IoMT Risk Education Platform — v3.0

Digital
First
Responder
Lab

Where connected medical systems and AI actually fail — not in theory, but in the moment when the decision still has to be made. Built from 28 years of clinical reality and lived device dependency.

9
Failure Scenarios
0
Hypothetical Cases
28+
Years Clinical Experience
6+
Frameworks Mapped
Health Technology Education — Student Edition

Can You
Keep the
Patient
Safe?

Hospitals and homes are full of connected devices that keep people alive. What happens when those devices fail — or get hacked? Explore real scenarios and make real decisions.

3
Real Scenarios to Explore
4
Choices Per Scenario
Things to Learn
Scroll to explore
Core Philosophy

Welcome, Future Health Tech Defenders 👋

This lab was built by Ms. Chaunda — a real healthcare cybersecurity consultant who spent 28 years working in emergency rooms, and who also depends on connected medical devices every single day to stay healthy. The scenarios you're about to explore are REAL situations. Your job is to think like both a clinician and a security analyst. Are you ready?

At 2am in the ER, I'm not waiting on a dashboard. Healthcare doesn't pause for data validation. Our security frameworks need to stop assuming it does.

Imagine you're a nurse at 2am. A patient needs help right now. You don't have time to wait for a computer to tell you what to do. You have to make a decision in seconds. That's why health technology security matters — people's lives depend on it working correctly.

Most healthcare cybersecurity focuses on protecting data. This lab focuses on what happens when the technology keeping a person alive fails — in real time, under real conditions, with real consequences that no framework fully accounts for.

I teach it. I live it. I build it. I'm learning how attackers see it — so I can defend it better than anyone who only knows one side. This is how I protect my patients. My devices. Myself.

First — What Are Connected Medical Devices?

🫁
Oxygen Concentrators
Machines that pull oxygen from the air and deliver it to patients who can't breathe well on their own. Some connect to WiFi so doctors can check on them remotely.
💉
Infusion Pumps
Devices that deliver medication directly into a patient's bloodstream at a precise rate. Many are now connected to hospital networks — which means they can be hacked.
🧠
AI Decision Systems
Computer programs that help doctors and nurses make decisions by analyzing patient data. But what happens when the AI gets it wrong?
Wearable Monitors
Smartwatches and fitness trackers that measure heart rate, oxygen levels, and sleep. Some hospitals use this data to make medical decisions.
😴
CPAP Machines
Devices that help people breathe while they sleep. Modern CPAPs connect to the internet and can receive software updates remotely — just like your phone.
🏥
Hospital Networks
All of these devices connect to hospital WiFi networks. If a hacker gets into the network, they could potentially reach every connected device in the building.
Failure Scenarios Real-World Scenarios — Click to Explore
01 / SCENARIO
Silent Battery Failure
Portable O₂ Concentrator
Critical

Battery indicator reports full charge. Device loses power within minutes. No backup source. Power infrastructure unstable.

A machine that helps someone breathe says its battery is full — but it's not. When the power goes out, the machine stops working after less than 3 minutes. The person has no backup. What should happen? What went wrong?

🫁 About This Device

A portable oxygen concentrator is a machine about the size of a small backpack that pulls oxygen from the air and delivers it through a tube to someone who needs help breathing. People with lung conditions like pulmonary hypertension (PAH) depend on these 24/7. The device this scenario is based on? It's real — and it belongs to the person who built this lab.

What Went Wrong — Step by Step

1
False state reporting. Battery shows full. Actual runtime: 2–3 minutes.
The battery lied. It said it was full, but it was actually almost dead. The device had no way to warn the patient.
2
No verification protocol. Patient trusts the indicator. No alert threshold configured.
There was no system to double-check the battery or send an alert. The patient had to trust what the screen said.
3
Power outage occurs. Grid failure. AC disconnected.
A storm knocked out the electricity. The device switched to battery — which only lasted about 2 minutes.
4
No backup exists. No second device. No escalation path.
There was no backup oxygen tank and no second device. The patient was completely without oxygen.
5
Oxygen deprivation begins silently. PAH + hypoxia. Cascading failure.
Without oxygen, the patient's condition got worse quickly — and because it happened at night, no one knew right away.

