Medical Device Cyberthreat Modeling: Top Considerations
Threat Modeling Expert Adam Shostack on Critical Mistakes to Avoid
Besides not doing cyberthreat modeling at all, some of the biggest mistakes medical device manufacturers can make are starting the modeling process too late in the development phase or using it simply as a "paper weight exercise," said threat modeling expert Adam Shostack of Shostack & Associates.
"I like to think of threat modeling as the 'measure twice, cut once' of cybersecurity," Shostack said.
"If you incorporate a large language model into your MRI machine to read brain scans, you're going to spend a lot of money training that machine learning model, incorporating it, testing it - and then you're going to discover how badly it does," he told Information Security Media Group.
"Doing your threat modeling late - rather than at the beginning when everything is on a whiteboard or on a cocktail napkin to avoid the mistakes that are going to happen - that's the big mistake people make."
Starting threat modeling at the very beginning of the medical device development process helps provide more choices for possible mitigations as developers gain a better understanding of the threats, Shostack said.
Among the major risks related to medical devices is "balancing innovation, speed and security," he said. "The thing I'm spending a lot of my time on is: How do we make threat modeling more effective per unit of energy we put into it?"
That includes making it simpler to track all the medical device threats identified - and making it easier to find solutions to all those threats "so that we can deliver better treatments to people sooner," Shostack said. "That's a really important engineering challenge we should all keep our eyes on."
In this audio interview with Information Security Media Group, Shostack also discussed:
- Tips for getting started on medical device threat modeling;
- Threat modeling considerations for artificial intelligence-enabled medical devices and why he's skeptical about machine learning-enabled medical devices;
- Threat modeling topics under discussion at an upcoming workshop on medical device cybersecurity in New Orleans hosted by Northeastern University's Archimedes Center for Health Care and Medical Device Cybersecurity, where he'll be presenting.
Shostack is the author of several books, including "Threat Modeling: Designing for Security." He's a leading expert on threat modeling, a consultant, expert witness and game designer with decades of experience delivering security.