
Chapter 3: Security by Design · Section 3.6

Threat Modeling: Thinking Like an Attacker

3.6.1 What Is Threat Modeling?

Threat modeling is a structured process to:

  • Identify what could go wrong
  • Understand how attacks might happen
  • Prioritize based on risk
  • Design appropriate defenses

Think of it as a "what if" exercise where you systematically explore how someone might compromise your device.

3.6.2 The Threat Modeling Process

The MITRE Playbook for Threat Modeling Medical Devices outlines four key questions:

  1. What are we working on? (System understanding)
  2. What can go wrong? (Threat identification)
  3. What are we going to do about it? (Mitigation planning)
  4. Did we do a good job? (Validation)

3.6.3 Creating Data Flow Diagrams (DFDs)

DFDs are the foundation of threat modeling. They show:

  • System components (processes, data stores)
  • Data flows between components
  • External entities
  • Trust boundaries

DFD Elements

Processes (Circles):

  • Software components
  • Services
  • Applications

Data Stores (Parallel lines):

  • Databases
  • Files
  • Caches
  • Logs

External Entities (Rectangles):

  • Users
  • Other systems
  • Networks
  • Attackers

Data Flows (Arrows):

  • Communication paths
  • Data movement
  • Control signals

Trust Boundaries (Dashed boxes):

  • Different privilege levels
  • Network segments
  • Physical boundaries

3.6.4 Using STRIDE for Threat Identification

STRIDE is a systematic way to identify threats:

Spoofing - Pretending to be someone/something else

  • Fake user credentials
  • Impersonating a trusted system
  • False sensor readings

Tampering - Modifying data or code

  • Changing configuration
  • Altering patient data
  • Modifying software

Repudiation - Denying that actions occurred

  • Deleting audit logs
  • Claiming false actions
  • Avoiding accountability

Information Disclosure - Exposing confidential data

  • Patient data leaks
  • Credential theft
  • System information exposure

Denial of Service - Making the system unavailable

  • Crashing the device
  • Flooding with requests
  • Resource exhaustion

Elevation of Privilege - Gaining unauthorized access

  • User to admin escalation
  • Escaping sandboxes
  • Bypassing access controls

3.6.5 Threat Modeling in Practice

Let's walk through a simplified example:

System: Insulin pump with smartphone app

Step 1: Create DFD

Step 2: Identify Trust Boundaries

  • Between phone and pump
  • Between phone and cloud
  • Between pump and sensor

Step 3: Apply STRIDE

Spoofing threats:

  • Fake app pretending to be legitimate
  • Rogue pump impersonating real device

Tampering threats:

  • Modified commands changing insulin dose
  • Altered glucose readings

Information Disclosure:

  • Bluetooth sniffing revealing patient data
  • Cloud breach exposing treatment history

Step 4: Prioritize Threats

  • Tampering with dose: Critical (could kill patient)
  • Information disclosure: High (privacy violation)
  • Spoofing app: Medium (depends on implementation)
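
The walkthrough above as an added Python example (not part of the original guide): it models the DFD as flows between trust zones, keeps only the flows that cross a trust boundary, and lists STRIDE candidates for each one, worst first. Assumptions: the element names, the dose_log store, the four categories checked per flow, and applying each Step 4 rating to a whole STRIDE category; categories the page does not rate come out as "Unrated".

```python
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    data: str

# Constructed DFD for the insulin pump example: element -> trust zone (names are assumptions).
ZONES = {"sensor": "sensor", "pump_fw": "pump", "dose_log": "pump",
         "phone_app": "phone", "cloud_api": "cloud"}
FLOWS = [
    Flow("sensor", "pump_fw", "glucose readings"),
    Flow("phone_app", "pump_fw", "dose commands"),
    Flow("pump_fw", "dose_log", "delivery records"),  # stays inside the pump zone
    Flow("pump_fw", "phone_app", "pump status"),
    Flow("phone_app", "cloud_api", "treatment history"),
]
# Categories checked on every boundary-crossing flow (assumption: endpoint spoofing
# plus the three categories that apply to data in transit).
FLOW_THREATS = ["Spoofing", "Tampering", "Information Disclosure", "Denial of Service"]
# Step 4 ratings applied per category (a simplification); anything else is "Unrated".
PRIORITY = {"Tampering": "Critical", "Information Disclosure": "High", "Spoofing": "Medium"}
RANK = {"Critical": 0, "High": 1, "Medium": 2, "Unrated": 3}

def crossing_flows(flows, zones):
    """Flows whose endpoints sit in different trust zones."""
    return [f for f in flows if zones[f.src] != zones[f.dst]]

def trust_boundaries(flows, zones):
    """Unordered zone pairs that at least one flow crosses."""
    return {frozenset((zones[f.src], zones[f.dst])) for f in crossing_flows(flows, zones)}

def enumerate_threats(flows, zones):
    """One (rating, category, flow, data) row per category per crossing flow, worst first."""
    rows = [(PRIORITY.get(cat, "Unrated"), cat, f"{f.src} -> {f.dst}", f.data)
            for f in crossing_flows(flows, zones) for cat in FLOW_THREATS]
    return sorted(rows, key=lambda r: (RANK[r[0]], r[2]))

if __name__ == "__main__":
    for rating, cat, flow, data in enumerate_threats(FLOWS, ZONES):
        print(f"{rating:<9} {cat:<23} {flow:<24} {data}")
```

The "Unrated" rows are the ones to take back to Step 4 for a decision; the intra-pump flow to dose_log never appears because it crosses no boundary.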