Framework Gaps

NIST 800-53 SI-13 NIST AI RMF MANAGE 2.2 HIPAA §164.310(a)(2)(i) FDA 21 CFR Part 820 IEC 62443-4-2 CR 3.1 Home Care Redundancy Gap

Think About It

If this were a smartphone, we'd expect a low battery warning at 20%, 10%, and 5%. Why don't life-critical medical devices have the same protections? This is a design problem — and it's something the healthcare technology industry needs to fix.

What Should Exist

Real-time battery health telemetry with verified discharge testing. Mandatory backup protocols for single-source oxygen-dependent patients. Infrastructure dependency mapping for high-risk home medical devices. Emergency registry enrollment at local utility and fire department level.

The device should send a real warning when battery health is low — not just show a number. Patients who depend on oxygen 24/7 should always have a backup plan. Local fire departments should know which homes have oxygen-dependent patients so they can help during power outages. These are simple fixes that could save lives.

Expanded Resource — Coming Soon
The Secondary Failure Chain: Access, Equity & Power Resilience — how insurance gaps, financial friction, and infrastructure dependency compound device failure risk for home-dependent patients.
02 / SCENARIO
AI Triage Override
Emergency Department
Critical

AI triage scores patient low acuity. Clinician overrides based on observation. System flags the override as anomalous.

A computer program says a patient isn't very sick. But the nurse can see with her own eyes that something is wrong. She overrides the computer — and turns out to be right. But then the computer marks her decision as a mistake. Who was actually wrong?

🧠 About AI Triage Systems

Hospitals use AI programs to help decide which patients need care the fastest. The AI reads information from computers — like test results and symptoms typed in. But it can't see what a trained nurse sees: the color of someone's skin, how hard they're working to breathe, or whether they look scared. That's called clinical intuition — and it takes years to develop.

What Went Wrong — Step by Step

1
Model scores low risk. Misses nonverbal cues: skin color, work of breathing, diaphoresis.
The AI said the patient was fine — but it couldn't see that the patient was pale, sweating, and struggling to breathe. Those aren't things you can type into a computer.
2
Clinician escalates immediately. Patient is actually critical.
The nurse trusted what she saw with her own eyes and got the patient help right away. The patient was actually very sick.
3
System flags override as deviation. Algorithm treats expert judgment as error.
The computer marked the nurse's decision as a "mistake" — even though she was right and the computer was wrong.
4
Override used for retraining. Model learns wrong lesson.
The computer used the nurse's correct decision to "learn" — but it learned the wrong lesson, making it worse at catching sick patients in the future.

Framework Gaps

NIST AI RMF GOVERN 1.1 NIST AI RMF MAP 3.5 FDA AI/ML Action Plan ONC HTI-1 Rule Human Oversight Gap

Big Question

Should a computer ever be able to overrule a trained medical professional? What should the relationship between AI and human experts look like in healthcare? There's no perfect answer — but it's one of the most important questions in health technology right now.

What Should Exist

Override logging that distinguishes expert judgment from error. Model retraining governance requiring human review. Mandatory human-in-the-loop thresholds for high-acuity clinical AI. Regular red-team exercises against experienced clinician baseline.

The computer should recognize when an experienced nurse overrides its decision and treat that as valuable information — not a mistake. AI in healthcare should always support human experts, never replace them. A nurse's eyes and instincts are data too.

03 / SCENARIO
Infusion Pump
Network Compromise
High

Networked pump receives unauthorized parameter update during active medication delivery. Nurse managing four other patients simultaneously.

A hacker gets into the hospital's network and changes the settings on a machine that's giving a patient medicine. The nurse is too busy to notice right away. This is how a cyberattack can directly hurt a patient.

💉 About Infusion Pumps

An infusion pump delivers medicine directly into a patient's bloodstream at a very precise rate — sometimes drop by drop. Getting the rate wrong by even a small amount can be dangerous. Modern pumps connect to hospital networks so nurses can update medication settings from a central station. That convenience also creates a security risk.

What Went Wrong — Step by Step

1
Pump on clinical network. Update mechanism lacks authentication. Lateral movement from prior breach.
The pump was connected to the hospital's network, but there was no good security checking who was allowed to change its settings.
2
Unauthorized parameter pushed. Change within acceptable range. No alarm fires.
A hacker changed how fast the medicine was being delivered. The change was small enough that the alarm didn't go off.
3
Nurse managing four patients. Visual check interval 20+ minutes.
The nurse was taking care of four other patients at the same time. She couldn't check on this patient for over 20 minutes.
4
Wrong dose delivered over time. Subtle deterioration.
By the time anyone noticed, the patient had been getting the wrong amount of medicine for a long time.

