Abstract
Modern medical devices (MMDs) are a rapidly growing field of medical technology, and recent advances have allowed them to monitor and manage patients’ health remotely. As these devices become more connected in order to enhance the delivery of patient care, the concerns surrounding security, privacy, and safety are also increasing. To effectively address these concerns, “shift-left security”—which involves addressing security risks as early as possible—is becoming increasingly important. To facilitate it, threat modeling must be implemented as the first step. While various threat modeling methodologies exist, MMDs need a tailored one that takes into account the safety of patients and the complexity of a typical MMD, which contains multiple sensors and actuators. Therefore, we present a new threat modeling methodology—MEDICALHARM—tailored to identifying threats in MMD systems. MEDICALHARM delivers a holistic approach by combining threat and risk analysis under the same scheme. It specifically articulates safety threats along with security and privacy threats. Furthermore, it offers an algorithmic scheme that enables non-security experts (engineers and developers) to participate easily in the threat modeling process. To illustrate its benefits, we performed a threat modeling exercise using MEDICALHARM on a Deep Brain Stimulation device and provide an exhaustive threat document. We then conducted a survey among cybersecurity experts in the MMD domain to assess MEDICALHARM. The survey results reveal positive feedback from participants, especially regarding the integration of cybersecurity, privacy, and safety, the novel trust level categorization, and the documentation strategy. The insights obtained from the questionnaire underscore MEDICALHARM’s potential as a structured, inclusive threat modeling methodology. Finally, we compared the results of this exercise with those of another well-known threat modeling scheme (STRIDE) to demonstrate MEDICALHARM’s distinctive features.
Data availability
The data that support the findings of this study are not openly available due to reasons of sensitivity and are available from the corresponding author upon reasonable request. Data are located in a controlled access database at Marquette University.
Notes
MEDICALHARM stands for Modification Breach, Exposure of Sensitive or Personal Data, Denial of Service, Impact of Threat, Component Threat, Access Breach, Likelihood of Threat, Harm to Patient, Assumptions and Constraints, Relevant In-depth Threat, Monitoring and Logging.
MEDCARM stands for Modification Breach, Exposure of Sensitive or Personal Data, Denial of Service, Component Threat, Access Breach, Relevant In-depth Threat, Monitoring and Logging.
H stands for Harm to Patient.
LI stands for Likelihood of Threat, and Impact of Threat.
LINDDUN stands for Linkability, Identifiability, Non-repudiation, Detectability, Information Conflict of interest, Content Unawareness, and Policy or Consent Noncompliance.
MEDCARM is an acronym that represents the cybersecurity and privacy part of MEDICALHARM mnemonics and stands for Modification Breach, Exposure of Sensitive or Personal Data, Denial of Service, Component Threat, Access Breach, Relevant In-depth Threat, Monitoring and Logging.
H is an acronym that represents the safety part of MEDICALHARM mnemonics and stands for Harm to Patient.
LI is an acronym that represents the risk assessment part of MEDICALHARM mnemonics and stands for Likelihood of Threat, and Impact of Threat.
Acknowledgements
We are deeply grateful to Dr. Zimmer Michael for his invaluable input into the survey development. His insights and expertise were instrumental in creating the questionnaire for this study. We would also like to thank Dr. Jamila Kwarteng for supporting our data analysis. We thank our participants for being generous with their time and feedback to help us evaluate and improve MEDICALHARM. This research was internally funded and did not receive any specific grant from other funding agencies.
Funding
The authors did not receive support from any organization for the submitted work. The authors declare they have no financial interests.
Author information
Contributions
All authors contributed to the study’s conception and design. Material preparation, data collection, and analysis were performed by Emmanuel Kwarteng. The first draft of the manuscript was by Emmanuel Kwarteng and all authors commented, reviewed, and updated the manuscript. All authors jointly planned, reviewed, and approved the manuscript.
Ethics declarations
Conflict of interest
The authors have no competing interests to declare that are relevant to the content of this article.
Ethical approval
The study was approved by the Marquette University Institutional Review Board (IRB). All respondents who participated in the evaluation of the methodology and responded to the survey were at least 18 years old. Potential participants were provided with written information on the first page and gave their consent to participate in the evaluation and the survey by clicking on the next button before proceeding.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Appendix
1.1 Pre-assessment questionnaire questions
Q1 How would you describe your familiarity with threat modeling?
