This Playbook was prepared by The MITRE Corporation and the Medical Device Innovation Consortium using funds from the U.S. Food and Drug Administration in November 2021. Download playbook here: Playbook-for-Threat-Modeling-Medical-Devices-2021
The playbook is not prescriptive in that it does not describe one approach to be used when threat modeling medical devices. It is intended to serve as a resource for developing or evolving a threat modeling practice. The playbook is agnostic about specific methodologies, and instead focuses on the values and principles articulated in the manifesto and illustrates how different methodologies can be used, alone or in combination, to answer four key questions:
- What are we working on?
- What can go wrong?
- What are we going to do about it?
- Did we do a good enough job?
This should be helpful in establishing security architecture, particularly with identification and prioritization of security controls that may be implemented within medical devices and within a Health Delivery Organization’s (HDO) network infrastructure to improve cyber risk management. For example, one should identify generic functional and network components that are used at a high-level within architecture. Both the Medical Device Manufacturers (MDM) and HDOs could use these to develop threat models to identify threat boundaries and responsibility for securing different parts of the architecture.