Framework Gaps

NIST 800-82 Rev 3 FDA Cyber Guidance 2023 HIPAA §164.312(b) IEC 80001-1 Network Segmentation Gap

Connect the Dots

This is why cybersecurity in healthcare isn't just about protecting private information — it's about protecting people's lives. A hacker who gets into a hospital network isn't just stealing data. They could potentially change how medicine is delivered to patients. That's why health technology security is one of the most important fields you could choose as a career.

What Should Exist

Mutual TLS authentication for all pump updates. Real-time anomaly detection on rate changes. Clinical workflow-aware alerting. Mandatory FDA MedWatch reporting integration.

The pump should require a verified password or key before anyone — or any computer — can change its settings. Any change should immediately alert the nurse at the bedside, not just log it somewhere. Medical devices connected to networks should be treated like the life-critical systems they are.

04 / SCENARIO
OSINT Recon on
Hospital Infrastructure
High

Before attackers touch a network, they watch it. What they find in 30 minutes would surprise most security teams.

In Development
05 / SCENARIO
Wearable Data Spoofing
Athlete & Patient Dual Perspective
High

Your Apple Watch says you're fine. The clinical system believes it. The coach clears you to play. You are not fine. Two perspectives — the clinician receiving spoofed data, and the patient whose data is being manipulated — same failure, different stakes.

Smartwatches and fitness trackers measure your heart rate, oxygen levels, and activity. But what if someone could fake that data? What if your watch said your heart rate was normal when it wasn't? What decisions would get made based on wrong information?

⌚ About Wearable Health Devices

Consumer wearables like the Apple Watch now include medical-grade sensors — ECG, blood oxygen (SpO2), heart rate variability, fall detection, and irregular rhythm notifications. These devices are increasingly used in clinical decision-making, athlete performance monitoring, remote patient monitoring programs, and insurance wellness programs. The data they generate is trusted. That trust is the attack surface.

Failure Chain — Perspective 1: The Clinician

1
Patient enrolled in remote monitoring program. Apple Watch syncs health data to EHR via HealthKit integration. Clinician reviews wearable data between appointments.
The patient wears their Apple Watch every day and it automatically sends health data to their doctor. The doctor uses this data to make decisions about their care.
2
Data transmission intercepted or application layer compromised. Spoofed biometric values injected — falsely normal heart rate, falsely normal SpO2. Clinician receives clean data.
An attacker intercepts the data being sent and replaces it with fake normal numbers. The doctor receives data that looks perfectly healthy.
3
Clinical decision made on false baseline. Medication dosage adjusted downward based on "improving" data. Follow-up appointment deferred. Warning signs masked.
Based on the fake data, the doctor decides the patient is doing better. They reduce medication and push back the next appointment. But the patient hasn't actually improved.
4
Patient deteriorates without clinical awareness. Real condition worsening. No alert fires. Next appointment is 6 weeks out. Emergency presentation follows.
The patient keeps getting worse. But the doctor doesn't know because the data looks fine. Six weeks later, the patient ends up in the emergency room.

Failure Chain — Perspective 2: The Athlete

1
Elite athlete uses wearable for performance and health monitoring. Data feeds team health management system. Clearance decisions based on biometric thresholds.
A college or professional athlete wears a health tracker. Their coach and team doctor use the data to decide if they're healthy enough to play.
2
Wearable data spoofed to show false fitness. Heart rate variability artificially elevated. Recovery metrics falsified. System clears athlete for full competition.
The wearable data is manipulated to make it look like the athlete is fully recovered. The system automatically clears them to compete — even though they're not ready.
3
Athlete competes while physiologically compromised. Underlying cardiac stress undetected. Performance system sees no red flags. No human override occurs.
The athlete plays while their body isn't ready. No alarm goes off. No one stops them. The technology said they were fine.
4
Cardiac event during competition. Sudden cardiac arrest during high-intensity performance. Spoofed data masked the warning signs that should have kept this athlete off the field.
The athlete collapses during the game. The data that should have protected them was manipulated. Technology that was supposed to save lives contributed to the harm.

