This article introduces risk-oriented medical cybersecurity. We start with a combined security and safety life cycle for medical products and services, built upon Medical SPICE. Starting from a connected TARA (Threat and Risk Analysis) and HARA (Hazard and Risk Analysis), we converge on security requirements that harden the safety requirements, and thus provide best practices for security engineering. For verification and validation, we investigate static code analysis as well as specific testing such as fuzzing and penetration testing for medical devices. We show hands-on examples based on the COMPASS SecurityCheck and the directly connected grey-box PenTesting. The presentation provides hands-on examples and introduces a hands-on TARA and the related PenTest activity.