With medical devices increasingly incorporating complex software elements and becoming more connected, the risk associated with cyber threats has never been greater. One of the most effective ways to strengthen the cybersecurity of medical devices is to employ threat modeling early (and often) during the development and throughout the lifecycle of a device.
Threat modeling is a well-established practice within the cybersecurity industry but is still relatively new within the medtech space, so many are unsure where to start and exactly how to do it. Fortunately, the MITRE Corporation, in conjunction with the FDA and other industry leaders, has just released a very helpful resource.
Structuring the threat modeling process
The recently published “Playbook for Threat Modeling Medical Devices” provides manufacturers with a good understanding of how to perform threat modeling within the medical device ecosystem. But the document is not prescriptive – it does not describe one “right” approach, as there is no such thing. Instead, it tries to serve as a resource for developing or evolving your own threat modeling practice, one that will be useful for your particular product(s).
To add structure to the threat modeling process, the authors of the document recommend the following four simple questions:
- What are we working on?
- What can go wrong?
- What are we going to do about it?
- Did we do a good job?
Of course, answering each of them is an iterative process with a lot of back and forth, where the answers to later questions are used to revise earlier ones. You also need to keep in mind that your medical devices are not static: new vulnerabilities are discovered regularly, and depending on their severity, the need to update or upgrade affected products should be reassessed regularly. And even if your products do not change, your team’s knowledge of them becomes more complete over time.
Useful and documented threat modeling
Ideally, you should apply threat modeling throughout the lifecycle of your device(s), from concept through development to commercialization. The process should identify both potential threats and strategies for controlling each one of them through elimination, mitigation, acceptance, or transfer. Once you agree on a method, be explicit about it – do not just silently accept or transfer a threat. You should also have incident response plans in place, so that your organization can act in a coordinated manner and provide timely disclosure to device operators and the public.
The playbook also underlines the importance of having a well-documented security architecture. Since multiple development teams are involved in a product, it only makes sense to start the threat modeling process at a top-level system view and keep it documented. In this way the organization will know what makes up the system, where trust boundaries exist with external entities, what trust boundaries exist within the system itself, and which high-value dataflows merit detailed analysis. A good security architecture will help reduce developer uncertainty and improve communication between teams.
For such documentation to serve its purpose, it should be complete, clear, specific, traceable and consistent. Using multiple different diagrams for the same system, as shown in the playbook, will help you examine your product from all angles.
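One way to keep such documentation checkable is to capture the system view (components, trust zones, dataflows) and each threat's treatment decision as data, then have a script answer part of "Did we do a good job?": every dataflow that crosses a trust boundary has recorded threats, every threat has one of the four explicit treatments, and an accepted or transferred threat carries a rationale. This is an added illustration, not code from the playbook; the infusion-pump components, zones and flows are a constructed sample.

```python
from dataclasses import dataclass, field
TREATMENTS = {"eliminate", "mitigate", "accept", "transfer"}  # the four options named above

@dataclass
class Dataflow:
    name: str
    src: str  # source component
    dst: str  # destination component

@dataclass
class Threat:
    flow: str             # name of the Dataflow this threat applies to
    description: str
    treatment: str = ""   # one of TREATMENTS; "" means not yet decided
    rationale: str = ""   # expected whenever a threat is accepted or transferred

@dataclass
class ThreatModel:
    zones: dict  # component -> trust zone, e.g. "device", "hospital_net"
    flows: list
    threats: list = field(default_factory=list)

    def boundary_crossings(self):
        """Dataflows whose endpoints lie in different trust zones."""
        return [f for f in self.flows if self.zones[f.src] != self.zones[f.dst]]

    def review(self):
        """Findings about the model's completeness and explicitness."""
        findings = []
        covered = {t.flow for t in self.threats}
        for f in self.boundary_crossings():  # every crossing needs recorded threats
            if f.name not in covered:
                findings.append(f"{f.name}: crosses a trust boundary, no threats recorded")
        for t in self.threats:  # every threat needs an explicit, justified decision
            if t.treatment not in TREATMENTS:
                findings.append(f"{t.flow}/{t.description}: no explicit treatment")
            elif t.treatment in {"accept", "transfer"} and not t.rationale:
                findings.append(f"{t.flow}/{t.description}: {t.treatment} without rationale")
        return findings

# Constructed sample (hypothetical infusion pump); component names are illustrative only.
PUMP = ThreatModel(
    zones={"controller": "device", "ui": "device", "emr_server": "hospital_net", "update_server": "internet"},
    flows=[Dataflow("dose_order", "emr_server", "controller"),
           Dataflow("firmware", "update_server", "controller"),
           Dataflow("telemetry", "controller", "emr_server"),
           Dataflow("display", "controller", "ui")],
    threats=[Threat("dose_order", "dose parameters altered in transit", "mitigate", "mutual TLS"),
             Threat("firmware", "unauthenticated firmware image", "accept")],  # accepted, no rationale
)
```

Running `PUMP.review()` reports the telemetry flow as an unanalysed boundary crossing and the firmware threat as accepted without a rationale, while the device-internal display flow is correctly left alone.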
Evolution and continual improvement
Threat modeling is an ongoing process and as such should be regularly evaluated. Its continual improvement and evolution over time will ensure that it remains effective. To be able to develop future-proof medical devices, you need to create threat models in a systematic and consistent way.
But getting started is the hardest part. If you are struggling with building an initial threat model for your medical device, feel free to contact us; we are happy to give you a hand!