Framework Gaps

FDA Digital Health Policy (Consumer Wearables) NIST AI RMF MAP 3.5 HIPAA §164.312 (Transmission Security) No Wearable Data Integrity Standard HealthKit API Security Gap Sports Medicine Technology Gap Consumer Device → Clinical Use Boundary Gap

What Should Exist

Data integrity verification at every point in the wearable-to-EHR pipeline — not just transmission encryption, but authenticity verification of the data itself. Clear regulatory boundaries on when consumer wearable data can be used for clinical decision-making. Anomaly detection that compares wearable data against in-person vitals to flag statistical improbability. Sports medicine protocols that require human clinical confirmation before automated clearance decisions. The gap between consumer wellness device and clinical medical device is where attackers live — and no current framework addresses it adequately.

Any data used to make medical decisions needs to be verified as real — not just transmitted securely, but confirmed as authentic. A doctor or athletic trainer should never rely solely on wearable data without a human check. Consumer devices like Apple Watches are not regulated as medical devices — but they're increasingly used to make medical decisions. That gap needs to be closed. This is a career opportunity for the next generation of health technology professionals.

06 / SCENARIO
Ransomware in the ER
The 2am Decision
Critical

The EHR is locked. The patient is crashing. 90 seconds. No medication history. This is not a drill.

In Development
07 / SCENARIO
CPAP Firmware Vulnerability
ResMed AirSense 11
Critical

Connected to the internet. Receives automatic firmware updates via the myAir remote monitoring platform. Documented CVEs exist on this exact device. The patient depending on it is also the analyst who built this lab.

A CPAP machine that helps someone breathe at night connects to the internet to send sleep data to doctors. But that same connection can also receive software updates — and if an attacker gets into that channel, they could change how the device works while the patient is asleep.

😴 About This Device

The ResMed AirSense 11 AutoSet is a CPAP machine that connects to ResMed's myAir cloud platform via cellular or WiFi. It transmits nightly sleep therapy data and can receive remote configuration changes from clinicians. It also receives automatic firmware updates. This scenario is built from the actual device used by the person who created this lab — and from documented vulnerability research on the ResMed connected device ecosystem.

Failure Chain

1
Device connected to myAir cloud platform. Cellular modem embedded in device. Remote monitoring active. Automatic firmware update channel open.
The CPAP connects to the internet every night to send sleep data. That same connection can receive updates — like a phone getting a software update while you sleep.
2
Firmware update channel lacks robust authentication. Documented CVEs on ResMed connected device ecosystem. Update accepted without patient notification or consent.
Researchers have found security weaknesses in how ResMed devices accept updates. An attacker who exploits this could push a fake update — and the device would accept it silently.
3
Malicious firmware pushed during sleep window. Patient asleep. No awareness. Device behavior altered silently — pressure settings, therapy modes, or alarm thresholds.
The attack happens at 2am while the patient is asleep. The device quietly changes how it works. No alarm. No notification. The patient has no idea.
4
Therapy degraded without clinical detection. myAir data still transmits. Clinician sees normal-looking data. Patient experiences poor sleep, oxygen desaturation, or untreated apnea events.
The sleep data being sent to the doctor looks normal — but the therapy the patient is actually receiving has changed. The doctor has no idea anything is wrong.
5
PAH patient with compromised nightly therapy. For a pulmonary hypertension patient, degraded CPAP therapy during sleep directly impacts cardiovascular strain, oxygen saturation, and daytime function.
For someone with a serious lung condition like pulmonary hypertension, even one night of wrong therapy can cause real health consequences the next day — and over time, the damage adds up.

Framework Gaps

FDA Cybersecurity Guidance 2023 IEC 62443-4-2 CR 3.4 NIST 800-53 SI-7 (Software Integrity) NIST 800-53 SA-10 (Developer Config Mgmt) HIPAA §164.312(a)(2)(iv) No Patient Consent Standard for Remote Updates Home Device Monitoring Gap

The Personal Connection

The person who built this lab uses a ResMed AirSense 11 every night. She also has a condition called pulmonary hypertension that makes breathing more difficult. This scenario isn't theoretical — it's personal. That's what makes healthcare cybersecurity different from any other type of security work.

