Course Description

This interdisciplinary and experiential special topics course explores the technical and regulatory aspects of medical device cybersecurity, focusing on the unique challenges in securing operational technology (OT) in healthcare systems—as opposed to traditional Information Technology (IT). Students will study foundational concepts such as embedded system security, FDA regulatory guidance, federal and international law on medical device security, and resilience engineering.

New for 2026: The course will also introduce students to Whole-Hospital Simulators (WHS)—realistic testbeds that emulate healthcare environments—and Vulnerability Mitigation Platforms (VMPs), which safeguard medical devices and hospital networks. Students will explore how these platforms enable system-level security evaluation, experience a paradigm shift in the medical device security regulatory frameworks to shift evaluations from component-level thinking of individual medical devices to whole-hospital system thinking of oodles of interacting medical devices and more.

Through critical essay writing, case studies, site visits to hospitals and operating rooms, interviews with medical device manufacturers, and role-play debates involving FDA reviewers, students will develop critical skills for careers in healthcare cybersecurity.

Target Audience:

• CY 4973: Undergraduates with interest in cybersecurity, medical device design, or patient safety.
• CY 7790: Graduate students in cybersecurity, computer engineering, bioengineering, computer science, electrical engineering, regulatory affairs, law, or related fields.
• For students unable to register via Banner because of missing prerequisites,
  please fill out this form by December 1 to request consideration of a waiver.
• Not already a student? Applications for the masters program are due December 1, 2025 for enrollment beginning January 2026 in Arlington, VA or Boston MA. For other degree programs, see the BS, masters, or PhD application deadlines from the Khoury College of Computer Sciences or the College of Engineering.

Course Syllabus

Instructors:

Prof. Kevin Fu, PhD, is Professor of Electrical & Computer Engineering, the Khoury College of Computer Sciences, and Bioengineering at Northeastern University. He leads research in analog cybersecurity, focusing on threats to the physics of computation and sensing, with work that has influenced medical device manufacturers, global regulators, and international safety standards. A widely published expert in medical device security, healthcare ransomware, automobile cybersecurity, RFID security, and web security, Dr. Fu previously served as Acting Director of Medical Device Cybersecurity at the U.S. FDA and Program Director for Cybersecurity at its Digital Health Center of Excellence. He has testified before Congress, co-chaired the AAMI cybersecurity working group to develop FDA-recognized consensus standards, and co-founded N95decon.org during the COVID-19 pandemic. He holds B.S., M.Eng., and Ph.D. degrees from MIT.

Axel Wirth is co-author of the Medical Device Cybersecurity textbook. He serves as Chief Security Strategist at Medcrypt where he focuses on cybersecurity in the healthcare industry. In addition to his industrial work, Axel teaches courses in medical device cybersecurity at universities and through AAMI training. Axel is committed to advancing the field by ensuring that medical devices are secure, and patients are safe. He holds a Master of Science in Engineering Management (MSEM) from The Gordon Institute of Tufts University and a Bachelor of Science in Electrical Engineering (BSEE) from Düsseldorf University of Applied Sciences.

Learning Objectives

1. Technical Proficiency: Apply security assessment techniques such as threat modeling, fuzz testing, software bill of materials (SBOM) generation and ingestion, and resilience testing to medical devices.
2. Regulatory Knowledge: Understand and navigate regulatory affairs for medical device security, including U.S. FDA and international standards.
3. Incident Management Skills: Engage in a simulated cybersecurity recall, working directly with FDA reviewers and device industry professionals.
4. Ethics: Explore the ethical and privacy implications of cybersecurity in healthcare, especially concerning patient safety.
5. Experiential Learning: Gain firsthand insights through hospital site visits, operating room observations, and interviews with medical device manufacturers and FDA regulators.
6. Term Project Collaboration: Work in interdisciplinary teams to mirror real-world scenarios, balancing technical, legal, and regulatory considerations for a term paper on medical device cybersecurity.
7. Technical Communication: In-class essay writing exercises combined with at-home editing will provide opportunities for students to learn how to convey complicated cybersecurity arguments with cogent and well organized prose to prepare them for skills needed in the workplace when reporting to future supervisors, as well as preparing students for future leadership roles in conveying technical subjects to hospitals, regulators, laypersons and the public.

Course Structure

• Boston, MA (Northeastern campus at Ruggles)
Jan 07, 2026 – Apr 19, 2026
Tue
11:45 AM – 1:25 PM
Dodge Hall 070
Lectures
Jan 07, 2026 – Apr 19, 2026
Thu
2:50 PM – 4:30 PM
Dodge Hall 070
Labs
• Arlington, VA (Rosslyn Metro Stop)
Jan 07, 2026 – Apr 19, 2026
Tue
11:45 AM – 1:25 PM
TBD
Lectures
Jan 07, 2026 – Apr 19, 2026
Thu
2:50 PM – 4:30 PM
TBD
Labs

Final Term Project

• Final Term Project (40%)
• Individual Homework/Labs (40%)
• Mock cybersecurity recall debate (10%)
• Class Participation (10%)

Required Texts and Resources

• Open courseware readings provided on the course portal

Policies and Expectations

Academic Integrity: All students must adhere to Northeastern’s academic integrity policy, including prohibitions on unauthorized testing on live systems and plagiarism.

Collaboration: Group work is required for the term project; however, individual assignments must reflect each student’s own understanding. Graduate students will mentor undergraduates by providing project feedback.

AI: You must disclose your generative AI prompts as a form of “showing work” so we can assess that the original ideas are your own. Rule of Thumb: If AI use is invisible to us, you are likely safe. If we detect hallucinations or obvious AI artifacts, penalties will apply. Absolutely. Keenly.

No remote learning: Because of the discussion oriented nature as well as site-visit style of the course, there is no remote participation option. However, if a student misses a class, the student is ultimately responsible and accountable for catching up on their own. Arlington, VA students will have real-time simulcast lectures and labs jointly held with the Boston students.

Respect for patients: Students will have the unique opportunity to observe patients in sensitive medical settings, such as surgical operating rooms. With this privilege comes the responsibility to uphold the highest standards of respect. Students are expected to prioritize safety by adhering to protocols (e.g., wearing provided scrubs, maintaining proper hygiene, and preparing adequately, such as eating enough protein to remain steady while standing for extended periods). Equally important is demonstrating respect for the culture of healthcare, recognizing that patients voluntarily allow their procedures to serve as valuable learning experiences.

Late Submissions: Students are allowed one penalty-free late pass per semester for an individual assignment. For additional late submissions, a 20% per day penalty will be applied. Note that term projects are not eligible for penalty-free late passes. For term projects, each day late (even by one minute past the deadline) will result in a full letter grade deduction.

Disability Accommodations: Students requiring accommodations should contact the Disability Resource Center and notify the instructor.