- ○ Very familiar
- ○ Somewhat familiar
- ○ Not very familiar
- ○ Not at all familiar
- ○ Not Applicable
Skip To: End of Survey If Q2 = Not Applicable
Skip To: End of Survey If Q2 = Not at all familiar
Q2 How often do you participate in threat modeling?
- ○ Always: I always threat model every time I develop or make changes to a system or application
- ○ Frequently: I threat model on a regular basis, such as during software development or as part of an incident response plan
- ○ Occasionally: I threat model on an occasional basis, such as before making a significant change to a system or application
- ○ Rarely: I have threat modeled a few times, but it’s not a regular practice
- ○ Never: I have never threat modeled before
Skip To: End of Survey If Q3 = Never: I have never threat modeled before
1.2 MEDICALHARM evaluation questionnaire questions
Q1. At first glance, how easy was it to understand or memorize the MEDICALHARM acronyms?
- ○ Extremely easy
- ○ Somewhat easy
- ○ Neither easy nor difficult
- ○ Somewhat difficult
- ○ Extremely difficult
Q2. At first glance, what do you think of the idea of combining security threats and associated risk evaluation under the same umbrella?
- ○ I strongly like it. It seems like a valuable approach
- ○ I somewhat like it. I see potential
- ○ I’m neutral. I neither like nor dislike the idea at this point.
- ○ I somewhat dislike it. I have concerns or reservations
- ○ I strongly dislike it
Q3. How do you evaluate the idea of categorizing components into different trust zones in assisting with threat identification as a first impression?
- ○ I strongly like it. It seems like a valuable approach
- ○ I somewhat like it. I see potential
- ○ I’m neutral. I neither like nor dislike the idea at this point.
- ○ I somewhat dislike it. I have concerns or reservations
- ○ I strongly dislike it
Q4. How effective do you think the MEDICALHARM model’s unique Threat Documentation is in providing clear and comprehensive insights into various threats and their corresponding risk assessment?
- ○ I strongly like it. It seems like a valuable approach
- ○ I somewhat like it. I see potential
- ○ I’m neutral. I neither like nor dislike the idea at this point.
- ○ I somewhat dislike it. I have concerns or reservations
- ○ I strongly dislike it
Q5. Have you noticed the acronyms PT (Privacy Threat), CIT (Code Injection Threat), and others in our documentation? These represent subcategories under general threat categories. In our approach, we believe that sub-categorizing the sources of major threats is essential for a comprehensive understanding. For instance, an Access Breach could occur due to a Side Channel Threat or a Code Injection Threat.
Do you agree that this additional categorization will help to identify sources of some threats, such as Side-Channel or Privacy Threats, that could otherwise be overlooked?
- ○ I strongly like it. It seems like a valuable approach
- ○ I somewhat like it. I see potential
- ○ I’m neutral. I neither like nor dislike the idea at this point.
- ○ I somewhat dislike it. I have concerns or reservations
- ○ I strongly dislike it
Q6. Do you think offering a detailed flow chart will help to identify threats while filling out the MEDICALHARM Threat Documentation?
- ○ I strongly like it. It seems like a valuable approach
- ○ I somewhat like it. I see potential
- ○ I’m neutral. I neither like nor dislike the idea at this point.
- ○ I somewhat dislike it. I have concerns or reservations
- ○ I strongly dislike it
Q7. Do you think having a step-by-step algorithmic scheme will help experts to create a comprehensive threat analysis?
- ○ I strongly like it. It seems like a valuable approach
- ○ I somewhat like it. I see potential
- ○ I’m neutral. I neither like nor dislike the idea at this point.
- ○ I somewhat dislike it. I have concerns or reservations
- ○ I strongly dislike it
Q8. Do you like having Mitigations and Controls in the Threat Document?
- ○ I strongly like it. It seems like a valuable approach
- ○ I somewhat like it. I see potential
- ○ I’m neutral. I neither like nor dislike the idea at this point.
- ○ I somewhat dislike it. I have concerns or reservations
- ○ I strongly dislike it
Q9. Our threat model requires a reevaluation of associated risks considering the existing mitigation and controls. We believe that this reevaluation step will lead to a better assessment of risks. Do you agree with this statement?
