The message from the CDRH’s Suzanne Schwartz at this year’s HIMSS21 conference, as reported by MedTech Dive, was straight to the point. If medical device manufacturers want to keep up with the growing cybersecurity threats, they need to prioritize threat modeling. Period.
And if that isn’t convincing enough, consider that Schwartz’s statement comes on the heels of a recent discussion by the FDA’s acting director for medical device cybersecurity, Kevin Fu, in a podcast interview with GovInfoSecurity.com. In that conversation, Fu made it clear that medical device manufacturers need to start being proactive instead of reactive when it comes to cybersecurity.
He explained that a consistent practice of better, more scientific threat modeling pre-market will lead to more secure products post-market. Otherwise, he says, we’re just throwing technology at it rather than addressing a particular risk.
What is threat modeling?
Nobody wants to find themselves in a compromised situation and two situations are rarely going to have identical risks and solutions. It’s always best to know your specific risk and then be able to make strategic decisions that will protect you against an imminent — and likely — threat.
On a very basic level, even in your home you likely do a version of threat modeling. If you have a home alarm system, the company probably came in, looked around your house and determined the risk of a break-in and where it’s most likely to come from. They probably first put sensors on downstairs windows and doors, assuming that’s a potential and likely threat, and then considered the risks of other areas like upstairs windows, a garage or maybe an attic. It’s also possible they considered something totally different from a human break-in. What about other threats, like fire or wild animals? These are all things that need to be considered and weighed so that you can then decide what the right action is for your unique risks, needs and budget.
Consider threat modeling the analysis of your home by the alarm company when they identify the threats that are likely to happen, what form they will likely take, how to defend against them and how much defense is even necessary.
During the pre-market phase, a threat model can help you make strategic decisions about the best way to move forward, both for the safety of your device and for its approval.
Threat modeling is also an important step in market approval for a medical device. Regulatory bodies like the Food and Drug Administration (FDA) or other pre-market reviewers view a threat model as you doing your part to prove you understand the cyber risks and are taking the necessary steps to defend against them.
When to conduct threat modeling
As mentioned above, the timing of threat modeling is important.
Just as you wouldn’t lay the foundation of a building and then worry about making sure the design meets safety code, threat modeling should be done in the design phase so that it’s baked into the software from the start. The importance of this can’t be overstated and it’s the reason why both the U.S. and EU governing bodies are paying an increasing amount of attention to it.
It’s also important to remember, though, that threat modeling doesn’t stop when the device is built. Over the lifecycle of the product, the threat model should be updated regularly to account for any changes in the threat landscape.
Why the focus on threat modeling now?
Between the increased reliance on remote patient monitoring as a result of COVID-19, attacks on healthcare systems, the rise in the number of Software as a Medical Device (SaMD) and Software in a Medical Device (SiMD) products coming to market, and the new methods attackers are using, as evidenced by the recent Kaseya attack, there’s little question about the growing threat of cyber attacks and the increasing sophistication of the attackers.
It would be great if Medical Device Manufacturers (MDMs) could simply stipulate that a requirement for their device is that it operates in a secure environment, but the reality is that this is next to impossible. As the ecosphere of connected devices expands, once-disparate organizations become interconnected, and secure walls within, for example, hospital networks disappear, all networks should be considered inherently hostile. That means every device needs to have safety measures in place in order to protect the entire community.
The FDA’s 2018 draft guidance outlined what medical device manufacturers needed to consider in the design and development of their products to assure their security, including threat modeling. But with these increased threats comes increased attention from the FDA and other governing bodies.
Schwartz says the FDA “… will be looking for much more detailed and comprehensive threat modeling as part of the clearance or approval process for medical devices,” part of which is likely to include consideration of risks across the entire supply chain and the environment.
She goes on to point out, however, that while the FDA will be looking for detailed threat modeling as part of the clearance or approval process, it is not planning to be prescriptive about how a manufacturer should perform threat modeling.
What MDMs need to know
Threat modeling can add clarity around where the risks and vulnerabilities exist, which then makes it possible to define a solution as part of the design and architecture. Otherwise, it’s simply a guessing game at how to solve for a presumed problem, which is far too risky when we’re talking about cybersecurity.
In the words of Kevin Fu, “It’s time to get away from gut judgement assessment and move towards verifiable security design control.”
At Irdeto, we believe, like the FDA and other governing bodies, that secure design control begins with threat modeling.