FDA Playbook Aims to Bolster Medical Device Threat Modeling
New Resource Co-Developed by MITRE, Medical Device Innovation Consortium
The Food and Drug Administration on Tuesday announced the release of a new playbook to assist medical device makers in developing and evolving threat modeling approaches to strengthen the cybersecurity and safety of their products.
The new Playbook for Threat Modeling Medical Devices, which was commissioned by the FDA and co-authored by MITRE Corp. and the Medical Device Innovation Consortium, discusses best practices to help manufacturing organizations better understand threat modeling concepts and processes and how to apply them to medical devices, the FDA says (see: FDA's Kevin Fu on Threat Modeling for Medical Devices).
Threat Modeling Approaches
The resource is not meant to be prescriptive in terms of describing only one approach to threat modeling, the document notes. Rather, it was developed in large part through insights emerging from a series of threat modeling boot camps conducted in 2020 and 2021 for medical device manufacturers by MITRE and MDIC, with engagement from the FDA.
MITRE and MDIC also included advice from cybersecurity experts at medical device manufacturers on their current practices and strategies for implementing threat modeling into the medical device development life cycle, the two organizations say.
"The threat modeling boot camps and the first-of-its-kind playbook apply scientific methods of threat modeling, leading to safer, more resilient medical devices that improve patient lives," said Dr. Suzanne Schwartz, director of the Office of Strategic Partnerships and Technology Innovation at the FDA’s Center for Devices and Radiological Health in a statement.
The playbook notes that the use of its information is voluntary, and the document does not constitute FDA guidance or enforceable policy.
Medical Device Makers
Targeted users of the threat modeling playbook at medical device maker organizations include product line managers, systems engineers, design engineers and architects, design verification and validation staff, regulatory specialists and contract manufacturers and consultants, the document notes.
"Threat modeling is analyzing representations of a system to highlight concerns about security and privacy characteristics," the playbook notes, adding that it is "agnostic" about specific methodologies, and instead illustrates how different methodologies can be used, alone or in combination, to answer four key questions:
- What are we working on?
- What can go wrong?
- What are we going to do about it?
- Did we do a good enough job?
"When you perform threat modeling, you begin to recognize what can go wrong in a system," the playbook notes.
"It also allows you to pinpoint design and implementation issues that require mitigation, whether it is early in or throughout the lifetime of the system."
The output of the threat model informs the decisions to be made in the subsequent design, development, testing, and post-deployment phases, the playbook notes.
Some experts say the playbook appears to help address important cybersecurity issues involving medical devices that could otherwise get overlooked.
Ido Hoyda, a cyber analyst team leader at healthcare cybersecurity vendor CyberMDX who was not involved in the development of the playbook, says medical device cyberthreat modeling is critical.
That's because threat modeling assists organizations in anticipating potential security gaps in medical devices and helps them deconstruct complicated situations into understandable "building blocks" that they can mitigate, he notes.
Threat modeling "simplifies the complex topic of cybersecurity for medical devices by suggesting a step-by-step method to understand how a medical device is currently acting; how it should act; what are the high cyber risk software, hardware and network components of it; and how you should prioritize them to create a plan that will minimize the risk and potential attack vectors," he says.
While the new playbook is aimed primarily at medical device makers, Hoyda says the resource should also be helpful to teams responsible for securing medical devices and networks in healthcare delivery organizations.
"The playbook will most likely be beneficial during the initial medical device procurement process that frequently involves a preliminary risk assessment," he says.
"It will also assist security teams conducting ongoing risk assessment and risk mitigation for medical devices. Finally, it will help these processes by focusing the questions on the most important and cost-effective tasks when looking for security gaps and their mitigation strategies."
While this latest FDA cybersecurity resource is geared toward medical device makers, the FDA and MITRE in October 2018 issued a similar co-developed playbook to assist healthcare delivery organizations in responding to cybersecurity incidents involving medical devices (see: How to Use FDA's Medical Device Cybersecurity Playbook).