MITRE models Medical Device threats

  • December 20, 2021
  • William Payne

MITRE, the US non-profit that operates federally funded research centres in homeland security and other fields, and the Medical Device Innovation Consortium (MDIC) have published a playbook for threat modelling medical devices.

The co-authored “Playbook for Threat Modelling Medical Devices” is intended to give manufacturers, healthcare providers and cybersecurity software firms a structured way to identify and reason about cyber threats to connected and embedded medical technology.

MITRE is a non-profit founded in 1958, originally to provide systems engineering for US air defence. Today it manages federally funded research and development centres (FFRDCs) for a number of US government agencies in fields including healthcare, aviation, defence, homeland security and cybersecurity.

Founded in 2012, MDIC is a public-private partnership created to advance medical device regulatory science throughout the total product life cycle. MDIC works in the pre-competitive space to facilitate the development of methods, tools, and approaches that enhance understanding and improve evaluation of product safety, quality, and effectiveness.

For several years, the US Food and Drug Administration (FDA) has recognised the value of threat modelling as an approach to strengthening the cybersecurity and safety of medical devices. To increase knowledge and understanding of threat modelling throughout the medical device ecosystem, the FDA engaged MDIC and MITRE to run a series of threat modelling bootcamps for medical device manufacturers in 2020 and 2021, and then to develop a playbook based on the lessons from those sessions.

The goal of the bootcamps was to scale existing threat modelling training to the medical device ecosystem via a “train-the-trainer” approach, creating ambassadors for threat modelling in their respective organisations.

In addition to drawing on lessons from the bootcamps, MITRE and MDIC interviewed cybersecurity experts from medical device manufacturers to distil current practices and strategies for integrating threat modelling into the medical device development lifecycle.

“We are excited about working with MDIC and MITRE on cybersecurity threat modelling to ultimately help medical device manufacturers strengthen their cybersecurity efforts,” said Dr. Suzanne Schwartz, director of the Office of Strategic Partnerships & Technology Innovation at the FDA’s Center for Devices and Radiological Health. “The threat modelling bootcamps and the first-of-its-kind playbook apply scientific methods of threat modelling, leading to safer, more resilient medical devices that improve patient lives.”

“MDIC recognises that every company has unique challenges when it comes to safety and security of the devices, but it is evident that cybersecurity is a shared responsibility of a wide range of stakeholders including the patient community, and we need more and more collaborative efforts to increase awareness and scale best practices in this area,” said Pamela Goldberg, MDIC President and CEO.

“MITRE is proud to once again support the FDA’s strong commitment to medical device cybersecurity and patient safety,” said Kim Warren, vice president, director, Health FFRDC, MITRE. “As a co-author of the Playbook for Threat Modelling Medical Devices we applied our decades of cybersecurity expertise helping other organisations prepare to defend against attacks on their infrastructure. As medical devices increasingly connect to the internet, all private and public stakeholders must continue to prioritise device cybersecurity for patient safety.”

In October 2020 MITRE published a rubric for applying the Common Vulnerability Scoring System (CVSS) to medical devices, which the FDA qualified as a Medical Device Development Tool (MDDT). In October 2018 MITRE partnered with the FDA to create the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, which set out a framework for health delivery organisations (HDOs) and other stakeholders to plan for and respond to cybersecurity incidents involving medical devices, keep devices operating as intended, and protect patient safety.