Blue Goat Cyber

Threat Modeling for Medical Devices


Threat modeling is an essential step in the security process that identifies what can go wrong with a given system. It is meant to be a broad and flexible process for mapping out risk in various areas: cybersecurity, physical security, and medical device security, to name a few. Applying different frameworks and approaches makes it much easier to map out potential threats comprehensively and find ways to remediate them. It is an often overlooked step in the security process that provides immense value.

Identifying Vulnerabilities in Medical Devices

The high-level function of threat modeling is to harden the security of the tested device. To do this, fixes for security flaws must be implemented, and to do that, the flaws themselves must be identified. The initial stages of threat modeling involve analyzing the device and working down through what could happen to each aspect of it, including aspects outside the manufacturer’s control. A great way to begin this process is by breaking down exactly what is happening with the medical device, both physically and digitally.

Mapping out the various aspects of the device through discussion and collaboration with the manufacturer will give the tester a good idea of what can be done. Testers need to get in the headspace of bad guys. How can the most damage be done? How can the most information be acquired? These questions will begin to guide the tester to potential vulnerabilities. Seeing how various systems interact with each other can lead to the discovery of many types of flaws that may even be missed by simply looking at the individual parts.

Many tools and frameworks have been developed to help with this process. Diagrams that show where everything lies physically and virtually, and how important functions operate, help to create a picture of the device. Data Flow Diagrams (DFDs), swim lane diagrams, and attack trees do this well and can be a good first step before digging deeper. Threat modeling is a cyclical process, and diagram creation will be constantly revisited.
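As an added illustration (not part of the original article or any Blue Goat Cyber tooling), a DFD can be kept as data and reviewed automatically: the sketch below flags flows that cross a trust zone without encryption or authentication, and reports gaps in the diagram itself. The infusion pump model, its element names, and the zone labels are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str
    encrypted: bool
    authenticated: bool

# Constructed model of a hypothetical infusion pump; all names are illustrative.
ZONES = {  # element -> trust zone
    "pump_firmware": "device",
    "bedside_display": "device",
    "clinician_tablet": "hospital_lan",
    "ehr_gateway": "hospital_lan",
    "vendor_update_server": "internet",
    "service_port": "physical",
}
FLOWS = [
    Flow("pump_firmware", "bedside_display", "dose status", False, False),
    Flow("clinician_tablet", "pump_firmware", "dose orders", True, True),
    Flow("pump_firmware", "ehr_gateway", "infusion logs", False, True),
    Flow("vendor_update_server", "pump_firmware", "firmware image", True, False),
    Flow("pump_firmware", "cloud_analytics", "telemetry", True, True),
]

def review_dfd(zones, flows):
    """Return (boundary_findings, undefined_elements, unconnected_elements)."""
    boundary, undefined, seen = [], set(), set()
    for f in flows:
        seen.update((f.src, f.dst))
        missing_defs = {e for e in (f.src, f.dst) if e not in zones}
        if missing_defs:
            undefined |= missing_defs  # diagram gap: flow touches an unmodeled element
            continue
        if zones[f.src] == zones[f.dst]:
            continue                   # flow stays inside one trust zone
        missing = [c for c, ok in (("encryption", f.encrypted),
                                   ("authentication", f.authenticated)) if not ok]
        if missing:
            boundary.append((f.src, f.dst, f.data, missing))
    unconnected = sorted(set(zones) - seen)  # modeled, but no flow drawn yet
    return boundary, sorted(undefined), unconnected

if __name__ == "__main__":
    boundary, undefined, unconnected = review_dfd(ZONES, FLOWS)
    for src, dst, data, missing in boundary:
        print(f"{src} -> {dst} ({data}): missing {', '.join(missing)}")
    print("undefined elements:", undefined)
    print("elements with no flows:", unconnected)
```

Elements reported as undefined or unconnected are prompts to revisit the diagram with the manufacturer, not findings against the device.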

Aside from using diagrams, it can be helpful to fill out certain checklists. MDS2 forms were created with the original purpose of allowing manufacturers to show security information to potential customers and regulatory agencies, though they also work well for security testers. These forms can help to identify potential weaknesses and save time that might be wasted attacking something that is not there.

Remediation of Discovered Vulnerabilities

Once vulnerabilities have been identified, the next step is to test potential attacks and implement controls to prevent these attacks. Following the diagrams created earlier, a clear path is mapped out for testers to try various attacks. Depending on the success of these attacks, it may often be worth revisiting earlier diagrams with newly discovered information. Discovery of vulnerabilities often takes specialized tools and techniques unique to each individual device.

Implementing fixes requires a delicate balance at times. In a perfect world, users could be expected to follow every possible security requirement. In the real world, this often leads to disruption of normal operations and frustration for the user. A user will be able to remember a password longer than 8 characters, but it might be too much to remember one longer than 20, despite the massively increased security. While this is a simple example, the same general concept applies to more complex areas.

As before, this is when communication with the manufacturer provides massive value. The testers will work with the device’s manufacturers to develop good solutions that do not excessively impact the normal flow of operations. In many cases, security controls are more important than usability, especially with devices used in a medical capacity. In these cases, it is important to work to find a good solution to accommodate some potential disruption in the name of safety.

An extremely important final step is reviewing the threat model for completeness. Even with seasoned security professionals, small details can slip through the cracks and go unnoticed. These can potentially stack up and lead to massive security flaws. Careful review throughout the process to ensure that all best practices are followed and that everything is kept up to the highest standards will lead to far more comprehensive security.

Perform Your Medical Device Testing With Blue Goat Cyber

Our team has years of experience testing medical devices and ensuring maximum security before going to market. We can work with your team to find solutions to keep your devices secure and your customers safe from cyber attacks. Contact us to schedule a consultation and find the right solution for your organization.
