
Updated April 13, 2025
Threat modeling is an essential step in the security process that identifies what can go wrong with a particular system. It is meant to be a broad and flexible process for mapping out risk in various areas, including cybersecurity, physical security, and medical device security, to name a few. Implementing different frameworks and approaches will make it much easier to comprehensively map out potential threats and find ways to remediate them. This is an often overlooked step in the security process that provides immense value.
Identifying Vulnerabilities in Medical Devices
The high-level function of threat modeling is to harden the security of the tested device. To do this, fixes for security flaws must be implemented, and to do that, the flaws themselves must be identified. The initial stages of threat modeling involve analysis of the device and working to think of what could happen to each aspect of the device, including aspects out of the manufacturer’s control. A great way to begin this process is by breaking down exactly what is happening with the medical device, both physically and digitally.
Mapping out the various aspects of the device through discussion and collaboration with the manufacturer will give the tester a good idea of what can be done. Testers need to get in the headspace of bad guys. How can the most damage be done? How can the most information be acquired? These questions will begin to guide the tester to potential vulnerabilities. Seeing how the various systems interact can reveal many types of flaws that would be missed by looking at the individual parts in isolation.
Many tools and frameworks have been developed to help with this process. Diagrams showing where everything lies physically and virtually and how important functions operate can help create a picture. Data Flow Diagrams (DFDs), swim lane diagrams, and attack trees do a great job at this and can be a good first step before digging deeper. Threat modeling is a cyclical process, and diagram creation will be constantly revisited.
Aside from using diagrams, it can be helpful to fill out certain checklists. MDS2 forms were created to allow manufacturers to show security information to potential customers and regulatory agencies, though they also work well for security testers. These forms can help identify potential weaknesses and save time that might be wasted attacking something that is not there.
Remediation of Discovered Vulnerabilities
Once vulnerabilities have been identified, the next step is to test potential attacks and implement controls to prevent these attacks. Following the diagrams created earlier, a clear path is mapped out for testers to try various attacks. Depending on the success of these attacks, it may often be worth revisiting earlier diagrams with newly discovered information. The discovery of vulnerabilities often takes specialized tools and techniques that are unique to each device.
Implementing fixes requires a delicate balance at times. In a perfect world, users could be expected to follow every possible security requirement. In the real world, this often leads to disruption of normal operations and frustration for the user. A user will be able to remember a password longer than eight characters, but it might be too much to remember one longer than 20, despite the massively increased security. While this is a simple example, the same general concept applies to more complex areas.
As in the earlier stages, this is where communication with the manufacturer provides massive value. The testers will work with the device’s manufacturers to develop good solutions that do not excessively impact the normal flow of operations. In many cases, security controls are more important than usability, especially with devices used in a medical capacity. In these cases, it is important to find a solution that accepts some potential disruption in the name of safety.
An extremely important final step is reviewing the threat model for completeness. Even with seasoned security professionals, small details can slip through the cracks and go unnoticed. These can potentially stack up and lead to massive security flaws. Careful review throughout the process to ensure that all best practices are followed and that everything is kept up to the highest standards will lead to far more comprehensive security.
Medical Device Testing With Blue Goat Cyber
Our team has years of experience testing medical devices and ensuring maximum security before going to market. We can work with your team to find solutions to keep your devices secure and your customers safe from cyber attacks. Contact us to schedule a consultation and find the right solution for your organization.
Medical Device Threat Modeling FAQs
Threat modeling is a systematic process used to identify and assess potential cybersecurity threats that could compromise the safety, performance, or availability of a medical device. It involves analyzing the device’s architecture, data flows, interfaces, and potential attacker entry points. By understanding how an attacker could exploit vulnerabilities, manufacturers can implement appropriate security controls early in the design process.
Threat modeling plays a crucial role in reducing cybersecurity risks in medical devices, particularly those that are connected, software-driven, or integrated with hospital networks and cloud platforms. It supports compliance with FDA cybersecurity guidance, aligns with standards like ISO 14971 and AAMI TIR57, and provides evidence of proactive security planning in regulatory submissions. Beyond compliance, it helps protect patients from harm caused by unauthorized access, data manipulation, or device malfunction.
Threat modeling should be initiated early in the product design phase and updated throughout the development lifecycle. Ideally, it should begin as soon as architectural decisions are made, and then be reviewed after significant design changes, software updates, or when new threats emerge. It should also be revisited during postmarket surveillance to account for evolving threat landscapes and vulnerability disclosures.
Several frameworks can guide threat modeling in the medical device context. Common ones include STRIDE, which categorizes threats by Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Others include attack trees, kill chain analysis, and the MITRE ATT&CK framework. These methodologies help structure thinking and ensure comprehensive threat coverage across device components and usage scenarios.
The FDA’s 2023 final guidance on cybersecurity in medical devices specifically requires manufacturers to perform threat modeling as part of their premarket submission. It should be part of the Secure Product Development Framework (SPDF) and linked to the cybersecurity risk management plan. Threat models help justify the security controls chosen and demonstrate that risks have been adequately mitigated and documented.
Effective threat modeling requires a clear understanding of the device’s system architecture, data flows, user roles, software components, communication protocols, and third-party dependencies. Security-relevant information like known vulnerabilities, interface specifications, and software bills of materials (SBOMs) are also crucial for thorough modeling. Collaboration between engineering, cybersecurity, and regulatory teams ensures completeness.
The outcomes of threat modeling usually include a list of identified threats, corresponding vulnerabilities, risk scores, and recommended mitigations. It often results in updated security requirements, design changes, or the implementation of controls such as encryption, authentication, or logging. These findings feed directly into the security risk management file and regulatory documentation.
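As an added illustration (not code from the original article or from Blue Goat Cyber), the following Python sketch applies the STRIDE categories described above to a small, constructed data flow diagram of a hypothetical infusion pump and produces the kind of output this section lists: a threat per element, a likelihood-times-impact risk score, and a candidate control family. The element names, the STRIDE-per-element mapping, the scoring heuristic and the mitigation labels are assumptions made for the example.

```python
from dataclasses import dataclass

# STRIDE-per-element: (DFD element kinds the category applies to, control family
# a modeler would record as the candidate mitigation). Assumed for this example.
STRIDE = {
    "Spoofing": ({"external", "process"}, "authentication"),
    "Tampering": ({"process", "store", "flow"}, "integrity protection (signing/MAC)"),
    "Repudiation": ({"external", "process", "store"}, "audit logging"),
    "Information Disclosure": ({"process", "store", "flow"}, "encryption, access control"),
    "Denial of Service": ({"process", "store", "flow"}, "rate limiting, fail-safe mode"),
    "Elevation of Privilege": ({"process"}, "least privilege, input validation"),
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str               # external | process | store | flow
    crosses_boundary: bool  # crosses a trust boundary on the DFD
    safety_impact: int      # 1..3, set by the modeler together with clinicians

# Constructed DFD of a hypothetical infusion pump with a hospital gateway.
DFD = (
    Element("Clinician UI", "external", False, 2),
    Element("Pump controller", "process", False, 3),
    Element("Dose library", "store", False, 3),
    Element("Hospital gateway", "process", True, 2),
    Element("Dose-library update flow", "flow", True, 3),
    Element("Telemetry flow to cloud", "flow", True, 1),
)

def enumerate_threats(dfd=DFD):
    """STRIDE threats per element, scored likelihood x safety impact, highest first."""
    threats = []
    for el in dfd:
        likelihood = 3 if el.crosses_boundary else 1  # simple exposure heuristic
        for category, (kinds, control) in STRIDE.items():
            if el.kind in kinds:
                threats.append({"element": el.name, "threat": category,
                                "score": likelihood * el.safety_impact,
                                "mitigation": control})
    return sorted(threats, key=lambda t: t["score"], reverse=True)  # stable sort

def top_threats(n=3, dfd=DFD):
    """The n highest-scored (element, threat, score) triples for the risk register."""
    return [(t["element"], t["threat"], t["score"]) for t in enumerate_threats(dfd)[:n]]

if __name__ == "__main__":
    for t in enumerate_threats():
        print(f'{t["score"]:>2}  {t["element"]:<26} {t["threat"]:<23} -> {t["mitigation"]}')
```

The boundary-crossing dose-library update flow rises to the top of the list, which is the prioritisation a review of the model should then challenge and refine with the manufacturer.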
Threat models should be treated as living documents. Updates should occur with any significant design change, software update, addition of new features, or integration with new systems. They should also be refreshed when new threats or vulnerabilities emerge, such as those reported in vulnerability databases, threat intelligence feeds, or via coordinated disclosure programs.
Threat modeling is a cross-functional activity that involves software engineers, system architects, cybersecurity experts, quality and regulatory professionals, and sometimes clinicians or end-users. Each stakeholder brings a unique perspective that helps ensure the threat model reflects realistic attack scenarios and operational considerations.
Yes, threat modeling can reduce development costs and regulatory friction by uncovering potential security flaws early in the design process—when fixes are less costly and easier to implement. It also supports a strong submission package by demonstrating proactive cybersecurity management, which helps avoid FDA Refuse to Accept (RTA) responses or requests for additional information.