Manufacturers can leverage insights to strengthen the cybersecurity and safety of medical devices.
Bedford, Mass., Arlington and McLean, Va., Nov. 30, 2021—MITRE and the Medical Device Innovation Consortium (MDIC) announced the release of their co-authored “Playbook for Threat Modeling Medical Devices,” providing insights to organizations developing or evolving an approach to creating threat models in a systematic and consistent way. The playbook is available for download from MDIC and MITRE.
For several years, the U.S. Food and Drug Administration (FDA) has recognized the value of threat modeling as an approach to strengthen the cybersecurity and safety of medical devices. To increase knowledge and understanding of threat modeling throughout the medical device ecosystem, FDA engaged with MDIC and MITRE to conduct a series of threat modeling bootcamps for medical device manufacturers in 2020 and 2021 and to subsequently develop a playbook based on the learnings from those convenings.
“We are excited about working with MDIC and MITRE on cybersecurity threat modeling to ultimately help medical device manufacturers strengthen their cybersecurity efforts,” said Dr. Suzanne Schwartz, director of the Office of Strategic Partnerships & Technology Innovation at the FDA’s Center for Devices and Radiological Health. “The threat modeling bootcamps and the first-of-its-kind playbook apply scientific methods of threat modeling, leading to safer, more resilient medical devices that improve patient lives.”
The goal of the bootcamps was to scale existing threat modeling training to the medical device ecosystem via a "train-the-trainer" approach, creating ambassadors for threat modeling in their respective organizations.
“MDIC recognizes that every company has unique challenges when it comes to safety and security of the devices, but it is evident that cybersecurity is a shared responsibility of a wide range of stakeholders including the patient community, and we need more and more collaborative efforts to increase awareness and scale best practices in this area,” said Pamela Goldberg, MDIC President and CEO.
In addition to leveraging learnings from the bootcamps, MITRE and MDIC interviewed cybersecurity experts from medical device manufacturers to distill current practices and strategies for implementing threat modeling into the medical device development lifecycle.
“MITRE is proud to once again support the FDA’s strong commitment to medical device cybersecurity and patient safety,” said Kim Warren, vice president, director, Health FFRDC, MITRE. “As a co-author of the Playbook for Threat Modeling Medical Devices, we applied our decades of cybersecurity expertise helping other organizations prepare to defend against attacks on their infrastructure. As medical devices increasingly connect to the internet, all private and public stakeholders must continue to prioritize device cybersecurity for patient safety.”
This new playbook builds upon MITRE’s continuing efforts to help safeguard medical devices, and the patients that rely on them, from bad actors. In October of 2020 MITRE published a rubric for applying the Common Vulnerability Scoring System (CVSS) to medical devices, earning qualification by the FDA as a Medical Device Development Tool (MDDT). MITRE partnered with the FDA in October of 2018 to create the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, which outlined a framework for health delivery organizations (HDOs) and other stakeholders to plan for and respond to cybersecurity incidents around medical devices, ensure effectiveness of devices, and protect patient safety.
MITRE’s mission-driven teams are dedicated to solving problems for a safer world. Through our public-private partnerships and federally funded R&D centers, we work across government and in partnership with industry to tackle challenges to the safety, stability, and well-being of our nation.
About the Medical Device Innovation Consortium (MDIC)
Founded in 2012, the Medical Device Innovation Consortium (MDIC) is the first public-private partnership created with the sole objective of advancing medical device regulatory science throughout the total product life cycle. MDIC’s mission is to promote public health through science and technology and to enhance trust and confidence among stakeholders. MDIC works in the pre-competitive space to facilitate the development of methods, tools, and approaches that enhance understanding and improve evaluation of product safety, quality, and effectiveness. Its initiatives aim to improve product safety and patient access to cutting-edge medical technology while reducing cost and time to market. For more information, visit http://www.mdic.org.