Manufacturers can leverage insights to strengthen the cybersecurity and safety of medical devices
MITRE and the Medical Device Innovation Consortium (MDIC) announced the release of their co-authored “Playbook for Threat Modeling Medical Devices,” providing insights to organizations developing or evolving an approach to creating threat models in a systematic and consistent way. The playbook is available for download from MDIC and MITRE.
For several years, the U.S. Food and Drug Administration (FDA) has recognized the value of threat modeling as an approach to strengthen the cybersecurity and safety of medical devices. To increase knowledge and understanding of threat modeling throughout the medical device ecosystem, FDA engaged with MDIC and MITRE to conduct a series of threat modeling bootcamps for medical device manufacturers in 2020 and 2021 and to subsequently develop a playbook based on the learnings from those convenings.
“We are excited about working with MDIC and MITRE on cybersecurity threat modeling to ultimately help medical device manufacturers strengthen their cybersecurity efforts,” said Dr. Suzanne Schwartz, director of the Office of Strategic Partnerships & Technology Innovation at the FDA’s Center for Devices and Radiological Health. “The threat modeling bootcamps and the first-of-its-kind playbook apply scientific methods of threat modeling, leading to safer, more resilient medical devices that improve patient lives.”
The goal of the bootcamps was to scale existing threat modeling training to the medical device ecosystem via a “train-the-trainer” approach, creating ambassadors for threat modeling in their respective organizations.
“MDIC recognizes that every company has unique challenges when it comes to safety and security of the devices, but it is evident that the cybersecurity is a shared responsibility of a wide range stakeholders including the patient community, and we need more and more collaborative efforts to increase awareness and scale best practices in this area,” said Pamela Goldberg, MDIC President and CEO.
In addition to leveraging learnings from the bootcamps, MITRE and MDIC interviewed cybersecurity experts from medical device manufacturers to distill current practices and strategies for implementing threat modeling into the medical device development lifecycle.
“MITRE is proud to once again support the FDA’s strong commitment to medical device cybersecurity and patient safety,” said Kim Warren, vice president, director, Health FFRDC, MITRE. “As a co-author of the Playbook for Threat Modeling Medical Devices we applied our decades of cybersecurity expertise helping other organizations prepare to defend attacks on their infrastructure. As medical devices increasingly connect to the internet, all private and public stakeholders must continue to prioritize device cybersecurity for patient safety.”
This new playbook builds upon MITRE’s continuing efforts to help safeguard medical devices, and the patients that rely on them, from bad actors. In October of 2020 MITRE published a rubric for applying the Common Vulnerability Scoring System (CVSS) to medical devices, earning qualification by the FDA as a Medical Device Development Tool (MDDT). MITRE partnered with the FDA in October of 2018 to create the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, which outlined a framework for health delivery organizations (HDOs) and other stakeholders to plan for and respond to cybersecurity incidents around medical devices, ensure effectiveness of devices, and protect patient safety.
For more such updates and perspectives around Digital Innovation, IoT, Data Infrastructure, AI & Cybersecurity, go to AI-Techpark.com.