MITRE and the Medical Device Innovation Consortium (MDIC) have co-authored a playbook for threat modeling to provide insights to organizations developing or evolving an approach to creating threat models in a systematic and consistent way. 

The “Playbook for Threat Modeling Medical Devices” is available for download from MDIC and MITRE and aims to help organizations strengthen the cybersecurity and safety of medical devices.

The U.S. FDA has recognized the value of threat modeling as an approach to strengthen security and safety of medical devices. To increase knowledge and understanding of threat modeling throughout the medical device ecosystem, FDA engaged with MDIC and MITRE to conduct a series of threat modeling bootcamps for medical device manufacturers in 2020 and 2021 and to subsequently develop a playbook based on the learnings from those convenings.

“We are excited about working with MDIC and MITRE on cybersecurity threat modeling to ultimately help medical device manufacturers strengthen their cybersecurity efforts,” says Suzanne Schwartz, MD, MBA, director of the Office of Strategic Partnerships & Technology Innovation at the FDA’s Center for Devices and Radiological Health. “The threat modeling bootcamps and the first-of-its-kind playbook apply scientific methods of threat modeling, leading to safer, more resilient medical devices that improve patient lives.”

The goal of the bootcamps was to scale existing threat modeling training to the medical device ecosystem via a “train-the-trainer” approach, creating ambassadors for threat modeling in their respective organizations.

“MDIC recognizes that every company has unique challenges when it comes to safety and security of the devices, but it is evident that cybersecurity is a shared responsibility of a wide range of stakeholders including the patient community, and we need more and more collaborative efforts to increase awareness and scale best practices in this area,” says Pamela Goldberg, MBA, MDIC president and CEO.

In addition to leveraging learnings from the bootcamps, MITRE and MDIC interviewed cybersecurity experts from medical device manufacturers to distill current practices and strategies for implementing threat modeling into the medical device development lifecycle.

“MITRE is proud to once again support the FDA’s strong commitment to medical device cybersecurity and patient safety,” says Kim Warren, MSC, vice president, director, Health FFRDC, MITRE. “As a co-author of the Playbook for Threat Modeling Medical Devices, we applied our decades of cybersecurity expertise helping other organizations prepare to defend against attacks on their infrastructure. As medical devices increasingly connect to the internet, all private and public stakeholders must continue to prioritize device cybersecurity for patient safety.”