the unique opportunity to observe patients in sensitive medical settings, such as surgical operating rooms. With this privilege comes the responsibility to uphold the highest standards of respect. Students are expected to prioritize safety by adhering to protocols (e.g., wearing provided scrubs, maintaining proper hygiene, and preparing adequately, such as eating enough protein to remain steady while standing for extended periods). Equally important is demonstrating respect for the culture of healthcare, recognizing that patients voluntarily allow their procedures to serve as valuable learning experiences.
Late Submissions: Students are allowed one penalty-free late pass per semester for an individual assignment. For additional late submissions, a 20% per day penalty will be applied. Note that term projects are not eligible for penalty-free late passes. For term projects, each day late (even by one minute past the deadline) will result in a full letter grade deduction.
Disability Accommodations: Students requiring accommodations should contact the Disability Resource Center and notify the instructor.