Secure By Design: Medical Device Threat Modeling
Safety Risk Management is well established and has a long history. In the late 1950s, reliability engineers established methods to systematically analyze the failures and effects of faults within complex military systems. Failure Mode Effects Analysis (FMEA) was extended to include criticality in the analysis process (FMECA) and complemented other structured risk analysis methods (such as Fault Tree Analysis - FTA). These prescriptive methods are readily practiced within the medical device risk management domain to identify failure points and the impact of such failures on patient safety.
Just as FMEA, FMECA, and FTA are methods to proactively identify safety risks, threat modeling is a practice to identify cybersecurity risks. Threat modeling frameworks provide organizations with a repeatable way to incorporate key cybersecurity considerations into their software design and subsequently prevent or mitigate unacceptable compromises to confidentiality, integrity, availability, and safety.
Just as medical device manufacturers (MDMs) looked across industry to find and embrace tools like FMECA, "threat modeling", a practice developed in the traditional software industry, has been globally advocated within the health industry. Major government agencies have published industry guidance on how to incorporate cybersecurity considerations into the medical device lifecycle (such as the United States FDA, Health Canada, Australia's TGA, and France's ANSM).
These regulatory bodies have established expectations regarding cybersecurity threats and threat modeling. The FDA focuses on considering system-level risks and supply chain risks. Health Canada outlines a checklist of general activities a manufacturer should undertake to evaluate and control risk. The TGA asks that MDMs consider cybersecurity practices for manufacturing and the supply chain. ANSM calls for risk analysis, a policy for managing and purchasing software components, and verification methods for ensuring there are no vulnerabilities in the software. One difference noted here is that Health Canada does not have language involving the supply chain, unlike the other three guidance documents (for more details on regulatory guidance, see MedCrypt’s whitepaper, “Understanding International Medical Device Cybersecurity Guidance”).
Similarly, private-sector publications within the health industry have recommended the practice of threat modeling (such as the “Medical Device and Health IT Joint Security Plan” from the Public Health Sector Coordinating Council).
THREAT MODELING IS EXPECTED IN RISK MANAGEMENT

                     | Safety Related               | Cybersecurity Related
Process Guide        | ISO 14971                    | AAMI TIR57, Medical Device & Health IT JSP
Analysis Methods     | FMEA/FMECA, FTA              | STRIDE/PASTA, Attack Trees
Scoring Techniques   | Probability/Severity Matrix  | CVSS, OWASP Risk Rating

Table 1: The methods and procedures of safety-focused risk management have many parallels when managing cybersecurity risk. Threat modeling plays an important role in modern risk management.
RISK MANAGEMENT

SAFETY VS. CYBERSECURITY ANALOGOUS TERMINOLOGY

Traditional Safety                      | Traditional Cyber
Safety: Freedom from unacceptable risk  | Security: Protection from or defense against damage, unauthorized use or modification
Hazard                                  | Threat
Susceptibility                          | Vulnerability
People, Property, Environment           | Asset
Hazard (or Risk) Analysis               | (Cyber) Security Risk Analysis
Misuse (reasonably foreseeable)         | Exploit
Sequence of Events                      | Attack Vector
Hazardous Situation                     | Event, Incident (potential)
Harm                                    | Incident (occurring), Consequence
Intended Use                            | Use Case
Probability                             | Exploitability
Severity                                | Impact
Threat modeling is an extension to long-standing risk management activities and should be part of cybersecurity risk management when developing medical device software. ISO 14971 is a cornerstone standard to the safety and risk management processes widely used by MDMs. The standard helps MDMs establish procedures to identify and mitigate threats that may result in “physical injury or damage to the health of people, or damage to property or the environment”.
Software is playing a more prominent role both in medical devices (Software in a Medical Device - SiMD) and as a medical device itself (Software as a Medical Device - SaMD). This brings a set of cyber risks beyond the commonly discussed confidentiality, integrity, and availability — most notably, the risk of patient harm. Published in 2016, AAMI TIR57 “Principles for Medical Device Security - Risk Management” attempts to bridge that gap by mapping ISO 14971’s high-level process steps (which are focused on managing safety risks) to corresponding steps for managing cybersecurity risks.
Table 2: Safety risk and cybersecurity risk often use different terms to express comparable concepts. These terms diverge on the fundamentally different assumption that a Safety Hazard is primarily coincidental, while a Cyber Threat is primarily intentional.