Doctor looking at MRI scanner monitor

Playbook for Threat Modeling Medical Devices

By Elaine Bochniewicz , Melissa Chase , Steven Christey Coley , Kyle Wallace, Ph.D. , Matt Weir, Ph.D. , Margie Zuk

The “Playbook for Threat Modeling Medical Devices” was developed to increase knowledge of threat modeling throughout the medical device ecosystem in order to further strengthen the cybersecurity and safety of medical devices.

Download Resources

Medical devices are increasingly complex and connected systems existing in complex connected ecosystems of healthcare delivery. Standard security controls can ensure some baseline security capabilities, but they fail to address the myriad of ways that medical devices are used, interface with the healthcare ecosystem, and most important, how security risks could result in unacceptable safety issues. Instead, for several years, the Food and Drug Administration (FDA) has recognized the value of threat modeling as an approach to strengthen the cybersecurity and safety of medical devices. To increase knowledge and understanding of threat modeling throughout the medical device ecosystem, FDA engaged with MITRE, the Medical Device Innovation Consortium (MDIC), and Adam Shostack to conduct a series of threat modeling bootcamps and develop a playbook based on the learnings from those bootcamps.

The “Playbook for Threat Modeling Medical Devices” provides a foundation that can inform an organization’s threat modeling practices. It is intended to serve as a resource for developing or evolving a threat modeling practice. The playbook is not prescriptive in that it does not describe one approach to be used when threat modeling medical devices but focuses on general threat modeling principles. In addition, the playbook provides insights on how an organization can develop or evolve an approach to creating threat models in a systematic and consistent way to achieve those objectives.

Please send comments or suggestions about the playbook to securemed@mitre.org.