FDA, MDIC and MITRE Publish Medical Device Threat Modeling Playbook
Modern medical devices are complex, networked and often vulnerable to attack. With that in mind, the U.S. Food and Drug Administration (FDA) has funded the development of a threat modeling playbook by the Medical Device Innovation Consortium (MDIC) and MITRE.
The playbook is designed to help health care organizations and medical device manufacturers identify how bad actors can exploit vulnerabilities or cause harm through an attack. Essentially, threat modeling means looking at a system through an attacker’s eyes so that mitigations can be developed against potential attacks.
“When you perform threat modeling, you begin to recognize what can go wrong in a system. It also allows you to pinpoint design and implementation issues that require mitigation, whether early in or throughout the system’s lifetime. The output of the threat model, which are threats, informs decisions that you might make in subsequent design, development, testing and post-deployment phases,” the playbook states.
The playbook draws on lessons from a series of threat modeling boot camps designed by FDA, MDIC, MITRE and Adam Shostack (author of Threat Modeling: Designing for Security), who served as the expert trainer, along with additional interviews with organizations that helped run the boot camps throughout 2020 and 2021.
The risks of connected medical devices continue to rise. Consider a survey from Cynerio, which found that a full third of “bedside health care IoT devices” contained a known critical risk. Beyond bedside health care IoT devices, the vendor’s survey also found that 53% of connected devices in hospitals have at least one identified critical flaw. These security flaws can be used to steal patient data, move laterally into the hospital network, block network and system access and more.
There’s increased momentum toward securing medical devices. This past September, the FBI issued medical device cybersecurity recommendations designed to protect medical devices from attack. “Cyber threat actors exploiting medical device vulnerabilities adversely impact healthcare facilities’ operational functions, patient safety, data confidentiality and data integrity. Medical device vulnerabilities predominantly stem from device hardware design and device software management. Routine challenges include the use of standardized configurations, specialized configurations, including a substantial number of managed devices on the network, lack of device embedded security features, and the inability to upgrade those features,” the FBI stated in its notification.
“The pending legislation would require medical device manufacturers to monitor and identify post-market vulnerabilities in a timely manner, develop a plan for coordinated vulnerability disclosure, provide lifetime cybersecurity support of the device and provide an accounting of all software contained in the device, including third-party software,” the American Hospital Association wrote in a statement.
The Playbook for Threat Modeling Medical Devices is available here.