- MITRE and the Medical Device Innovation Consortium have published a playbook for threat modeling medical devices to strengthen cybersecurity and safety.
- The FDA-backed guide is designed to help companies develop practices for recognizing and responding to cyber threats to their medical devices. MITRE and MDIC envision companies using the playbook as a basis for training and educating stakeholders on threat modeling.
- FDA provided funding for the development of the playbook as part of its push to encourage the medtech industry to adopt threat modeling throughout the medical device lifecycle. According to agency officials, companies often fall short on the appropriate threat modeling and premarket testing needed to assess the adequacy of device security.
The playbook arrives against a backdrop of calls from FDA for the medtech industry to step up threat modeling. At least two CDRH officials, Suzanne Schwartz and Kevin Fu, have spoken publicly in recent months about the need for medtech companies to establish better threat models. The playbook and the threat modeling bootcamps that preceded it are part of FDA's effort to help the industry rise to the challenge.
"Threat modeling has become a recognized cybersecurity best practice, both generally and in the medical device subsector specifically. However, threat modeling is complex, and involves a specialized set of knowledge and expertise," FDA said in announcing the release of the playbook.
Schwartz, director of CDRH's Office of Strategic Partnerships and Technology Innovation, told MedTech Dive in August that there has been "a real type of gap in terms of [medtechs] understanding what kinds of questions are appropriate to ask" in putting together sound threat models to avoid current cybersecurity vulnerabilities.
Threat modeling boils down to asking four questions: What are we working on? What can go wrong? What are we going to do about it? Did we do a good enough job? Working through those questions can reveal cybersecurity weaknesses and inform design, development, testing and post-deployment decisions.
The playbook discusses methodologies medtech companies can use, either alone or in combination, to answer the questions at the heart of the threat modeling process. MITRE, a not-for-profit active in areas including cyber resilience, and MDIC opted against taking a prescriptive approach to threat modeling in the playbook, choosing instead to outline the values and principles that companies can use to develop their own practices.
Those values and principles are conveyed in a fictional example that forms the centerpiece of the playbook. In that section, MITRE and MDIC walk through possible approaches to the four key threat modeling questions using the example of an ankle monitor designed to predict a patient’s stroke risk.
The example provides a detailed overview of the device and associated infrastructure, explaining that it uses Bluetooth to share data with Apple and Android apps and ultimately with a cloud service. After establishing all the features and workflows, the playbook takes a deep dive into answering the four questions, covering topics such as the creation of data flow diagrams and the range of ways of identifying threats.
After discussing ways to answer the four questions, MITRE and MDIC provide an overview of the considerations for implementing threat modeling and then end the playbook with two more fictional examples, both of which also describe stroke devices.