What Should Exist

Mandatory patient notification and consent before any remote firmware update on a home medical device. Cryptographic code signing with independent verification before update acceptance. Anomaly detection on therapy parameter changes post-update. FDA-mandated Software Bill of Materials (SBOM) for all connected home medical devices. Patient-accessible audit log of all remote device interactions. These protections do not currently exist as enforceable standards for home CPAP devices.

Before any medical device gets a software update while a patient is using it, the patient should be notified and should agree to the update — just like how your phone asks you before installing updates. The update should be verified as coming from the real manufacturer. And any changes to how the device works should be flagged to the patient's doctor immediately.

08 / SCENARIO
Dementia Home Health
Technology Failure Chain
Critical

A cognitively impaired patient living at home relies on a connected ecosystem of smart sensors, GPS tracking, automated medication dispensers, and telehealth platforms. Each device is a lifeline. Each connection is a potential failure point. The patient cannot self-advocate when the system fails.

As health technology improves, more people with memory conditions like Alzheimer's and dementia can live at home longer — with the help of connected devices. But what happens when those devices fail, get hacked, or just stop working? The patient often can't tell anyone something is wrong.

🧠 The Connected Dementia Care Ecosystem

According to the 2025 WHO report on dementia and digital health, AI-powered diagnostic tools, smart home monitoring sensors, GPS tracking devices, telehealth platforms, cognitive aid applications, automated medication dispensers, and robotic companion devices are now core components of modern dementia home care. These technologies reduce caregiver burnout, lower emergency visits, and allow patients to live safely at home longer. They are also almost entirely unsecured from a cybersecurity standpoint.

Failure Chain

1
Ecosystem dependency established. Smart home sensors monitor movement and activity. GPS tracker provides location. Automated dispenser manages medications. Telehealth platform connects to specialists remotely. All connected. All networked. None secured.
The patient's whole safety system runs on connected devices. Smart sensors detect if they've fallen. GPS shows where they are. A machine gives them their medications at the right time. A tablet connects them to their doctor. All of it runs on WiFi.
2
Single network compromise cascades across all devices. Home router exploited. Attacker gains access to entire connected care ecosystem. Sensor data manipulated. Medication dispenser schedule altered. GPS location data spoofed.
If a hacker gets into the home WiFi network, they can reach every device at once. They could make the sensors say the patient is fine when they're not. They could change the medication schedule. They could make the GPS show the wrong location.
3
Patient cannot self-report the failure. Short-term memory impairment means the patient cannot recognize, remember, or communicate that devices are behaving abnormally. No self-advocacy. No internal alarm system.
Unlike most patients, someone with dementia may not realize something is wrong — or may forget to tell someone even if they do notice. They can't be their own backup system.
4
Remote caregiver receives false normal data. Family member or remote care coordinator sees clean dashboards. No alerts. No anomalies. No reason to intervene. Patient is in danger with no visible signal.
The family members checking in remotely see everything looks fine — because the devices are showing false data. They have no reason to worry. But the patient may be in danger.
5
Delayed detection. Preventable harm. Fall not detected. Medication missed or doubled. Wandering event not caught. Telehealth appointment missed. Every failure compounds. Every hour of delay increases risk of irreversible harm.
By the time someone realizes something is wrong, it may have been hours. A fall that wasn't detected. A medication that wasn't given — or was given twice. A patient who wandered and whose GPS said they were home.

Framework Gaps

FDA Digital Health Policy (Home Devices) NIST 800-53 SC-3 (Security Function Isolation) HIPAA §164.308 (Admin Safeguards) NIST AI RMF GOVERN 6.1 No Home IoMT Security Standard Caregiver Alert Integrity Gap WHO 2025 Digital Dementia Care Gap Vulnerable Population Protection Gap

Why This Matters

According to the WHO, over 55 million people worldwide live with dementia. As health technology allows more of them to live at home independently, the security of those technologies becomes a matter of life and safety. This is one of the most important unsolved problems in healthcare cybersecurity today — and almost nobody is working on it.

