MedTech Terms

    Threat Modeling

    A structured analysis that identifies how an attacker could compromise a medical device and what controls mitigate each threat.

    Reviewed by Christian Espinosa, Founder, Blue Goat Cyber. Last reviewed May 5, 2026.

    Definition

    Threat modeling is a structured engineering activity in which a cross-functional team analyzes a device's architecture, data flows, trust boundaries, and assets to identify how an attacker could compromise confidentiality, integrity, availability, or safety - and then designs or selects controls to mitigate the identified threats. The most widely used framework in MedTech is STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) developed by Microsoft, often combined with attack-tree or kill-chain analysis. AAMI TIR57:2016 "Principles for Medical Device Security - Risk Management" provides MedTech-specific guidance.

    What the regulation says

    FDA's 2023 guidance treats threat modeling as a foundational expectation: every cyber-device submission must include a threat model that covers the global system, the multi-patient harm view, the updateability/patchability view, and the security use case view. The threat model must be traceable from the device's intended use through identified threats to specific mitigations and to ISO 14971 safety risk evaluation. Boilerplate threat models - STRIDE tables disconnected from the actual device architecture - are flagged as deficiencies.

    What this means in practice

    Threat modeling is most effective when done early (during architecture) and revisited at every major design change. Mature MedTech teams keep the threat model as a living artifact in the Design History File and re-walk it as part of design reviews. AAMI TIR57 and the MITRE Playbook for Threat Modeling Medical Devices both provide templates and examples MedTech teams can adapt.

    Use cases


    Connected cardiac monitor design review

    Security architect

    Engineering runs a STRIDE-based threat model on the device, gateway, and cloud. They identify spoofing risks on the BLE pairing flow and tampering risks on firmware updates, then add mutual authentication and signed updates as controls.

    Outcome: The threat model and resulting controls are referenced in the 524B cybersecurity package and accepted by FDA without a deficiency letter.

    Common pitfalls

    • Producing a one-shot threat model at submission rather than maintaining it through the lifecycle.
    • Listing generic threats (malware, ransomware) without mapping them to specific device interfaces and trust boundaries.
    • Skipping the four views FDA specifically calls out - global system, multi-patient harm, updateability/patchability, security use case.
    • Failing to feed threat-model outputs into the ISO 14971 risk management file.
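    As an added illustration (not from the page's author, FDA, AAMI or MITRE), a minimal traceable threat-model record with a lint that flags the four pitfalls above: unmapped or generic threats, missing mitigations, missing ISO 14971 links, and FDA views left uncovered. The schema, the view labels, the risk ids and the cardiac-monitor sample rows are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# The four views FDA's 2023 guidance calls out (labels as spelled on this page).
FDA_VIEWS = {"global system", "multi-patient harm",
             "updateability/patchability", "security use case"}
# Generic labels the "Common pitfalls" warn against using without a mapping.
GENERIC_THREATS = {"malware", "ransomware"}


@dataclass
class Threat:
    """One row of a STRIDE threat model (constructed schema, not a standard)."""
    stride: str                       # S, T, R, I, D or E
    description: str
    interface: Optional[str]          # e.g. "BLE pairing"; None = unmapped
    trust_boundary: Optional[str]     # e.g. "monitor<->gateway"
    mitigations: list                 # controls selected for this threat
    risk_id: Optional[str]            # ISO 14971 risk-file entry it feeds
    views: set = field(default_factory=set)  # FDA views this row belongs to


def lint_threat_model(threats):
    """Return findings that mirror the four pitfalls listed above."""
    findings, covered_views = [], set()
    for i, t in enumerate(threats):
        tag = f"threat[{i}] ({t.stride}: {t.description})"
        generic = t.description.lower() in GENERIC_THREATS
        if generic or t.interface is None or t.trust_boundary is None:
            findings.append(f"{tag}: generic or not mapped to an interface "
                            "and trust boundary")
        if not t.mitigations:
            findings.append(f"{tag}: no mitigation, traceability is broken")
        if t.risk_id is None:
            findings.append(f"{tag}: not linked to an ISO 14971 risk entry")
        covered_views |= t.views
    for view in sorted(FDA_VIEWS - covered_views):
        findings.append(f"model: FDA view not covered: {view}")
    return findings


# Constructed sample, modelled on the cardiac-monitor scenario above.
SAMPLE = [
    Threat("S", "Rogue phone pairs with the monitor", "BLE pairing",
           "monitor<->gateway", ["mutual authentication"], "R-017",
           {"global system", "security use case"}),
    Threat("T", "Modified firmware image is installed", "firmware update",
           "vendor<->device", ["signed updates"], "R-022",
           {"updateability/patchability", "multi-patient harm"}),
    Threat("T", "Ransomware", None, None, [], None),  # the boilerplate row
]
```

Running `lint_threat_model(SAMPLE)` reports three findings, all against the generic "Ransomware" row; the two mapped rows together cover all four FDA views and pass clean.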

    Frequently asked questions

    STRIDE is the de facto MedTech standard because the 2023 FDA guidance and AAMI TIR57 both reference it. PASTA and attack trees are complementary techniques you can layer on for high-risk subsystems. Pick one primary method and apply it consistently.


    Primary references

    1. FDA, Cybersecurity in Medical Devices Guidance (Sept 2023), fda.gov
    2. AAMI TIR57:2016, Principles for Medical Device Security, aami.org
    3. MITRE, Playbook for Threat Modeling Medical Devices, mitre.org
