Threat modeling, in recent years, has come to take center stage in the world of cybersecurity across all industries, including healthcare. The Food and Drug Administration (FDA) has spent almost two years raising awareness on the topic, by sponsoring organizations like MITRE and MDIC to arrange bootcamps and publish a playbook on the implementation of threat modeling.
The Healthcare and Public Health Sector Coordinating Council (HSCC), the International Medical Device Regulators Forum (IMDRF), Association for the Advancement of Medical Instrumentation (AAMI) and the FDA all frequently contribute to cybersecurity documentation for medical devices. In each of their latest releases, there has been a focus on the importance of threat modeling in managing and responding to cyber threats.
In practice threat modeling remains a complex task to perform that is best carried out by cybersecurity experts. The recently published playbook however can certainly help Medical Device Manufacturers (MDMs) ramp-up their skills and perform it in a standardized way. Adopting and utilizing this playbook can be challenging for newer MDMs who may not have built solid expertise in the area just yet.
Let’s explore what these challenges are, what the current state is and what the right approach for small MDMs should be.
What are the top 3 threat modeling challenges for small MDMs?
Highly skilled human resources are limited
The key challenge for many MDMs in implementing threat modeling is the limited manpower. It is no secret that the shortage of cybersecurity talent is reaching critical levels, restricting the availability of skilled personnel.
Big corporations often have the resources to dedicate a team of cybersecurity experts to handle threat modeling for an extended timeframe. Hence, they have the ability to train new staff internally and expand this practice for each product line. Meanwhile, many smaller MDMs still struggle to find talent who have the necessary threat modeling experiences. This issue leads to no in-house teams being available, making it almost impossible to train internal personnel.
Hiring external consultants takes time to adapt
Several organizations rely fully on outsourcing as a solution to their limited manpower. By which, an external team of consultants is hired to perform threat modeling on the behalf of the business. Unfortunately, it still takes a substantial amount of time for external experts to become familiar with the product and its dependencies to implement threat modeling.
The challenge is compounded when dealing with multiple product lines as each product has distinct needs, requiring different skill sets to execute threat modeling efficiently. A solution might be to hire consultants who are both familiar in your field as well as cybersecurity who may be able to adapt more effectively to your current business strategies.
Maintaining consistency is difficult
Conducting threat modeling, either internally or externally, proves to be a challenge in maintaining consistency. Performing this practice efficiently is a dynamic process requiring continuous interactions between a wide range of stakeholders, such as the Quality Manager, Security Engineer and the DevSecOps team.
This frequent interaction may struggle when it is conducted by a less experienced external party, particularly if the consultants work independently from the internal design process. With such turbulent changes in personnel, mis-matched communication styles, or projects being rotated, a consistent approach to threat modeling may be challenging to achieve.
The process is then unnecessarily prolonged by endless feedback loops resulting in a delayed delivery of threat modeling during the design process. As a result, efficient mitigations and strategies against vulnerabilities will not be identified in time. In the ideal scenario, there should be a well-maintained and collaborative approach.
What is the current state of threat modeling for medical devices?
Historically, MDMs have tried to keep security related costs down until the products are approved for the market. This has led to the delaying of activities like threat modeling until a lot of the potential value they create is eliminated.
This is especially true for smaller MDMs who struggle to overcome the challenges of implementing regular threat modeling activities particularly early on in the design process.
In terms of regulations, there is a push for threat modeling implementation to be conducted throughout the product lifecycle of all medical devices and applications. Many MDMs are currently doing it haphazardly just to get it done, instead of properly understanding its cybersecurity value. Meanwhile, others implement threat modeling only for selected devices or applications. The time-consumption factor discourages them from applying it to all their available devices.
Don’t underestimate what threat modeling can bring to your business!
It’s time for all MDMs to re-evaluate the value of threat modeling, regardless of your organization size! Threat modeling provides the most benefits when performed early during the design process. When done improperly or left out, there can be a significant delay to market for your medical device and in severe cases, the potential unaddressed security risks will cost you more later on.
Threat modeling plays a crucial role in identifying and resolving cybersecurity issues and therefore should not be neglected. Instead, it should be set as a milestone to be invested in properly during both the design stage as well as throughout the product lifecycle.
Despite apprehensions or challenges in working with external parties, the most important thing is to equip your internal team with the knowledge and best practices that these cybersecurity experts utilize. Take the short term as a learning experience and once your internal team has acquired the invaluable skills, they can take care of the long term more effectively.
Let’s get to work on threat modeling for your medical devices!
Threat modeling is a continuous process requiring significant investments of both time and effort, however, with an effective approach at the beginning, the whole process becomes a lot more manageable!
Follow our blog for more upcoming discussions on threat modeling and advice for small MDMs!