What Should Exist

A dedicated security framework for connected home care ecosystems serving cognitively impaired patients — distinct from hospital IoMT frameworks because the patient cannot self-advocate. Mandatory network segmentation between home care devices and general household WiFi. Caregiver alert integrity verification — dashboards must confirm data authenticity, not just data presence. AI anomaly detection trained specifically on dementia patient behavioral patterns. Regulatory classification of dementia home care technology ecosystems as life-critical infrastructure. The 2025 WHO report on digital dementia care identified telehealth and connected monitoring as transformative — but makes no mention of cybersecurity. That gap is the problem.

Home care devices for people with dementia need their own security rules — separate from hospital rules — because the patient can't tell anyone when something goes wrong. Family members and remote caregivers need to know when device data might not be trustworthy. And the companies building these devices need to design security in from the beginning, not add it later. Right now, very few people are working on this problem. That could be you.

09 / SCENARIO
CGM Signal Compromise
Dexcom G7
Critical

A compromised continuous glucose monitor transmits falsely normal readings. An endocrinologist makes an insulin dosing decision on manipulated data. The patient never knew the signal was wrong.

Coming Fall 2026
Decision Mode Your Turn — Make the Call

You Are The Responder.

What Would You Do?

Select a scenario — read the situation — make the call.

Read the situation carefully. Pick the best response. Learn from every answer.

0
Correct Decisions
Your Response
Healthcare Ransomware Intelligence

Healthcare Ransomware
Incident Tracker

Real incidents. Real patient impact. Real framework gaps. Ransomware attacks on hospitals are attacks on human life — not just data.

● LIVE INTELLIGENCE
Updated: May 19, 2026
⚠ 6 NEW BREACHES ADDED TODAY
Source: HHS OCR + SecurityWeek
Organization Date Attack Vector Patient Impact Recovery Framework Gap Severity
NOTE: All incidents sourced from public disclosures, HHS breach portal, and verified media reporting. This tracker is an educational resource. Every incident here represents patients whose care was disrupted. Ransomware attacks on healthcare organizations are attacks on human life.
Career Pathways Your Future in Health Technology

Careers That
Protect People

Healthcare cybersecurity is one of the fastest-growing and most underpopulated fields in security. These are the roles that sit at the intersection of clinical knowledge and technical skill — where the real work happens.

Did you know you can have a career that combines healthcare, technology, and protecting people — all at the same time? These are real jobs that real people do every day to keep hospitals safe and patients protected. Which one sounds like you?

🛡️
Healthcare Cybersecurity Analyst
$85K – $130K / year
Great paying career
Monitors hospital networks, investigates security incidents, and ensures medical devices and systems are protected from threats.
This person watches over hospital computer systems and devices to make sure hackers can't get in. They're like a security guard — but for technology.
Network Security HIPAA Incident Response IoMT
🏥
Clinical Informatics Specialist
$80K – $120K / year
Great paying career
Bridges clinical workflows and health IT systems. Ensures electronic health records and clinical technology work safely and effectively for patient care.
This person makes sure that computer systems in hospitals work well for doctors and nurses. They understand both medicine AND technology.
EHR Systems Clinical Workflows Health IT
🔬
Biomedical Technology Engineer
$75K – $115K / year
Great paying career
Manages and secures medical devices throughout a healthcare organization. Responsible for device inventory, vulnerability assessment, and lifecycle management.
This person takes care of all the medical devices in a hospital — making sure they work correctly, are safe, and can't be hacked.
Medical Devices FDA Compliance Vulnerability Mgmt
🤖
Healthcare AI Risk Analyst
$100K – $160K / year
One of the fastest growing careers
Evaluates AI systems used in clinical settings for bias, safety, and reliability. Ensures AI tools meet regulatory requirements and don't harm patients.
As hospitals use more AI to help doctors make decisions, someone needs to make sure those AI systems are fair, accurate, and safe. This is one of the newest and most exciting jobs in health technology.
NIST AI RMF AI Governance Clinical AI Risk Assessment
🚨
Digital First Responder
$120K – $200K+ / year
Elite career — combines clinical + cyber
The rarest role in healthcare security — someone who understands both clinical emergency response and cyber incident response. Built from experience on both sides of a crisis.
This is the rarest and most powerful combination in healthcare technology — someone who has worked in emergency medicine AND cybersecurity. They respond to both physical medical emergencies and cyber emergencies in hospitals.
Clinical Experience Incident Response IoMT Security Leadership
📚
Health Tech Educator
$60K – $95K / year
Incredibly rewarding career
Teaches the next generation of healthcare technology professionals. Bridges academic knowledge and real-world clinical and security experience.
This person teaches others — students like you — about health technology, cybersecurity, and how to protect patients. They make sure the next generation of health tech professionals is ready.
Curriculum Design Health IT Mentoring Communication

How Do You Get There From Here?

