    Episode 12 · February 18, 2025 · 28m listen · 5,004 words · ~25 min read

    Advanced Threat Modeling in Medical Devices | Ep. 11 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 12 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

    In this episode of The Med Device Cyber Podcast, hosts Christian Espinosa and Trevor discuss the critical practice of threat modeling for medical devices. They emphasize the importance of adopting an attacker's mindset to identify potential entry points and vulnerabilities early in the development lifecycle, moving beyond traditional security approaches that often 'bolt on' security at the end. The conversation covers various entry points, including physical ports, wireless connections, sloppy coding, and supply chain vulnerabilities, highlighting the necessity of considering the device's operational environment, such as hostile hospital networks versus more secure home networks. The hosts delve into prominent threat modeling frameworks like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege), explaining how each element is crucial for identifying different categories of threats, particularly information disclosure, tampering, and denial of service in medical contexts. They differentiate threat modeling from penetration testing, advocating for a white box comprehensive approach over a black box 'realistic' one, especially in medical devices where patient lives are at stake. The episode concludes by stressing the importance of continuous, iterative threat modeling throughout the product lifecycle to build inherently secure medical devices, drawing parallels to real-world security assessments.

    Key takeaways from this episode

    • Threat modeling should be initiated early and conducted often in the medical device development lifecycle, ideally during the requirements phase, rather than attempting to add security as an afterthought.
    • Adopting an attacker's perspective to identify all potential entry points, including physical interfaces, wireless connections, coding practices, and supply chain components, is crucial for comprehensive threat modeling.
    • The operational environment of a medical device, such as a hospital network versus a home network, significantly influences the threat landscape and must be a key consideration in threat modeling.
    • Frameworks like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) provide a structured approach to categorize and address potential threats, helping to identify remediation paths and build more secure products.
    • In medical devices, information disclosure, tampering, and denial of service are often the most impactful threat categories due to their direct implications for patient safety and data privacy.
    • A comprehensive, white box approach to penetration testing, informed by thorough threat modeling, is generally preferred for medical devices over a black box approach due to the high stakes involved with patient well-being.
    • Vulnerability scans are valuable for identifying missing patches and configuration issues across a broad scope, while penetration tests offer a deeper, more accurate depiction of risk by chaining vulnerabilities to assess holistic impact.
    • Security is not a one-time achievement but an ongoing process that requires continuous assessment and adaptation to evolving threats and device applications.
    • Threat modeling should consider the entire 'attack tree,' identifying not just initial vulnerabilities but also subsequent actions an adversary could take and implementing layered defenses at each stage.
    • Analogies between threat modeling and real-world scenarios, such as the risks in one's home environment or encounters with sharks while free diving, can help illustrate the constant need for risk assessment and preparedness.


    Full episode transcript

Hi, welcome back to The Med Device Cyber Podcast. Today, we're going to be talking about threat modeling and how attackers look at a system and how they can break into the system through what we call entry points, which is really what we're doing when we're modeling the threats. It's a very important and often confusing topic for people. I'm Christian Espinosa, the founder of Blue Goat Cyber. We have our co-host here Trevor as well, and Trevor is our CTO and Director of MedTech Cybersecurity. So Trevor, you want to dive in and kind of explain or define? Well, maybe let me ask you how you're doing and where you are today in the world before we dive right into it.

Yeah, I'm doing good today. I think we've both been on a travel kick for the past about six months, and so I'm hoping to close it out soon, but I'm out here in San Francisco for JP Morgan week.

Okay, awesome. Yeah, I'm actually at my home base in Tempe, Arizona. I'll be heading to Vegas on Saturday and driving some fast cars there and doing some daring and dangerous things, you know, like I like to do. I went shooting yesterday. I have a new gun I wanted to dial in the scope on and stuff. So yeah, there you go. I'm prepared for the threats myself. I look at all the entry points of my house and I'm ready in case somebody tries to break in.

So yeah, I think it's funny you mention, you know, Tempe as your home base. My home base is normally Flagstaff, but with how much I end up traveling, you know how your phone will prompt you and say, "Oh, do you want to set your new home location?" For me, that was the Dallas-Fort Worth airport when I got that notification.

That's funny. I always get delayed in Dallas. I don't like flying to Dallas. There's always a storm every time I go there.

It seems like they lost my bag last week, and so I came here with pretty much nothing and just had to go get all new clothes.

Yeah, well, my wife would enjoy that opportunity to buy new clothes and new shoes every opportunity, every chance she gets. You know, it's like we need more closet space. All right, so let's dive into threat modeling. So what exactly is threat modeling? How would you define it?

So threat modeling is trying to understand what can really happen with a device. You're stepping back and getting into the headspace of an attacker, looking at a medical device, an application, a network, whatever it may be, and trying to come up with hypothetical situations of what you can do to essentially try to compromise the system. Really, this is in an effort to try to find initial remediation paths or mitigations, not necessarily remediation since it isn't a proven problem yet, but it helps you build a secure product and build a secure network. It should be done early and often. It shouldn't be done as a one-time thing, but it's something that can help you identify problem points early on and let you design them out of the system.

I hear that quite frequently, that we should do things early and often. Is that the best practice, or is that what people actually do based on our experience?

Well, those are two separate questions. Is it the best practice? Yes, security is not something you can finish with. It's something you need to start with. Is that what happens? No. So more often than not, when we're interacting with a medical device, and it's very easy for this to happen, you know, cybersecurity isn't at the forefront of most companies' minds, especially not a medical company. So it can get pushed to the back or it can slip through the cracks, and cybersecurity isn't the initial focus. And then when it comes time for submission to the FDA and getting regulatory approval, that's when these cracks can start to expand a little bit, and it becomes apparent what was missed. So very often in practice, that's what we end up seeing: manufacturers are not conscious of cybersecurity early enough, and they try to essentially 'bolt it on' at the end, which isn't always a good solution.

Yeah, so you're saying early on in the software development, we should be considering cybersecurity and doing some of that threat modeling as we're coming up with the requirements, before we even start the design. Does that sound correct?

Yeah, we'll go into that requirements phase because I think this is the perfect time to really talk about threat modeling, once you understand what your product needs to do. So we'll say that you have a pacemaker. You're looking at what it's supposed to do from a functional perspective. You know, you look at what it needs to do from a non-functional perspective, so anything around security, anything around the internal flows, and then that lets you figure out what can go wrong there.