Attacks and Vulnerabilities
Medical
News
Threat Landscape

MITRE releases playbook for threat modeling across medical device ecosystem

December 01, 2021
threat modeling

MITRE released guidance to the healthcare sector in the form of a playbook to increase knowledge of threat modeling throughout the medical device ecosystem. The organization said on Tuesday that it seeks to use the playbook to strengthen the cybersecurity and safety of medical devices.

Titled ‘Playbook for Threat Modeling Medical Devices,’ the MITRE playbook provides insights on how an organization can develop or evolve an approach to creating threat models in a systematic and consistent way to achieve its security objectives.

Medical devices have become increasingly complex systems that exist in connected ecosystems of healthcare delivery, according to MITRE. Standard security controls can ensure some baseline security capabilities, but they fail to address the myriad of ways medical devices are used, interface with the healthcare ecosystem, and how security risks could result in unacceptable safety issues.

MITRE operates as a not-for-profit concern and works in the public interest across federal, state and local governments, and industry and academia. It delivers ideas across a range of areas, including artificial intelligence, intuitive data science, quantum information science, health informatics, space security, policy, and economic expertise, trustworthy autonomy, cyber threat sharing, and cyber resilience.

The MITRE resource is intended to serve as a resource for developing or evolving a threat modeling practice. The playbook is not prescriptive in that it does not describe one approach to be used when threat modeling medical devices but focuses on general threat modeling principles. In addition, the playbook provides insights on how an organization can develop or evolve an approach to creating threat models systematically and consistently to achieve those objectives.

The playbook brings in threat modeling through the ‘four questions framework,’ which describes several threat modeling methodologies and how they can be used within the framework. MITRE presented an end-to-end fictional medical device example, along with additional examples used to highlight specific considerations when threat modeling medical devices. It also looks into how threat modeling interacts with security and safety risk management and provides some strategies for integrating threat modeling into business processes based on current stakeholder practices. 

When threat modeling medical devices, it is essential to consider harms beyond physical injury and patient harm that could be directly caused by the device, MITRE said. Since medical devices operate in networked clinical environments, an attack against a device may lead to a broader set of harms, including data breaches, disruption of clinical operations, and opportunities for pivoting into a hospital’s IT infrastructure. 

The MITRE guidance identifies that threat modeling is a ‘team sport’ that is most effective when conducted by cross-disciplinary teams, bringing together expertise in traditional medical device development (safety perspective) and cybersecurity product development (security perspective). 

Threat modeling takes place throughout the lifecycle. Threat modeling begins at the concept/early design when the greatest flexibility exists to impact the product’s design to improve its safety and security, according to MITRE. But threat modeling does not stop there since it is a process that is carried throughout development and deployment. Best practices encourage organizations to continually update their threat models based on what is learned from development testing and validation and then from feedback, field monitoring, and complaint handling postmarket. 

Threat modeling also zeroes in on threats that could adversely impact the safety and security of a medical device, the guidance said. Threat modeling is an information-generating process that informs quality processes activities. Creating a threat model is not a paperwork exercise to check a compliance box. Instead, the threat model informs decisions about design, development, testing, and postmarket activities. It serves to document those decisions for internal stakeholders, customers, and regulatory reviewers, it added.

The MITRE resource follows data released by the U.S. Department of Health & Human Services’ Health Sector Cybersecurity Coordination Center (HC3) in October. A total of 68 ransomware incidents impacting healthcare organizations worldwide occurred during the July-September quarter. HC3 found that about 63 percent of these ransomware incidents affected the U.S. health sector, while 37 percent targeted healthcare organizations outside the U.S. 

The top countries impacted by these ransomware incidents in the health sector outside the U.S. included France, Brazil, Thailand, Australia, and Italy, according to the HC3. The agency said that ransomware remains a major threat to the health sector worldwide, as several healthcare organizations operate legacy technology with limited security resources. Health or medical clinics continue to be the most frequently affected sub-industry by ransomware, followed by healthcare industry services and hospitals. 

The HC3 CTI team assesses that these trends are likely to continue through 2021. It also detected ten major ransomware groups affecting healthcare organizations, as well as the sub-industries within the healthcare sector impacted most by ransomware for the third quarter this year.

In light of the HC3 data, industrial cybersecurity company Radiflow announced that healthcare facilities have emerged as prime targets for hackers, given their legacy devices and wealth of patient data. 

“With the high cost of each attack, healthcare providers must protect facilities so they can safely deliver excellent care without interruption,” Ilan Barda, CEO of Radiflow, said in a media statement. “Accessing patient data is worrisome, but the idea of hackers gaining access to components in a specific ward or even a single operating room is alarming,” he added. 

CISOs at facilities should focus on both IT systems and OT environments, starting from risk assessment to threat monitoring. There should be continuous holistic risk management for more mature organizations that combine both IT and OT systems, according to Barda.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
MITRE's CREF Navigator aligns with DoD's CMMC to boost cyber resilience in defense industrial base
MITRE’s CREF Navigator aligns with DoD’s CMMC to boost cyber resilience in defense industrial base
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
RMC
Risk Mitigation Consulting acquires Securicon, boosting cybersecurity and mission assurance offerings