Skip to main content
close search
site logo
Dive Brief

Cyber playbook sets out strategies for modeling threats to medical devices

Published Dec. 1, 2021
By
Contributor
A single opened padlock glows red among rows of closed blue padlocks.
JuSun via Getty Images

Dive Brief:

  • MITRE and the Medical Device Innovation Consortium have published a playbook for threat modeling medical devices to strengthen cybersecurity and safety.
  • The FDA-backed guide is designed to help companies develop practices for recognizing and responding to cyber threats to their medical devices. MITRE and MDIC envision companies using the playbook as a basis for training and educating stakeholders on threat modeling.
  • FDA provided funding for the development of the playbook as part of its push to encourage the medtech industry to adopt threat modeling throughout the medical device lifecycle. The problem is that companies are often falling short when it comes to appropriate threat modeling and premarket testing needed to assess the adequacy of device security, according to agency officials.

Dive Insight:

The playbook arrives against a backdrop of calls from FDA for the medtech industry to step up threat modeling. At least two CDRH officials, Suzanne Schwartz and Kevin Fu, have spoken publicly in recent months about the need for medtech companies to establish better threat models. The playbook and the threat modeling bootcamps that preceded it are part of FDA's effort to help the industry rise to the challenge.

"Threat modeling has become a recognized cybersecurity best practice, both generally and in the medical device subsector specifically. However, threat modeling is complex, and involves a specialized set of knowledge and expertise," FDA said in announcing the release of the playbook.

Schwartz, director of CDRH's Office of Strategic Partnerships and Technology Innovation, told MedTech Dive in August that there has been "a real type of gap in terms of [medtechs] understanding what kinds of questions are appropriate to ask" in putting together sound threat models to avoid current cybersecurity vulnerabilities.   

Threat modeling boils down to asking four questions: What are we working on? What can go wrong? What are we going to do about it? Did we do a good enough job? Working through those questions can reveal cybersecurity weaknesses and inform design, development, testing and post-deployment decisions.

The playbook discusses methodologies medtech companies can use, either alone or in combination, to answer the questions at the heart of the threat modeling process. MITRE, a not-for-profit active in areas including cyber resilience, and MDIC opted against taking a prescriptive approach to threat modeling in the playbook, choosing instead to outline the values and principles that companies can use to develop their own practices.

Those values and principles are conveyed in a fictional example that forms the centerpiece of the playbook. In the section, MITRE and MDIC walk through possible approaches to the four key threat modeling questions using the example of an ankle monitor designed to predict a patient’s stroke risk.

The example provides a detailed overview of the device and associated infrastructure, explaining that it uses Bluetooth to share data with Apple and Android apps and ultimately with a cloud service. After establishing all the features and workflows, the playbook takes a deep dive into answering the four questions, covering topics such as the creation of data flow diagrams and the range of ways of identifying threats.

After discussing ways to answer the four questions, MITRE and MDIC provide an overview of the considerations for implementing threat modeling and then end the playbook with two more fictional examples, both of which also describe stroke devices. 

Editors' picks

Company Announcements

View all | Post a press release
SYNDEO Medical Announces European MDR Approval for Two Product Brands
From SYNDEO Medical
November 06, 2024
Echosens Launches its Liver Health Management (LHM) Platform Globally, Streamlining Liver Care
From Echosens
November 04, 2024
Lunit Shows Promise of AI in Predicting Immunotherapy Response for Rare Cancer Patients at SIT…
From Lunit
November 10, 2024
Arsenal Medical Launches EMBO-02 Study for NeoCast™ to Assess Treatment of Chronic Subdural He…
From Arsenal Medical
November 14, 2024
Editors' picks
Latest in Digital Health
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell