Threat Modeling for Medical Devices
Threat modeling is the foundation of every credible cybersecurity submission - and the section reviewers scrutinize most. This hub collects our threat modeling service, FDA-aligned methodology, the 12 gaps we see most often, and how STRIDE maps to AAMI SW96 risk management.

A submission-grade threat model produces traceable artifacts at four layers:
- a system and data-flow decomposition that names every trust boundary, asset, and external interface;
- a STRIDE-per-element analysis that enumerates spoofing, tampering, repudiation, information disclosure, denial-of-service, and elevation-of-privilege threats against each component;
- a risk evaluation that scores likelihood and harm severity using the device's intended-use and use-environment context, including multi-patient and fleet-level harm scenarios reviewers now expect under the FDA February 2026 final guidance;
- a mitigation traceability matrix that maps every accepted threat to a security control, a verification test, and a residual-risk entry in the ISO 14971 risk file.

Threat models that skip the trust-boundary map, treat the device as a single black box, or omit multi-patient harm are the single most common driver of first-cycle cybersecurity Additional Information letters. AAMI SW96 is now the bridge reviewers expect between the security threat analysis and the safety risk file, and a threat model that doesn't carry threats into the SW96 risk register reads as incomplete regardless of how thorough the STRIDE work is.
Services
- Medical Device Threat Modeling
Comprehensive threat modeling per FDA Section V.A.1 - covering supply chain, deployment, environment of use, and decommission risks for the full device system.
- Secure MedTech Product Design
Architecture review, control selection, and secure development guidance from concept through V&V - aligned with FDA's Secure Product Development Framework.
- Full-Service FDA Premarket Cybersecurity
Full-service, end-to-end: we deliver 100% of the artifacts FDA reviewers expect for 510(k), De Novo, PMA, and IDE submissions - traceable, complete, and aligned with current 524B guidance.
In-depth guides
- 12 Critical Threat-Modeling Gaps in Submissions
A practical, ungated guide to the threat modeling gaps that trigger FDA cybersecurity questions in 510(k), De Novo, and PMA submissions - and exactly how to close them before reviewers find them.
- The SPDF Playbook
A practical, ungated guide to building a Secure Product Development Framework (SPDF) that FDA accepts, the eight pillars, the artifacts each one produces, and a pre-submission readiness checklist you can score yourself against.
Standards & guidance
Defined entries from our MedTech Cybersecurity Standards Glossary.
- ANSI/AAMI SW96: Medical Device Security Risk Management
The consensus standard for medical device security risk management - asset, threat, vulnerability, likelihood, severity, and residual risk acceptability.
- AAMI TIR57: Principles for Medical Device Security - Risk Management
The MedTech-specific extension of ISO 14971 for cybersecurity. Defines how to identify cybersecurity assets, threats, and vulnerabilities, then estimate, evaluate, and control the resulting risk.
- ISO 14971: Medical Device Risk Management
The umbrella risk-management standard for medical devices. Defines hazard identification, risk estimation, risk evaluation, risk control, and residual risk evaluation. Cybersecurity risks must be reconciled here so a security control never silently introduces a safety hazard.
- SPDF: Secure Product Development Framework
A documented framework that shows security activities are integrated across the device lifecycle - not bolted on at the end. Includes secure requirements, threat modeling, secure coding, V&V, vulnerability management, and post-market response.
- FDA 2026 Guidance: FDA Premarket Cybersecurity Guidance (Feb 3, 2026)
The FDA's final premarket cybersecurity guidance, effective February 3, 2026. Defines the seven-section cybersecurity submission format reviewers now enforce at Technical Screening, replacing the 2023 draft. Operationalizes Section 524B of the FD&C Act.
From the blog
- Threat Modeling Connected & Implantable Devices
If you're asking how to conduct a cybersecurity threat model for a connected or implantable medical device, the first thing to understand is that this is.
- AAMI TIR57 Risk Management for Medical Devices
A practical guide to AAMI TIR57 (R2023) and how it supports FDA’s Feb 2026 cybersecurity guidance - risk analysis, controls, and evidence.
- A Guide to FMEA for Medical Devices
Learn FMEA for medical devices with practical examples - including cybersecurity failure modes - so QA/RA and engineering teams can prioritize risk and.
Related FDA deficiencies
The deficiency letters reviewers most often write on submissions in this topic area. Each links to the full response playbook.
- Incomplete Threat Model
Reviewers say your STRIDE/attack-tree analysis misses interfaces, trust boundaries, or post-market threat surfaces.
Response playbook
- Missing Cybersecurity Risk Assessment
Reviewers cannot find a cybersecurity risk assessment distinct from the ISO 14971 safety risk file, or the integration is unclear.
Response playbook
- Missing Security Architecture Views
Your submission is missing one or more of the architecture views FDA 2026 expects (global system, multi-patient, updateability).
Response playbook
- Insufficient Penetration Testing Evidence
Reviewers find your penetration test scope too narrow, methodology unclear, or testers insufficiently independent.
Response playbook