Medical Device Threat Modeling Starter Kit

Why this matters

The FDA's 2026 final premarket guidance and AAMI TIR57:2016/(R)2023 both require a structured, documented threat model. Reviewers reject generic 'STRIDE applied to a SaMD' write-ups. This kit gives you a repeatable methodology you can run on your own device today and present to a reviewer with confidence.

Key takeaway: A threat model is not a one-time deliverable. It is a living artifact that gets updated every time the architecture changes - new interface, new dependency, new deployment target.

The five-step methodology

• Step 1 · Scope - define system boundary, in-scope components, primary and supporting assets.
• Step 2 · Decompose - DFD with processes, data stores, external entities, trust boundaries.
• Step 3 · Enumerate - STRIDE-per-element + attack trees for high-value flows.
• Step 4 · Rate - CVSS v3.1 + clinical impact, mapped to ISO 14971 risk levels.
• Step 5 · Mitigate & trace - link each threat to security requirement, design control, V&V test case.

Device-specific threats to walk through (sample)

• Can the device be impersonated to its peers (cloud, gateway, paired devices)?
• Can wireless protocols (BLE, Wi-Fi, cellular, NFC) be jammed, replayed, or downgraded?
• Is the JTAG/SWD/UART debug interface disabled in production builds?
• Can the firmware update mechanism install unsigned or downgraded firmware?
• For AI/ML SaMD: data poisoning, model inversion, adversarial inputs, prompt injection?

What's in the full PDF

• Full STRIDE quick reference with medical-device mitigations
• 13-point device-specific threat checklist (every interface and data flow)
• Attack-tree skeleton for 'deliver unauthorized therapy command'
• Traceability matrix template (10 reviewer-required columns)
• Common mistakes that get flagged in FDA review