MedTechs need to up their cybersecurity threat modeling game, FDA says

FDA in 2018 issued updated draft guidance describing the design and development factors that manufacturers should consider to assure medical device security. Threat modeling is specifically called out as a critical issue that medtechs should address in preparing premarket submissions.

The agency recommends a “threat model that includes a consideration of system level risks, including but not limited to risks related to the supply chain (e.g., to ensure the device remains free of malware), design, production, and deployment (i.e., into a connected/networked environment).” FDA’s recommendations also include a “specific list of all cybersecurity risks that were considered in the design” of a manufacturer’s device.

The problem, according to FDA officials, is that companies are often falling short when it comes to appropriate threat modeling and premarket testing needed to assess the adequacy of medical device security.

Schwartz told MedTech Dive it’s critical that manufacturers incorporate security controls into the designs of their devices and include “rigorous and methodologically sound” threat models that take into consideration all potential cyber risks from hackers, who are growing in sophistication and are increasingly brazen in their tactics.

“That is why we have invested in the threat modeling work with MITRE,” Schwartz said, noting that there has been “a real type of gap in terms of [medtechs] understanding what kinds of questions are appropriate to ask” in putting together sound threat models to avoid current cybersecurity vulnerabilities.

MITRE’s threat modeling playbook will be published later in 2021. The document will include strategies for integrating threat modeling into business processes based on stakeholder current practices, as well as tools and methodologies for consideration by companies.

“It’s not a guidance, however,” Schwartz emphasized. “We are not being prescriptive with respect to how a manufacturer should step by step go through threat modeling.”

At the same time, Schwartz said FDA “will be looking for much more detailed and comprehensive threat modeling as part of the clearance or approval process for medical devices.”

FDA sponsored a series of threat modeling “boot camps” for manufacturers and agency reviewers, in collaboration with MITRE, the Medical Device Innovation Consortium and Adam Shostack & Associates, meant to develop experts within the industry who can train others on appropriate threat models.

Schwartz said the concept of MITRE’s threat modeling playbook is to “take the best” of those boot camps and to “institutionalize” the content and lessons learned by broadly disseminating it to the medtech industry.

MedTech Dive

Copyright © 2024 Medical Buyer
