Whitepaper

Secure by Design — Medical Device Threat Modeling

Integrating Threat Modeling into Medical Device Cybersecurity Risk Management

Reading time: 16 minutes

August 6, 2018

International regulators as well as customers expect Medical Device Manufacturers to deliver proactively secured devices. This whitepaper takes a deep dive into the unique considerations of threat modeling for medical devices.

Executive summary

Threat modeling is a cornerstone of “secure by design” development. As connected medical devices become more complex and integrated, manufacturers must move beyond reactive cybersecurity measures and systematically identify risks before they become vulnerabilities.

This whitepaper outlines the principles, frameworks, and methods of threat modeling in medical device development — bridging established safety practices like FMEA and FTA with cybersecurity frameworks like STRIDE and CVSS. It illustrates how threat modeling supports FDA, Health Canada, TGA, and ANSM expectations, and provides a practical roadmap for integrating the process into existing quality and risk management systems.

Why it matters

Medical device manufacturers face growing regulatory and customer pressure to embed cybersecurity into the product development lifecycle.

Threat modeling offers a structured, repeatable approach to identifying potential cyber risks — analogous to how FMEA identifies failure points in safety risk management. It connects clinical safety with technical security, ensuring confidentiality, integrity, and availability are preserved across the device ecosystem.

This whitepaper helps MDMs and HDOs understand when, why, and how to apply threat modeling to strengthen compliance, protect patients, and reduce product risk.

Who should read

  • Medical Device Manufacturers (MDMs): product engineers, system architects, quality and regulatory teams
  • Healthcare Delivery Organizations (HDOs): IT security, clinical engineering, and HTM leaders
  • Regulatory and Risk Management Professionals: managing ISO 14971, AAMI TIR57, or IEC 81001-5-1 compliance
  • Security Analysts and Researchers: building secure product architectures and workflows

Key insights

  • Threat modeling extends ISO 14971-style safety risk management into cybersecurity.
  • Regulatory agencies now expect MDMs to apply threat modeling to manage system-level risk.
  • STRIDE and CVSS provide scalable frameworks to analyze and prioritize threats.
  • Diagrams (DFDs/UML) are essential tools for visualizing data flow and attack surfaces.
  • Continuous, collaborative threat modeling builds trust, reduces recall risk, and meets FDA expectations for “secure by design.”

Table of contents

  1. Introduction: The Role of Threat Modeling in Secure Product Design
    1. Regulatory context: FDA, Health Canada, TGA, and ANSM expectations
    2. How threat modeling aligns with cybersecurity risk management frameworks
  2. Threat Modeling in Context: From Safety to Security
    1. Parallels between safety risk management (FMEA/FMECA/FTA) and cybersecurity risk management
    2. Mapping of safety and security concepts (e.g., hazard vs. threat, probability vs. exploitability)
    3. Integration with ISO 14971 and AAMI TIR57 processes
  3. Threat Modeling as a Component of Cyber Risk Management
    1. How threat modeling complements broader risk assessment methods
    2. Role in the Secure Product Development Framework (SPDF)
    3. Key outcomes: improved visibility, mitigated design risk, and regulatory traceability
  4. Keep It Simple: How to Start Threat Modeling
    1. The four essential steps: Diagram, Identify, Mitigate, Validate
    2. Recommended starting point: system-level modeling and iterative deep dives
    3. Using existing artifacts like MDS2 diagrams and data flow maps
    4. Cross-functional collaboration and maintaining models as systems evolve
  5. Structured Methods for Threat Elicitation
    1. Overview of STRIDE, PASTA, and attack tree methodologies
    2. Using STRIDE categories to systematically analyze data flows
    3. Example: applying STRIDE to a CT scanner and PACS server scenario
    4. Attack tree visualization for SSL and DICOM communication threats
  6. Assessing and Prioritizing Risks
    1. Scoring methodologies (CVSS, OWASP Risk Rating, custom frameworks)
    2. Evaluating evolving threats like deepfake manipulation of imaging data
    3. Using CVSS base scoring to quantify probability, impact, and exploitability
  7. Beyond the Clinical Setting: Considering Non-Clinical Scenarios
    1. Threats in manufacturing, maintenance, and remote servicing
    2. Risk considerations for software provisioning, key management, and technician access
    3. Balancing safeguards and usability
  8. Key Takeaways and Looking Forward
    1. Adopting threat modeling early — but never too late
    2. Encouraging cross-industry collaboration and transparency
    3. Tailoring models to medical contexts (e.g., GE’s “abuse” and patient safety categories)
    4. Building industry consensus through shared attack trees and best practices
  9. Authors and References
    1. Contributions from MedCrypt, Toreon, and industry security experts
    2. Reference materials for further reading (FDA, AAMI, MITRE, Microsoft, and academic sources)