Critical Steps: Applying Threat Modeling to Medical Devices
MITRE's Margie Zuk and Penny Chase Discuss FDA's Threat Modeling Playbook
When applying threat modeling to medical devices, it is important for manufacturers to adopt the approach early in the design stages of their products, say MITRE medical device cybersecurity experts Margie Zuk and Penny Chase, co-authors of the recently released Playbook for Threat Modeling Medical Devices.
"It's thinking about the design from the beginning: What can go wrong? What are we going to do about it? Applying more methodologies to make it more of a practice and sharing tips for what the problem areas are," says Zuk, senior principal cybersecurity engineer at MITRE.
"We're hoping to see a lot more of that happening" among medical device manufacturers, she says in a video interview with Information Security Media Group.
The MITRE playbook, commissioned by the Food and Drug Administration, is agnostic about the various methodologies that can be used to apply threat modeling to medical devices, says Chase, IT and cybersecurity integrator at MITRE, in the same interview.
Using the methodologies "enables you to be more systemic and structured in how you think about 'what could go wrong,'" she says. "People who are designing systems are not necessarily the kinds of people who think about how to attack systems. Threat modeling methodologies provide a way to think about the weaknesses."
Zuk and Chase are leading presentations on medical device threat modeling and defending against ransomware at the Healthcare Information and Management Systems Society conference taking place in Orlando, Florida on March 14-18.
In the video interview, Zuk and Chase also discuss:
- Types of organizations that could benefit from use of the threat modeling playbook;
- Ransomware and other top cyberthreats involving medical devices;
- Other tips for applying threat modeling to medical devices.
Zuk has more than 35 years of cybersecurity experience. She is currently the cyber engagement lead for healthcare in the Cyber Solutions Technical Center, where she leads MITRE’s support to the U.S. Food and Drug Administration's Center for Devices and Radiological Health on medical device cybersecurity preparedness and response.
Chase works in the Human- and Data-Centered Solutions Technical Center at MITRE. She has led MITRE and government-sponsored projects in numerous cybersecurity and malware threat and analysis efforts, including sharing healthcare fraud data and applying natural language processing to medical device adverse event reports. Chase supports MITRE’s FDA projects on medical device cybersecurity.