Episode 3 · February 18, 2025 · 28m listen · 5,210 words · ~26 min read
Advanced Threat Modeling in Medical Devices | Ep. 11 - Full Transcript | The Med Device Cyber Podcast
Read the complete, searchable transcript of Episode 3 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.
Episode summary
In this episode of The Med Device Cyber Podcast, hosts Christian Espinosa, founder of Blue Goat Cyber, and Trevor Slattery, the company's CTO, provide a comprehensive introduction to the concept of threat modeling in the context of medical device cybersecurity. They define threat modeling as a proactive process of adopting an attacker's mindset to systematically identify and analyze potential threats, vulnerabilities, and entry points within a system. This crucial practice allows developers to build security into a device from the very beginning of its lifecycle. The hosts emphasize that threat modeling is not a one-time activity but should be conducted 'early and often,' starting from the initial requirements and design phases, rather than being treated as an afterthought or a last-minute compliance check before regulatory submission to bodies like the FDA. They argue that this 'bolt-on' approach to security is far less effective and more costly to remediate than designing for security from the ground up.
The discussion delves into the practical aspects of threat modeling, starting with the identification of 'entry points', the various ways an attacker could gain access to a system. Espinosa and Slattery clarify that these are not limited to physical ports like USB or wireless interfaces like Bluetooth and Wi-Fi, but also include non-physical avenues such as software vulnerabilities in custom code and, critically, weaknesses within the supply chain, like compromised third-party libraries. The hosts introduce established frameworks to structure the threat modeling process. They highlight the MITRE Playbook for Threat Modeling Medical Devices and its four foundational questions (the four questions popularized by Adam Shostack): What are you building? What can go wrong? What are you going to do about it? And did you do a good job? To address 'what can go wrong,' they break down the widely used STRIDE framework, which categorizes threats into Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. They explain how the specific risks and priorities shift depending on the medical device's function; for instance, Information Disclosure is the primary concern for an Electronic Medical Record (EMR) system, whereas Denial of Service or Tampering is most critical for a life-support machine, where patient safety is directly at risk.
Key takeaways from this episode
Threat modeling is the process of proactively identifying potential threats by thinking like an attacker to build more secure systems from the ground up.
For maximum effectiveness, threat modeling should be integrated 'early and often' into the software development lifecycle, starting with the requirements phase.
Attack entry points include not only physical and wireless interfaces but also software vulnerabilities and weaknesses in the supply chain, such as third-party code.
Frameworks like STRIDE help systematically categorize threats by their potential outcomes, such as Tampering, Information Disclosure, or Denial of Service.
The most critical security threats are context-dependent; a life-support device's biggest risk is denial of service, while a data management system's is information disclosure.
A penetration test provides a more holistic view of risk than a vulnerability scan by actively chaining vulnerabilities to demonstrate real-world impact.
Cybersecurity for medical devices cannot be an afterthought; security controls must be designed in, not 'bolted on' at the end of development.
Understanding a device's intended use environment, whether it's a relatively secure home network or a hostile hospital network, is crucial for effective threat modeling.
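To make the STRIDE discussion above concrete, here is an added example of "threat model as code" that is not from the podcast or from Blue Goat Cyber. It builds a small data-flow diagram (DFD) of a hypothetical infusion pump, applies the STRIDE-per-element convention from the Microsoft SDL (external entities get S and R; processes get all six; data stores get T, R, I, D; data flows get T, I, D), doubles the weight of anything that is an attacker-reachable entry point (USB, Bluetooth, a third-party BLE stack from the supply chain), and then ranks the results under two device profiles. The element list, the profile names `life_support` and `emr`, and all impact weights are constructed assumptions for illustration; they are not a published scoring scheme.

```python
"""STRIDE-per-element threat enumeration for a medical device DFD.

Added example, not code from the podcast or Blue Goat Cyber. The
element-to-category mapping follows the Microsoft SDL STRIDE-per-element
convention; the sample DFD, the device profiles and the impact weights
are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from enum import Enum


class Stride(Enum):
    S = "Spoofing"
    T = "Tampering"
    R = "Repudiation"
    I = "Information Disclosure"
    D = "Denial of Service"
    E = "Elevation of Privilege"


# STRIDE-per-element: which categories apply to which kind of DFD element.
APPLICABLE = {
    "external": {Stride.S, Stride.R},                      # users, peers
    "process":  set(Stride),                                # running code
    "store":    {Stride.T, Stride.R, Stride.I, Stride.D},   # data at rest
    "flow":     {Stride.T, Stride.I, Stride.D},             # data in transit
}

# Hypothetical impact weights per device profile (1 = nuisance, 5 = patient
# safety). A life-support device cares most about availability and integrity;
# an EMR cares most about confidentiality. These numbers are assumptions.
PROFILES = {
    "life_support": {Stride.D: 5, Stride.T: 5, Stride.E: 4,
                     Stride.S: 3, Stride.I: 2, Stride.R: 1},
    "emr":          {Stride.I: 5, Stride.T: 4, Stride.E: 4,
                     Stride.S: 3, Stride.R: 3, Stride.D: 2},
}


@dataclass
class Element:
    name: str
    kind: str                 # one of the APPLICABLE keys
    entry_point: bool = False  # reachable by an attacker from outside the device


@dataclass(order=True)
class Threat:
    score: int
    element: str
    category: str


# Constructed DFD for a hypothetical infusion pump. The third-party BLE stack
# is the supply-chain entry point the hosts warn about: attacker-reachable code
# the manufacturer did not write.
SAMPLE_DFD = [
    Element("Clinician touchscreen", "external", entry_point=True),
    Element("Bluetooth pairing link", "flow", entry_point=True),
    Element("Third-party BLE stack", "process", entry_point=True),
    Element("Dose controller", "process"),
    Element("Drug library", "store"),
    Element("USB service port", "flow", entry_point=True),
]


def enumerate_threats(elements, profile):
    """Apply STRIDE-per-element and rank by profile weight, highest first.

    Entry points count double because an attacker can reach them without
    first compromising something else.
    """
    weights = PROFILES[profile]
    threats = []
    for e in elements:
        if e.kind not in APPLICABLE:
            raise ValueError(f"unknown DFD element kind: {e.kind!r}")
        for cat in APPLICABLE[e.kind]:
            score = weights[cat] * (2 if e.entry_point else 1)
            threats.append(Threat(score, e.name, cat.value))
    return sorted(threats, reverse=True)


def top_categories(elements, profile):
    """Return the set of STRIDE categories that share the highest score."""
    ranked = enumerate_threats(elements, profile)
    best = ranked[0].score
    return {t.category for t in ranked if t.score == best}


if __name__ == "__main__":
    for profile in PROFILES:
        print(f"== {profile} ==")
        for t in enumerate_threats(SAMPLE_DFD, profile)[:6]:
            print(f"  {t.score:>2}  {t.element:<24} {t.category}")
```

Running it shows the context dependence from the takeaways: under `life_support` the top of the list is Tampering and Denial of Service on the USB port, the Bluetooth link and the BLE stack, while under `emr` the same DFD ranks Information Disclosure on those entry points first. The ranked list is the "what can go wrong" answer; each row still needs a mitigation decision and a check that it was done, which are the playbook's third and fourth questions.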
Full episode transcript
Christian: Hi, welcome back to the Med Device Cyber Podcast. Today we're going to be talking about threat modeling and how attackers look at a system and how they can break into the system through what we call entry points, which is really what we're doing when we're modeling the threats. And it's a very important and often confusing topic for people.
I'm Christian Espinosa, the founder of Blue Goat Cyber. We have our co-host here, Trevor, as well. And Trevor is our CTO and director of Medtech Cyber Security.
So, Trevor, you want to dive in and kind of explain or define, uh, well, maybe let me ask you how you're doing and where you are today in the world before we dive right into it.
Trevor: Yeah, I'm doing good today. I think we've both been on a travel kick for the past about six months and so uh I'm hoping to close it out soon, but I'm out here in San Francisco for JP Morgan week.
Christian: Okay, awesome. Yeah, I'm actually at my home base in Tempe, Arizona. I'll be heading to Vegas on Saturday, uh, and driving some fast cars there and doing some karting and doing some dangerous things, you know, like I like to do. Went shooting yesterday. I have a new gun I wanted to dial in the scope on and stuff, so.
Trevor: Yeah. There you go.
Christian: I'm uh, you know, prepared for the threats myself. I look at all the entry points of my house and I'm ready, ready in case somebody tries to break in. So.
Trevor: Yeah, I think it's funny you mention, you know, Tempe as your home base. Like, my home base is normally Flagstaff, but, uh, with how much I end up traveling, you know how your phone will prompt you and say, "Oh, do you want to set your new home location?" For me that was the Dallas Fort Worth Airport when I got that notification.
Christian: That's funny. I always get delayed in Dallas. I don't like flying through Dallas. There's always a storm every time I go there, it seems like.
Trevor: They lost my bag last week, and so I came here with pretty much nothing and just had to go get all new clothes.
Christian: Yeah, well, uh, my wife now would enjoy that opportunity of buying new clothes. Buy new shoes and new clothes. Every chance she gets, you know. It's like we need more closet space.
All right, so let's dive into threat modeling. So what exactly is threat modeling? How would you define it?
Trevor: So threat modeling is trying to understand what can really happen with a device. Um, you're stepping back and getting into the head space of an attacker, looking at a medical device, an application, a network, whatever it may be and trying to come up with hypothetical situations of what you can do to essentially try to compromise the system.
Um, really this is in an effort to try to find initial remediation paths or mitigations. Not necessarily remediations, since it isn't a proven problem yet. But it helps you build a secure product and build a secure network. Uh, it should be done early and often. It shouldn't be done as a one-time thing, but it's something that can help you identify problem points early on and let you design them out of the system.
Christian: I hear that quite frequently that we should do things early and often. Is that the best practice or is that what people actually do based on, you know, our experience?
Trevor: Well, those are two separate questions. Uh, is it the best practice? Yes. Security is not something you can finish with, it's something you need to start with. Is that what happens? No.
So more often than not when we're interacting with a medical device, and it's very easy for this to happen, you know, cyber security isn't at the forefront of most companies' minds, especially not a medical company. So, it can get pushed to the back or it can slip through the cracks and cyber security isn't the initial focus. And then when it comes time for submission to the FDA and getting regulatory approval, that's when these cracks can start to expand a little bit and it becomes apparent what was missed.
So, very often in practice, that's what we end up seeing is manufacturers are not conscious of cyber security early enough and they try to essentially bolt it on at the end, which isn't always a good solution.
Christian: Yeah, so you're saying early on in the software development, we should be considering cyber security and doing some of that threat modeling as we're coming up with the requirements, uh, before we even start the design. It sounds like.