Threat Modeling
A structured analysis that identifies how an attacker could compromise a medical device and what controls mitigate each threat.
Definition
Threat modeling is a structured engineering activity in which a cross-functional team analyzes a device's architecture, data flows, trust boundaries, and assets to identify how an attacker could compromise confidentiality, integrity, availability, or safety - and then designs or selects controls to mitigate the identified threats. The most widely used framework in MedTech is STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) developed by Microsoft, often combined with attack-tree or kill-chain analysis. AAMI TIR57:2016 "Principles for Medical Device Security - Risk Management" provides MedTech-specific guidance.What this means in practice
Threat modeling is most effective when done early (during architecture) and revisited at every major design change. Mature MedTech teams keep the threat model as a living artifact in the Design History File and re-walk it as part of design reviews. AAMI TIR57 and the MITRE Playbook for Threat Modeling Medical Devices both provide templates and examples MedTech teams can adapt.Use cases
1 scenarioConnected cardiac monitor design review
Security architectEngineering runs a STRIDE-based threat model on the device, gateway, and cloud. They identify spoofing risks on the BLE pairing flow and tampering risks on firmware updates, then add mutual authentication and signed updates as controls.
- •Producing a one-shot threat model at submission rather than maintaining it through the lifecycle.
- •Listing generic threats (malware, ransomware) without mapping them to specific device interfaces and trust boundaries.
- •Skipping the four views FDA specifically calls out - global system, multi-patient harm, updateability/patchability, security use case.
- •Failing to feed threat-model outputs into the ISO 14971 risk management file.
Frequently asked questions
Cross-references
Related terms
Shared paths + categoryA documented, risk-based set of processes that build cybersecurity into a medical device across its full lifecycle.
The federal statute that gives FDA explicit premarket authority over cybersecurity for cyber devices.
A six-category framework for enumerating threats: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege.
The bundle of cybersecurity artifacts a sponsor includes in a 510(k), De Novo, PMA, or HDE submission for a cyber device.
AAMI Technical Information Report providing MedTech-specific guidance on cybersecurity risk management.
International standard defining secure-product-lifecycle activities for health software, including medical devices.
Latest in MedTech
Primary references
3 sources- 1FDA Cybersecurity in Medical Devices Guidance (Sept 2023)VerifiedFDAfda.gov
- 2MITRE Playbook for Threat Modeling Medical DevicesVerifiedMITREmitre.org
- 3FDA - Cybersecurity for Medical DevicesVerifiedFDAfda.gov
Inline markers like [1] jump to the matching reference above.