MITRE, 02.18.22
MITRE and the Medical Device Innovation Consortium (MDIC) are teaming up to improve medical device safety and cybersecurity.
The pair has co-authored and released a playbook to help organizations develop an approach for creating threat models—“Playbook for Threat Modeling Medical Devices.”
“MDIC recognizes that every company has unique challenges when it comes to safety and security of the devices, but it is evident that the cybersecurity is a shared responsibility of a wide range of stakeholders including the patient community, and we need more and more collaborative efforts to increase awareness and scale best practices in this area,” said Pamela Goldberg, MDIC president and CEO.
This new playbook builds upon MITRE’s efforts to help safeguard medical devices and patients from cybercriminals. In October 2020 MITRE published a rubric for applying the Common Vulnerability Scoring System (CVSS) to medical devices, earning qualification by the U.S. Food and Drug Administration (FDA) as a Medical Device Development Tool (MDDT). MITRE partnered with the FDA in October of 2018 to create the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, which outlined a framework for health delivery organizations (HDOs) and other stakeholders to plan for and respond to cybersecurity incidents around medical devices, ensure effectiveness of devices, and protect patient safety.
The FDA has recognized the value of threat modeling as an effective approach to strengthen medical device cybersecurity and safety. To increase knowledge and understanding of threat modeling throughout the medical device ecosystem, FDA engaged with MDIC and MITRE to conduct a series of threat modeling bootcamps for medical device manufacturers in 2020 and 2021 and to subsequently develop a playbook based on the learnings from those convenings. The bootcamps aimed to scale existing threat modeling training to the medical device ecosystem via a "train-the-trainer" approach, creating ambassadors for threat modeling in their respective organizations.
“MITRE is proud to support the FDA’s commitment to medical device cybersecurity and patient safety,” said Kim Warren, vice president, director, Health FFRDC, MITRE. “As a co-author of the Playbook for Threat Modeling Medical Devices, we applied our decades of cybersecurity expertise helping other organizations prepare to defend attacks on their infrastructure. As medical devices increasingly connect to the internet, all private and public stakeholders must continue to prioritize device cybersecurity for patient safety.”
In addition to leveraging learnings from the bootcamps, MITRE and MDIC interviewed cybersecurity experts from medical device manufacturers to distill current practices and strategies for implementing threat modeling into the medical device development lifecycle.
“We are excited about working with MDIC and MITRE on cybersecurity threat modeling to ultimately help medical device manufacturers strengthen their cybersecurity efforts,” said Dr. Suzanne Schwartz, director of the Office of Strategic Partnerships & Technology Innovation at the FDA’s Center for Devices and Radiological Health. “The threat modeling bootcamps and the first-of-its-kind playbook apply scientific methods of threat modeling, leading to safer, more resilient medical devices that improve patient lives.”
MITRE’s mission-driven teams are dedicated to solving problems for a safer world.
Founded in 2012, the Medical Device Innovation Consortium is the first public-private partnership created with the sole objective of advancing medical device regulatory science throughout the total product life cycle. MDIC’s mission is to promote public health through science and technology and to enhance trust and confidence among stakeholders. MDIC works in the pre-competitive space to facilitate the development of methods, tools, and approaches that enhance understanding and improve evaluation of product safety, quality, and effectiveness. Its initiatives aim to improve product safety and patient access to cutting-edge medical technology while reducing cost and time to market.