- Medtech companies must design and develop devices that "have far more robust security built in" to keep pace with emerging cybersecurity threats and vulnerabilities, said Suzanne Schwartz, director of CDRH's Office of Strategic Partnerships and Technology Innovation. To do that, Schwartz says medtechs need better threat models that lay out what hackers might do to target a device and how to protect it.
- While FDA encourages adoption of threat modeling throughout the medical device lifecycle, the models are essential to a successful premarket review to ensure adequate security, said Schwartz, who gave a presentation at last week's HIMSS21 conference on FDA's efforts to bolster device cybersecurity. To help companies, the agency has provided funding to MITRE to develop a playbook to be released later this year with the aim of improving device makers' approaches to these critical models.
- Schwartz is the latest CDRH official in recent months to warn about lackluster threat models from medtechs. Kevin Fu, CDRH's acting director of medical device cybersecurity, in May told the Food & Drug Law Institute conference that companies must do a better job and that FDA "has denied premarket clearance based solely on cybersecurity concerns for medical devices."
FDA in 2018 issued updated draft guidance describing the design and development factors that manufacturers should consider to assure medical device security. Threat modeling is specifically called out as a critical issue that medtechs should address in preparing premarket submissions.
The agency recommends a "threat model that includes a consideration of system level risks, including but not limited to risks related to the supply chain (e.g., to ensure the device remains free of malware), design, production, and deployment (i.e., into a connected/networked environment)." FDA's recommendations also include a "specific list of all cybersecurity risks that were considered in the design" of a manufacturer's device.
The problem, according to FDA officials, is that companies are often falling short when it comes to appropriate threat modeling and premarket testing needed to assess the adequacy of medical device security.
Schwartz told MedTech Dive it's critical that manufacturers incorporate security controls into the designs of their devices and include "rigorous and methodologically sound" threat models that take into consideration all potential cyber risks from hackers, who are growing in sophistication and are increasingly brazen in their tactics.
"That is why we have invested in the threat modeling work with MITRE," Schwartz said, who noted that there has been "a real type of gap in terms of [medtechs] understanding what kinds of questions are appropriate to ask" in putting together sound threat models to avoid current cybersecurity vulnerabilities.
MITRE's threat modeling playbook will be published later in 2021. The document will include strategies for integrating threat modeling into business processes based on stakeholder current practices, as well as tools and methodologies for consideration by companies.
"It's not a guidance, however," Schwartz emphasized. "We are not being prescriptive with respect to how a manufacturer should step by step go through threat modeling."
At the same time, Schwartz said FDA "will be looking for much more detailed and comprehensive threat modeling as part of the clearance or approval process for medical devices."
FDA sponsored a series of threat modeling "boot camps" for manufacturers and agency reviewers, in collaboration with MITRE, the Medical Device Innovation Consortium and Adam Shostack & Associates, meant to develop experts within the industry who can train others on appropriate threat models.
Schwartz said the concept of MITRE's threat modeling playbook is to "take the best" of those boot camps and to "institutionalize" the content and lessons learned by broadly disseminating it to the medtech industry.