.png)
One of our most popular white papers was written 2 years ago. It detailed the methodology we at Promenade Software use to threat model the systems we develop. With only minor adjustments, we still use that methodology for our submissions today, under the new FDA guidance.
There are several different modeling techniques available. The Threat Model used at Promenade is an Asset-Oriented Risk Assessment Approach from AAMI TIR57, Principles for Medical Device Security - Risk Management. After reviewing other approaches that were designed for commercial applications or IT systems, we chose this methodology for its direct applicability for medical devices and its clear, systematic approach. This methodology’s strength is in identifying which assets are at the highest risk and need immediate attention, allowing for a prioritized approach to security measures. If used well it provides comprehensive coverage of the system, ensuring that all critical assets are considered, reducing the likelihood of overlooking important components.
Below (Figure 1) is a diagram of the threat modeling and risk assessment process we will discuss.
Our first step is to identify the assets of the system. Assets are basically anything with value needed to use the device for its intended purpose and to keep the device operating safely and securely. Examples of assets include patient data, configuration parameters, treatment parameters, the operating system, software image, and stored authentication and cryptographic credentials (passwords, certificates, tokens, and keys). Assets also include physical resources, such as the network, device memory, and I/O. Assets should also include the broader use environment, such as an HDO (Health Delivery Organization) network. We want to make sure a device vulnerability is not used as the attack vector on the HDO network.
Rate the adverse impact due to compromise of the assets’:
We use a rating score of 1-9 (negligible-critical) for the impact. This value will be part of the risk priority calculation in step 5.
For each Asset, identify the potential Vulnerabilities (source of attack) that could be used to compromise the Asset. Potential vulnerabilities include your communications interfaces, bugs, known vulnerabilities in third party software, users, debug interfaces, tools used in deployment (etc.). Vulnerabilities should be considered in the context of the use environment, the supply chain, deployment process, and maintenance and update activities. For example, if online tools are used for the build, what vulnerabilities could exist there? If the user environment is inherently hostile (eg. hospital networks), assume that an attacker could control the network.
Determine the Threat. Document the scenario by which the asset is compromised and the resultant threat. Then, to rate the threat likelihood, we use a combination of the skill level required of an attacker, and the ease of discovery and exploitation. The threat actor skill level is rated from state actors with almost unlimited resources (1) to actors with limited knowledge who just use what is freely available (9). We rate the Ease of Discovery from practically impossible (1) to automated (9) and Ease of Exploit from theoretical (1) to automated (9). The mean of these values determines the likelihood.
To calculate risk, we multiply Impact by Threat Likelihood to get a Risk Priority Number (RPN). The tables below (Figures 2 and 3) determine the acceptability of the risk.
This process is used pre- and post-mitigation (after a control is applied) as part of the Risk Assessment.
This asset-oriented threat model can create a structured and effective approach to securing our clients’ critical assets, ensuring a strong and resilient security framework.
Need help? Promenade Software can help you through this and other Cybersecurity regulatory documentation. We provide templates and consulting to guide you through the process.
