NIST and the FDA think so.
It’s hard to find a medical device today that doesn’t use software, have an app or connect to the cloud. And the FDA knows it. So much so that, in response to a request from NIST, it’s now recommending threat modeling (TM) as a best practice when developing medical devices and software.
In Response to NIST
On June 2 and 3, 2021, the National Institute of Standards and Technology (NIST) hosted a virtual workshop to enhance the security of the software supply chain and to fulfill the President’s Executive Order on Improving the Cybersecurity of the Federal Government (14028), issued on May 12, 2021.
NIST was seeking position statements in critical areas of software development. These include, among other things, “secure software development lifecycle standards, best practices, and other guidelines” and “minimum requirements for testing software source code”.
In response to NIST’s question on minimum requirements for testing software source code, the “FDA stood up threat modeling bootcamps via a partnership with MITRE and the Medical Device Innovation Consortium (MDIC).”
They did so because, according to the FDA, “Threat modeling provides a blueprint to strengthen security through the total product lifecycle (TPLC) of the devices, thereby ensuring improved safety and effectiveness of medical products. Threat modeling helps to lay the groundwork for science driven penetration testing and other downstream security testing as identified in the 2018 draft premarket guidance.”
MDIC’s Been On Board for a While
MDIC is a public-private partnership to improve patient access and safety while reducing costs to the healthcare system. And the 2021 TM bootcamp wasn’t their first one. They’ve been on board with TM for a while.
From their website, “In September 2019, FDA awarded funding to MDIC to increase awareness on systematic approaches to TM that can enable manufacturers to effectively address system level risks. Through an FDA funded cybersecurity initiative, MDIC delivered two bootcamps on TM for medical device stakeholders which were held August 17-21, 2020 and February 22-26, 2021. MDIC collaborated with over two dozen SMEs on threat modeling – both from MedTech and non-MedTech sector, led by Shostack & Associates, in developing the modules for bootcamps.”
The money MDIC received was for “the expansion of the Case for Quality and medical device cybersecurity programs.” According to Jeff Shuren, M.D., director of FDA’s Center for Devices and Radiological Health (CDRH), “MDIC has been an essential partner for the Case for Quality since 2015. We are encouraged that the work being done by MDIC on cybersecurity threat modeling could ultimately help medical device manufacturers strengthen their cybersecurity efforts, leading to safer, more resilient medical devices that improve patient lives.”
Not Just for Medical Devices
TM isn’t just for medical devices. Incorporating it into the SDLC is quickly becoming a best practice for all application development and DevOps efforts.
If you’re new to TM, or haven’t kept up with advances and still think of it as just an open-source curiosity, we invite you to get your free copy of Threat Modeling for Dummies. Learn about your options for proactively preparing for increasingly sophisticated and ever-changing cyber threats.