
Threat modeling is a sound way to assess the cybersecurity of connected medical devices, according to a playbook sponsored by the US Food and Drug Administration that is built around four simple questions sponsors should ask while developing their products.

The FDA announced the availability of the “Playbook for Threat Modeling Medical Devices,” which was put together by the MITRE Corporation and the Medical Device Innovation Consortium (MDIC) with funding from the agency. While it is not promoted as a regulatory document and has no legal weight, the manual can be an important part of how manufacturers show the FDA that they have done their due diligence in producing a safe and secure connected medical device.


The playbook centers around four questions developed by threat modeling expert Adam Shostack with input from the FDA and industry stakeholders. The four questions are:

  • “What are we working on?”
  • “What can go wrong?”
  • “What are we going to do about it?”
  • “Did we do a good job?”


As sponsors develop connected medical devices, asking these four threat modeling questions about the cybersecurity of their product, and documenting the answers, can give the FDA confidence that the manufacturer has seriously considered potential threats to the product and ways to mitigate them, both premarket and postmarket.
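The four questions are a process, not a checklist, but the shape of the evidence they produce can be made concrete. The following is an added example written for this article, not code from the playbook, MITRE, MDIC or the FDA. It models a hypothetical connected infusion pump (the device, its elements and the decisions are all constructed for illustration), enumerates “what can go wrong” with STRIDE-per-element (a technique from Shostack’s own work, chosen here as an assumption; the article does not say which methodologies the playbook covers), records the team’s decisions for “what are we going to do about it,” and answers “did we do a good job?” by listing every threat that has neither a mitigation nor an explicit, documented risk acceptance. That last list is the kind of artifact a reviewer would expect to see empty, or explained, before a submission.

```python
"""Four-question threat model skeleton (added illustration, not the playbook's own code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# STRIDE categories; the letters index into the per-element applicability table below.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: which categories are considered for each data-flow-diagram
# element kind. This is the conventional mapping used by STRIDE-per-element
# (assumption: the playbook itself may use a different one).
APPLICABLE = {
    "external": "SR",      # external interactor (person or other system)
    "process": "STRIDE",   # running code
    "store": "TRID",       # data at rest
    "flow": "TID",         # data in transit
}


@dataclass
class Element:
    name: str
    kind: str  # one of the keys of APPLICABLE


@dataclass
class Threat:
    element: str
    category: str
    mitigation: Optional[str] = None  # None until the team decides what to do
    accepted: bool = False            # True only for an explicit, documented risk acceptance


def what_are_we_working_on() -> List[Element]:
    """Q1: a constructed, hypothetical data-flow diagram of a connected infusion pump."""
    return [
        Element("Clinician app", "external"),
        Element("Pump controller firmware", "process"),
        Element("Dose log", "store"),
        Element("BLE link app-to-pump", "flow"),
    ]


def what_can_go_wrong(elements: List[Element]) -> List[Threat]:
    """Q2: STRIDE-per-element enumeration; every applicable category becomes a threat to track."""
    return [
        Threat(e.name, STRIDE[letter])
        for e in elements
        for letter in APPLICABLE[e.kind]
    ]


def what_are_we_going_to_do(threats: List[Threat],
                            decisions: Dict[Tuple[str, str], str]) -> List[Threat]:
    """Q3: apply the team's decisions, keyed by (element, category).
    A value of "ACCEPT" records a documented risk acceptance; anything else is a mitigation."""
    for t in threats:
        decision = decisions.get((t.element, t.category))
        if decision is None:
            continue
        if decision == "ACCEPT":
            t.accepted = True
        else:
            t.mitigation = decision
    return threats


def did_we_do_a_good_job(threats: List[Threat]) -> List[Threat]:
    """Q4: the threats nobody has decided about yet. A non-empty list is an open gap."""
    return [t for t in threats if t.mitigation is None and not t.accepted]


def build_model() -> Tuple[List[Threat], List[Threat]]:
    """Run the four questions end to end on the constructed device and return (all threats, gaps)."""
    elements = what_are_we_working_on()
    threats = what_can_go_wrong(elements)
    # Constructed decisions for illustration only.
    decisions = {
        ("Clinician app", "Spoofing"): "Mutual authentication during BLE pairing",
        ("BLE link app-to-pump", "Information disclosure"): "Encrypted transport with authenticated keys",
        ("BLE link app-to-pump", "Tampering"): "Integrity-protected command messages",
        ("Dose log", "Tampering"): "Append-only log with per-entry MAC",
        ("Pump controller firmware", "Tampering"): "Signed firmware verified at boot",
        ("Clinician app", "Repudiation"): "ACCEPT",  # documented: app-side audit is out of scope
    }
    what_are_we_going_to_do(threats, decisions)
    return threats, did_we_do_a_good_job(threats)


if __name__ == "__main__":
    all_threats, gaps = build_model()
    print(f"{len(all_threats)} threats enumerated, {len(gaps)} still undecided:")
    for g in gaps:
        print(f"  - {g.element}: {g.category}")
```

The example deliberately separates “mitigated” from “accepted”: a threat with no entry at all is a gap, while a threat the team consciously accepted is not, and the distinction is exactly what a reviewer asking “did we do a good job?” will want to see in the documentation.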

The authors note that the playbook is not meant to be a prescriptive manual to cybersecurity threat modeling because there is no single way to threat model for medical devices. Instead, the manual is meant to be a resource to manufacturers as threat modeling practices evolve.

“The playbook is agnostic about specific methodologies, and instead focuses on the values and principles articulated in the manifesto and illustrates how different methodologies can be used, alone or in combination, to answer those four key questions,” the authors write. “The playbook provides a foundation that can inform an organization’s threat modeling practices. The playbook provides insights on how an organization can develop or evolve an approach to creating threat models in a systematic and consistent way to achieve those objectives.”

The manual lays out a number of different threat modeling methodologies, but manufacturers could also decide to develop their own threat modeling plan based on the information presented in the document. According to the authors, it can also be used to educate stakeholders on threat modeling by answering what cybersecurity threat modeling is, what their role is in improving product safety and security, and how the modeling fits into their quality processes.

“A challenge with developing a mature threat modeling process is that there is no one-size-fits-all approach to threat modeling,” the manual states. “Identifying the threat modeling techniques that fit an organization’s team and products is a learning process that only improves with practice.”

“As organizations adopt proactive threat modeling techniques, more questions will arise,” it adds. “When they do, this playbook and the concepts it details will provide a basis for selecting more advanced resources and tailoring the techniques for individual organizations’ needs and products.”