- ○ I strongly like it. It seems like a valuable approach
- ○ I somewhat like it. I see potential
- ○ I’m neutral. I neither like nor dislike the idea at this point.
- ○ I somewhat dislike it. I have concerns or reservations
- ○ I strongly dislike it
Q10. Indicate whether you agree or disagree with these statements about the strengths and weaknesses of the MEDICALHARM threat modeling methodology you evaluated.

| Statement | Agree | Neutral | Disagree |
|---|---|---|---|
| Structured approach to identify threats | ○ | ○ | ○ |
| Identify new and previously undiscovered threats during the design | ○ | ○ | ○ |
| Evaluate the effectiveness of existing security controls | ○ | ○ | ○ |
| Identify in-depth and third-party component threats or areas where additional protection may be needed | ○ | ○ | ○ |
| Resource-intensive to implement | ○ | ○ | ○ |
| Does not identify relevant threats | ○ | ○ | ○ |
| Does not consider and document the constraints of the system | ○ | ○ | ○ |
| Does not consider and document assumptions | ○ | ○ | ○ |
| Requires specialized skills and knowledge to perform effectively | ○ | ○ | ○ |

Q11. Indicate whether you agree or disagree with these statements about the MEDICALHARM threat modeling methodology you evaluated.

| Statement | Agree | Neutral | Disagree |
|---|---|---|---|
| The terminology used in the threat model is difficult to understand for non-security experts | ○ | ○ | ○ |
| The methodology is time-consuming | ○ | ○ | ○ |
| The used threat model causes the listing of the same threats due to overlapping threat categories | ○ | ○ | ○ |
| The used threat model mostly identifies only generic and high-level threats | ○ | ○ | ○ |
| There is a higher cross-correlational threat, such that the elevation of privilege threat assumes that the system has already been spoofed | ○ | ○ | ○ |
| The used threat model does not provide a mechanism to assess risks and prioritize identified threats | ○ | ○ | ○ |
| The methodology does not consider architectural security decisions | ○ | ○ | ○ |
| Higher rate of False Positives | ○ | ○ | ○ |
| Higher rate of False Negatives | ○ | ○ | ○ |
| Generates an overwhelmingly high number of threats, which becomes a challenge to review | ○ | ○ | ○ |
| While using the threat model, it is hard to document the identified threats and corresponding countermeasures for a better overall view | ○ | ○ | ○ |
Q12. In what ways did the MEDICALHARM threat modeling methodology help you understand the overall security posture of your system or product?
- ☐ Identifying vulnerabilities: My methodology helps me identify vulnerabilities in my system or product that could be exploited by attackers.
- ☐ Prioritizing risks: My methodology helps me prioritize the risks to my system or product based on their likelihood and impact.
- ☐ Identifying attack vectors: My methodology helps me identify the ways in which attackers could potentially gain access to or exploit my system or product.
- ☐ Evaluating controls: My methodology helps me evaluate the effectiveness of existing security controls in my system or product.
- ☐ Understanding the system: My methodology helps me understand the architecture and design of my system or product, which allows me to identify potential weaknesses.
- ☐ Documenting threats and controls: My methodology helps me document all identified threats and controls.
- ☐ Other (please specify below)
Q13. Overall, how satisfied or dissatisfied are you with the MEDICALHARM threat modeling methodology?
- ○ Extremely satisfied
- ○ Somewhat satisfied
- ○ Neither satisfied nor dissatisfied
- ○ Somewhat dissatisfied
- ○ Extremely dissatisfied
Q14. What changes, if any, would you like to see made to the MEDICALHARM threat modeling methodology?
NOTE: Please do not enter any proprietary or personal information.
Q15 Did you participate in our previous Threat Modeling Pre-assessment survey?
- ○ Yes
- ○ No
1.3 STRIDE threat tables
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Kwarteng, E., Cebe, M. MEDICALHARM: A threat modeling designed for modern medical devices and a comprehensive study on effectiveness, user satisfaction, and security perspectives. Int. J. Inf. Secur. (2024). https://doi.org/10.1007/s10207-024-00826-y
DOI: https://doi.org/10.1007/s10207-024-00826-y