Critical Steps: Applying Threat Modeling to Medical Devices

MITRE's Margie Zuk and Penny Chase Discuss FDA's Threat Modeling Playbook
Penny Chase, IT and cybersecurity integrator at MITRE (left) and Margie Zuk, senior principal cybersecurity engineer at MITRE (right)

When applying threat modeling to medical devices, it is important for manufacturers to adopt the approach early in the design stages of their products, say MITRE medical device cybersecurity experts Margie Zuk and Penny Chase, co-authors of the recently released Playbook for Threat Modeling Medical Devices.

"It's thinking about the design from the beginning: What can go wrong? What are we going to do about it? Applying more methodologies to make it more of a practice and sharing tips for what the problem areas are," says Zuk, senior principal cybersecurity engineer at MITRE.

"We're hoping to see a lot more of that happening" among medical device manufacturers, she says in a video interview with Information Security Media Group.

The MITRE playbook, commissioned by the Food and Drug Administration, is agnostic about the various methodologies that can be used to apply threat modeling to medical devices, says Chase, IT and cybersecurity integrator at MITRE, in the same interview.

Using the methodologies "enables you to be more systemic and structured in how you think about 'what could go wrong,'" she says. "People who are designing systems are not necessarily the kinds of people who think about how to attack systems. Threat modeling methodologies provide a way to think about the weaknesses."

Zuk and Chase are leading presentations on medical device threat modeling and defending against ransomware at the Healthcare Information and Management Systems Society conference taking place in Orlando, Florida, on March 14-18.

In the video interview, Zuk and Chase also discuss:

  • Types of organizations that could benefit from use of the threat modeling playbook;
  • Ransomware and other top cyberthreats involving medical devices;
  • Other tips for applying threat modeling to medical devices.

Zuk has more than 35 years of cybersecurity experience. She is currently the cyber engagement lead for healthcare in the Cyber Solutions Technical Center, where she leads MITRE’s support to the U.S. Food and Drug Administration's Center for Devices and Radiological Health on medical device cybersecurity preparedness and response.

Chase works in the Human- and Data-Centered Solutions Technical Center at MITRE. She has led MITRE and government-sponsored projects in numerous cybersecurity and malware threat and analysis efforts, including sharing healthcare fraud data and applying natural language processing to medical device adverse event reports. Chase supports MITRE’s FDA projects on medical device cybersecurity.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
