Threat Modeling for Medical Devices

Oct 21, 2024 | News

You’ve just realized that your medical device has a connection to the outside world and meets the definition of a cyber device per the FDA guidance “Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act.” As the initial shock wears off, you realize you have no idea how to go about threat modeling and think, “Can’t I just do an FMEA?”

Nope – an FMEA is a hazard analysis tool to help designers determine trade-offs between design or process features and safety. Threat modeling is an ongoing process for thinking through potential impacts arising from threat actors attacking vulnerabilities in a system. Threat modeling is the first step towards developing a cybersecurity risk assessment.

The easiest way to begin is to use Adam Shostack’s Four Question Framework for threat modeling:

  • What are we working on?
  • What can go wrong?
  • What are we going to do about it?
  • Did we do a good job?

Think of building a home.  You want your home to be a safe and secure location to store possessions, house people, and enjoy life.  Depending on your resources and needs, a home could be a lean-to, a house or a castle.

Q: What are we working on?

A: A safe and secure house (we can afford a house but not a castle)

Now decide what could go wrong.  You choose a location in part based on what could go wrong, and you design and build the house to minimize opportunities for things to go wrong.

Q: What could go wrong?

A: There could be a flood.

A: Animals might enter the yard.

A: People might enter the house.

You have just identified threats (water damage, unwanted visitors) and threat actors (Mother Nature, other people).  Based on what could go wrong, you decide what to do about it.

Q: What are we going to do?

A: Let’s build on a hill with good drainage.

A: Let’s build a fence around sensitive areas.

A: Let’s reduce the number of windows and put locks on the doors and windows.

You have mitigated threats of flooding by elevating the building foundation; threats of animal ingress by fencing in the yard where your children will play; and threats of burglary by adding locks to points of ingress.  You eliminated some threats (reduced your attack surface) by eliminating some of the windows.  You also plan to purchase an insurance policy for the house and the property inside (you are transferring some risk to the insurance company).  You decide this is an acceptable level of threat mitigation and build the house.

Finally, before you move into your new house, you ask:

Q: Did we do a good job?

A: You decide to have the job inspected to ensure it meets specifications and building standards.

You decide against paying someone to break into your house because that would just be weird.  After all, it’s not a medical device in need of a penetration test.

This is obviously an over-simplified analogy that should not be used as a road map for designing and building a house – or a medical device.  But hopefully it helps you think about threat modeling as an exercise in which your entire team can participate – and with useful results.  As the team matures, additional approaches like STRIDE can be applied, including to the output of the Four Question Framework.
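As an added illustration (not part of the original post), the register below records the house analogy’s answers to the four questions as data, tags each threat with a STRIDE letter, and answers the fourth question mechanically: every threat must carry a documented treatment, and nothing with a meaningful risk score may be merely accepted. The STRIDE tags, the 1 to 5 likelihood and impact scales, and the acceptance ceiling are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Treatment(Enum):
    """Ways to deal with 'what can go wrong', as named in the house analogy."""
    MITIGATE = "mitigate"    # reduce likelihood or impact (drainage, locks)
    ELIMINATE = "eliminate"  # remove attack surface (fewer windows)
    TRANSFER = "transfer"    # shift the consequence (insurance)
    ACCEPT = "accept"        # documented decision to live with residual risk


@dataclass
class Threat:
    actor: str                 # threat actor (Mother Nature, other people)
    what_can_go_wrong: str
    stride: str                # STRIDE letter; the tagging here is assumed
    likelihood: int            # 1 (rare) .. 5 (expected); assumed scale
    impact: int                # 1 (nuisance) .. 5 (severe); assumed scale
    treatments: list = field(default_factory=list)  # [(Treatment, note)]

    def risk(self) -> int:
        return self.likelihood * self.impact


def did_we_do_a_good_job(register, accept_ceiling=4):
    """Question four: return findings; an empty list means the model passes.
    A threat fails if it has no treatment at all, or if it is only accepted
    while its risk score exceeds the ceiling for plain acceptance."""
    findings = []
    for t in register:
        kinds = {kind for kind, _ in t.treatments}
        if not kinds:
            findings.append(f"{t.what_can_go_wrong}: no treatment recorded")
        elif kinds == {Treatment.ACCEPT} and t.risk() > accept_ceiling:
            findings.append(f"{t.what_can_go_wrong}: risk {t.risk()} "
                            "accepted without mitigation")
    return findings


# Constructed register for the house analogy in the post.
HOUSE = [
    Threat("Mother Nature", "flood", "D", 2, 5,
           [(Treatment.MITIGATE, "build on a hill with good drainage")]),
    Threat("animals", "animals enter the yard", "E", 4, 2,
           [(Treatment.MITIGATE, "fence the yard where children play")]),
    Threat("other people", "burglary", "I", 3, 4,
           [(Treatment.ELIMINATE, "fewer windows"),
            (Treatment.MITIGATE, "locks on doors and windows"),
            (Treatment.TRANSFER, "insurance on house and contents")]),
]
```

Running `did_we_do_a_good_job(HOUSE)` returns an empty list; remove the burglary treatments and replace them with a bare acceptance, and the check names the threat that was waved through.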

To further explore threat modeling and learn about other tools that can be applied to your Software in a Medical Device or Software as a Medical Device, contact MEDIcept at sales@medicept.com.

References

The Ultimate Beginner’s Guide to Threat Modeling. Adam Shostack, https://shostack.org/resources/threat-modeling.

Playbook for Threat Modeling Medical Devices. The MITRE Corporation, https://www.mitre.org/sites/default/files/2021-11/Playbook-for-Threat-Modeling-Medical-Devices.pdf.

Gregg Van Citters – Senior Software Quality Engineer