Right Now (Middle School)

Take health classes seriously. Learn basic coding (Scratch, Python). Explore biology and computer science. Ask questions about how technology works.

High School

AP Computer Science. Biology and health science courses. Cybersecurity clubs and competitions (CyberPatriot). Volunteer at hospitals or clinics to understand the environment.

College & Beyond

Health Informatics, Cybersecurity, or Biomedical Engineering degrees. Internships at hospitals or health tech companies. Certifications like CompTIA Security+ and HCISPP.

About This Lab

Built from
Lived
Reality.

This lab was created by Chaunda C. Dallas, MSIT — healthcare cybersecurity consultant, IoMT risk specialist, and clinical emergency medicine professional with 28+ years of direct patient care across ER, interventional radiology, hyperbarics, and pediatric care.

The scenarios here are not theoretical. They are built from the intersection of clinical expertise and daily device dependency — managing pulmonary hypertension on a portable oxygen concentrator, with a CPAP connected to the internet, and no insurance safety net.

Featured Defender in the Semperis documentary 'Midnight in the War Room' — premiering at Black Hat USA 2026.

Ms. Chaunda teaches health technology to middle school students, mentors 200+ women in cybersecurity through WiCyS, and will be featured in a documentary about hospital ransomware attacks at Black Hat USA 2026 — one of the biggest cybersecurity conferences in the world.

MS Information Technology / Cybersecurity — Kennesaw State University
Healthcare Cybersecurity Consultant | Chaunda C. Dallas LLC
CAGE: 18D81 | UEI: KV2BR8QU36J7 | SAM.gov Registered
WiCyS Technical Mentor — 3rd Consecutive Year (2026)
Featured on Halcyon 'Last Month in Security' Podcast
Featured Defender — Semperis 'Midnight in the War Room' | Black Hat USA 2026
Biohacking Village Volunteer | WiSP DEF CON Lead Liaison
Semperis HIP Conference — Nashville, TN | September 2026
chaunda@cyberaio.com | chaundacdallas.com
28+
Years Clinical Emergency Medicine
9
IoMT Failure Scenarios (v3.0)
200+
Women Mentored Through WiCyS
0
Hypothetical Scenarios — All Built from Reality
6+
Regulatory Frameworks Per Scenario
Key Resources Learn More
FDA Guidance
Cybersecurity in Medical Devices
FDA's 2023 guidance on cybersecurity requirements for medical device submissions. The baseline for IoMT security compliance.
The US government's rules for making sure medical devices are safe from hackers. Every device that connects to a network needs to follow these guidelines.
FDA.gov →
NIST Framework
AI Risk Management Framework
NIST AI RMF 1.0 — governance framework for trustworthy AI. Directly applicable to clinical AI decision support tools.
A framework that helps organizations make sure their AI systems are safe, fair, and trustworthy — especially important when AI is used in healthcare.
NIST AIRC →
HHS Resource
405(d) Cyber Performance Goals
HHS Healthcare Cybersecurity Performance Goals — the healthcare-specific security baseline from the federal government.
The US Department of Health and Human Services' guide to what every hospital should do to protect itself from cyberattacks.
405d.HHS.gov →
Threat Intelligence
HHS Breach Portal
Official HHS portal tracking healthcare data breaches affecting 500+ individuals. Primary source for incident intelligence.
A public database of every major healthcare data breach in the US. You can see which hospitals were attacked and how many patients were affected.
HHS OCR Portal →
For Students
CyberPatriot Program
National youth cyber education program. Entry point for students pursuing cybersecurity careers.
A national competition for middle and high school students to learn cybersecurity skills by defending virtual computer networks. This is a great way to start your cybersecurity journey.
CyberPatriot →
Community
Women in CyberSecurity (WiCyS)
Primary community for women in cybersecurity. Scholarships, mentoring, and career development resources.
An organization dedicated to bringing more women into cybersecurity careers. Offers scholarships, mentoring, and community for women at every stage of their journey.
WiCyS.org →