With cybersecurity increasingly becoming a focus of regulatory concern, both medical device manufacturers and regulators are facing another challenge: how to establish, and also demonstrate, that the devices are also secure. This paper outlines an approach to constructing assurance cases to capture assumptions about the attacker by 1) identifying the hazards of interest to attacker; 2) identifying attack surfaces; 3) enumerating vulnerabilities and attack scenarios; and 4) ranking attack scenarios on the basis of a risk model. Introducing the security considerations early in the design cycle, we can better integrate security with existing engineering processes to yield documents that both improve the engineering processes and are acceptable for regulatory oversight.