Cybersecurity has become a critical issue for the medical device industry, where a cyber threat can lead to injury or even death. To address this growing problem, the U.S. Food and Drug Administration, the MITRE Corporation, and the Medical Device Innovation Consortium (MDIC), have published a playbook that offers insights to organizations developing or evolving an approach to creating threat models for medical device cybersecurity.
What is threat modeling and how is it helpful?
According to the playbook, threat modeling is “analyzing representations of a system to highlight concerns about security and privacy characteristics.” This involves asking four key questions to begin recognizing what can go wrong in a system. These questions include:
- What are we working on?
- What can go wrong?
- What are we going to do about it?
- Did we do a good enough job?
After running through a threat modeling exercise, companies identify “threats” — design or implementation issues in a medical device that require adjustments or mitigation. Given the complexity and connectedness of medical devices, it is important that all companies regularly conduct threat modeling exercises. Catching a threat early can often prevent death or injury to future patients.
The threats that arise from cybersecurity vulnerabilities are also the risks that can lead to a recall for a medical device manufacturer. Running a threat modeling exercise can help manufacturers identify these risks throughout the lifecycle of a medical device and create the opportunity to mitigate the risks before they turn into a recall.
Although the FDA has shared that the threat modeling playbook is not a guidance, Suzanne Schwartz, director of the FDA’s Center for Devices and Radiological Health’s Office of Strategic Partnerships and Technology Innovation, has cautioned that the FDA “will be looking for much more detailed and comprehensive threat modeling as part of the clearance or approval process for medical devices.” With this in mind, all medical device manufacturers planning to submit a device for approval should pay close attention to the threat modeling playbook and take the necessary steps now to ensure they’re prepared to present proof of an adequate threat model.
Threat modeling will also help manufacturers identify risks early in the R&D stage, as well as help them think about what impact the risks could have once the device is in the market. In the end, careful threat modeling will create peace of mind, save money, and more importantly, save lives.