The rapid growth and anticipated future expansion of medical devices in healthcare bring with them an increase in cyber security risks. Current cyber security risk assessment methods use frameworks that are not frequently updated and are not specific to the healthcare sector. This study explored the feasibility of using MITRE ATT&CK in conjunction with the Manufacturer Disclosure Statement for Medical Device Security (MDS2) to evaluate the cyber risks of medical devices. MDS2 provides information about the security status of medical devices. Vulnerabilities identified by using MDS2 data were compared with the vulnerabilities identified by interrogating the CVE database. The threat intelligence information that can be generated via the use of MITRE ATT&CK can be customized to the field of healthcare. Relevant threats identified by the use of ATT&CK were compared with general threats identified via the STRIDE model. CVSS was used to calculate vulnerability severity scores. Patient safety was addressed by using the optional safety metric in CVSS 4.0. Lastly, risk scores were generated. The results of this research showed that this new method is an improvement over the previously published approaches. This new methodology has built-in mechanisms to keep it up to date when new cyber threat intelligence and new device security information are published. The incorporation of the safety metric highlighted vulnerabilities that would be of higher priority in a healthcare enterprise. This methodology will, therefore, help healthcare security teams meet the need to identify threats to the healthcare organization and to the organization's patients.
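As an added illustration of the safety-metric step described above (example code, not the paper's own method or tooling), the following Python parses CVSS 4.0 vector strings, reads the optional Safety (S) supplemental metric, and ranks device findings so that safety-relevant ones surface first. The device labels, CVE placeholders, base scores and the ranking rule (Safety=Present first, then numeric score) are assumptions; the base score is taken as already computed by a CVSS 4.0 calculator.

```python
# Added example (not the paper's code): parse CVSS 4.0 vectors, read the
# Safety (S) supplemental metric and rank findings; sample data is constructed.
BASE_METRICS = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")
SAFETY_VALUES = {"X": "Not Defined", "N": "Negligible", "P": "Present"}


def parse_cvss4(vector):
    """Split a CVSS:4.0 vector into {metric: value}, rejecting malformed input."""
    prefix, _, body = vector.partition("/")
    if prefix != "CVSS:4.0" or not body:
        raise ValueError(f"not a CVSS 4.0 vector: {vector!r}")
    metrics = {}
    for part in body.split("/"):
        key, sep, val = part.partition(":")
        if not sep or not val or key in metrics:
            raise ValueError(f"bad or duplicate metric {part!r}")
        metrics[key] = val
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    if metrics.get("S", "X") not in SAFETY_VALUES:
        raise ValueError(f"invalid Safety value {metrics['S']!r}")
    return metrics


def severity_rating(score):
    """CVSS 4.0 qualitative scale: None, Low, Medium, High, Critical."""
    for limit, label in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= limit:
            return label
    return "Critical"


def prioritise(findings):
    """Assumed rule: Safety=Present findings first, then base score descending.
    Each finding carries 'device', 'cve', 'base_score' and a CVSS 4.0 'vector'."""
    def key(f):
        return (parse_cvss4(f["vector"]).get("S", "X") != "P", -f["base_score"])
    return sorted(findings, key=key)


# Constructed findings; CVE ids are placeholders, not real entries.
SAMPLE = [
    {"device": "infusion pump", "cve": "CVE-XXXX-0001", "base_score": 9.3,
     "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:N"},
    {"device": "patient monitor", "cve": "CVE-XXXX-0002", "base_score": 7.1,
     "vector": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/S:P"},
    {"device": "imaging workstation", "cve": "CVE-XXXX-0003", "base_score": 5.3,
     "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},
]
```

With this rule the High-rated patient-monitor finding (S:P) outranks the Critical infusion-pump finding (S:N), which is the kind of reordering the abstract attributes to the safety metric.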
