“What Could Possibly Go Wrong?” Attending MDIC’s Threat Modeling Bootcamp

Last week, the Medical Device Innovation Consortium (MDIC) held the first of two planned bootcamps where medical device manufacturers, health delivery organizations, cybersecurity subject matter experts, and the FDA came together to learn and discuss all things threat modeling. Attendees spent most of their time learning and practicing threat modeling offline and reviewing their homework live during cross-sectional small groups. For those who missed out, MDIC is still accepting applications for the second bootcamp set to occur in late 2020 or early 2021.

The bootcamp served as a great refresher course on threat modeling foundations. For those uninitiated to threat models, I recommend “Threat Modeling: Designing for Security,” written by bootcamp presenter, Adam Shostack. While the substance of the bootcamp parallels the early chapters of his book, even those already intimately familiar with the work should consider attending to review and clarify concepts in direct dialogue with the author.

With the audience consisting almost entirely of experts in the healthcare space, it was a surprise that the bootcamp was not focused on threat modeling for medical devices but instead explored threat modeling more generally. Steering the exercises away from medical devices was deliberate as to ensure no single therapy area dominated discussion and avoid “thorny” issues. Yet, this seemed like an extraordinary missed opportunity to enlist subject matter experts of the community assembled under one digital roof to confront challenges uniquely faced by the medical device industry.

My experience, having performed threat modeling for several years, has been that certain challenges only become apparent once you start to get your hands dirty with the process. These challenges are especially true of threat modeling as part of a holistic approach to assessing and mitigating cybersecurity risks throughout a product’s lifecycle. During the homework reviews each day, my small group broke into tangents on how the presented threat modeling topics and processes may need to be catered for medical devices. Attendees with experience threat modeling were able to offer insight in how to apply the lessons to meet the needs of device manufacturers. Although these discussions felt like a deviation from the daily agenda, it is where I felt the most value in the bootcamp.

I echo bootcamp facilitator Charles Wilson that “overall, the training was successful.” The training was a good initial exposure to threat modeling for a significant number of participants. MDIC has solicited feedback on the first bootcamp, and I am hopeful that the next event will place a greater emphasis on threat modeling specifically for medical devices. Still, many attendees expressed a current need for clear guidance on how to effectively integrate threat modeling into their product lifecycle to meet FDA expectations. While MDIC plans to release a threat modeling playbook sometime in 2021, manufacturers need clarity and direction now. Some lingering areas of confusion where I see the greatest urgency for guidance include:

• How does threat modeling contribute to a risk-based approach to the design and development of appropriate cybersecurity protections for medical devices?
• How detailed should a threat model be?
• How can we extract the most value out of our threat models during different stages of the product lifecycle?

Until the playbook is released, these questions remain challenging or unanswered for many in the industry.