Michael Rushanan, Armatyr
Medical device security differs from traditional security in one important way: when it fails, patient safety can be at risk. Regulators around the world have responded with policies, requirements, and frameworks intended to drive secure-by-design development. However, regulatory frameworks rely heavily on manufacturer risk assessments. As a result, the quality of the underlying security reasoning becomes critical.
This talk presents real-world case studies of security decisions shaped by familiar justifications, including "competitors are doing less," "previous products shipped without incident," and "physical access makes security irrelevant." These decisions result in flawed risk management, weak cryptographic designs, and avoidable vulnerabilities. To illustrate how these decisions emerge in practice, each case study describes the technical issue, stakeholder dynamics, and outcome. It also discusses penetration-testing findings, regulatory feedback, and practical remediation approaches.
Dr. Michael Rushanan is a medical device cybersecurity researcher, consultant, and educator with more than two decades of experience in security engineering, risk management, and applied cryptography. He is the Co-Founder of Armatyr and previously spent 11 years as Chief Scientist at Harbor Labs, helping manufacturers build and evaluate the security of medical devices. Dr. Rushanan is also a Fellow at Harbor Experts and a Lecturer in Computer Science at Johns Hopkins University. He teaches Medical Device Cybersecurity (MDC), a course he designed to address the need for applied education in the field. Dr. Rushanan also directs federal cybersecurity efforts for the U.S. FDA, HHS, and DOJ, and has provided expert testimony on the security of health and medical systems.
