Medical devices are increasingly complex systems that exist in complex connected ecosystems of healthcare delivery and are thereby prone to cybersecurity vulnerabilities. For several years, the Food and Drug Administration (FDA) has recognized the value of threat modeling as an approach to strengthen the cybersecurity and safety of medical devices. To increase adoption of threat modeling throughout the medical device ecosystem, FDA engaged with the Medical Device Innovation Consortium (MDIC), the MITRE Corporation, and Adam Shostack & Associates to conduct threat modeling bootcamps in 2020 and 2021. The Playbook has been developed by this team based on the learnings from those bootcamps to further increase the outreach and adoption of threat modeling best practices for medical devices.
Note that the Playbook is not prescriptive in that it does not describe one approach to be used when threat modeling medical devices but focuses on general threat modeling principles. The Playbook can be used as a resource for threat modeling training within an organization. Individuals can work through the examples, filling in the details left to the reader, applying the different methodologies discussed in the Playbook to those gaps, and researching additional approaches using the references in the playbook as starting points. An organization could develop its own training using the Playbook as a basis.
The playbook can also be used to educate stakeholders on threat modeling: what it is, its role in improving product safety and security, and how it fits with quality processes. For example, the playbook may help:
- product line managers understand how threat modeling fits into existing processes;
- systems engineers to understand how threat modeling informs design requirements;
- design engineers and architects understand how threat modeling informs design choices;
- design verification and validation (V&V) engineers understand how to use threat models in designing test strategies;
- regulatory specialists understand how to present and document threat models; and,
- contract manufacturers and consultants who may not be experienced in threat modeling.
Each of these stakeholders can select the portions of the playbook that can help them fulfill their roles and responsibilities in making their devices safe and secure.
This Playbook has benefited significantly from contributions and feedback made by numerous individuals and organizations including the bootcamp participants and facilitators. We are grateful to these contributors for their willingness to share their expertise and invest their valuable time to ensure that this playbook will be useful to the industry.