Enhancing Medical Device Cybersecurity with the STRIDE Threat Model

By Yanik & Antoine

Cyber attacks are increasing at an alarming rate, generating considerable costs for affected companies, damaging their reputations, and exposing users to serious consequences. Services may become inaccessible, customers’ identities may be stolen, and their personal information may be disclosed.

In the healthcare sector, where the stakes are even higher, cybersecurity is paramount in the development of medical software. A single failure can endanger patients’ lives and expose their confidential data.

For this reason, regulatory authorities place particular importance on the safety of medical devices. This is the case with the Food & Drug Administration (FDA) in the United States, whose mission includes ensuring that software is designed to protect patients and users against malicious use.

Antoine Béland and Yanik Magnan, both Tech Lead software developers at CLEIO, share their expert views on securing medical software. They particularly recommend using the STRIDE threat modeling framework to effectively address risks in this highly sensitive sector.

What is the STRIDE Threat Model?

The STRIDE threat model, developed by Microsoft in 1999, categorizes potential threats into six major groups, which we will explore together.

Spoofing

Spoofing is the act of pretending to be someone else. For example, an attacker might steal a user’s password to log in to their account.

To avoid this, measures must be implemented to ensure that the person logging in is the expected user, thereby guaranteeing authenticity in the system.

Tampering

Tampering involves the malicious modification of data, whether on a hard disk, within a network, or in memory. This occurs, for example, when an attacker intercepts and alters data traveling over the network.

To prevent such actions and ensure system integrity, these modifications must be detectable.

Repudiation

Repudiation involves causing the system to believe that an operation was not performed or that a user is not responsible for it. For example, repudiation can occur when an attacker successfully modifies the system’s audit logs to obscure their activities.

To prevent such scenarios, measures must be implemented to ensure non-repudiation in the system.
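One way to make the audit-log modification described above detectable is to chain the records with a keyed hash. This is an added example, not code from the original article; the record format, field names and key handling are assumptions.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # fixed anchor that the first record chains to


def _mac(key, prev_mac, entry):
    # Each MAC covers the previous MAC, so editing, deleting or
    # reordering a record invalidates the chain from that point on.
    payload = prev_mac + json.dumps(entry, sort_keys=True)
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def append(log, key, entry):
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"entry": entry, "mac": _mac(key, prev, entry)})


def first_bad_index(log, key, expected_len):
    """Index of the first record that fails verification, else None."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if not hmac.compare_digest(rec["mac"], _mac(key, prev, rec["entry"])):
            return i
        prev = rec["mac"]
    # Cutting records off the end leaves a valid chain, so the count
    # (stored away from the log) is compared too.
    return len(log) if len(log) < expected_len else None


def build_sample(key):
    # Constructed audit events; user and action names are hypothetical.
    log = []
    for user, action in [("nurse01", "login"),
                         ("nurse01", "change_alarm_threshold"),
                         ("nurse01", "logout")]:
        append(log, key, {"user": user, "action": action})
    return log


if __name__ == "__main__":
    key = b"demo-key-kept-off-the-device-log"  # placeholder, not a real secret
    log = build_sample(key)
    print("intact:", first_bad_index(log, key, 3))
    log[1]["entry"]["action"] = "view_reading"  # simulate an edited record
    print("edited record detected at index:", first_bad_index(log, key, 3))
```

A shared HMAC key gives tamper evidence only; attributing a record to one specific user would require per-user asymmetric signatures.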

Information Disclosure

Information disclosure occurs when an unauthorized user gains access to sensitive information. This can happen if a system is poorly configured, exposing sensitive details to the public, or when an attacker intercepts data traveling over the network and steals it.

To ensure system confidentiality, the use of encryption mechanisms is recommended.

Denial of Service

A Denial of Service (DoS) attack involves the consumption of system resources to the extent that legitimate users cannot access the service. This occurs when an attacker floods the system with excessive requests, rendering it inaccessible.

In such cases, alternative access methods must be established to ensure system availability.

Elevation of Privileges

An elevation of privileges occurs when someone performs an operation without proper authorization. This can happen if an attacker manages to steal login credentials and uses them to access a system with elevated privileges.

To prevent this, measures must be implemented to ensure proper system authorizations are maintained.

6 Steps to Ensure Medical Software Safety With the STRIDE Threat Model

Now that we have a detailed understanding of the STRIDE threat model, let’s explore how it can be used to identify potential cybersecurity threats during the design phase of medical software development.

The first two steps involve identifying the information assets and the attack surfaces within the system.

1. Identifying Information Assets

An information asset is a resource within an organization’s infrastructure that must be protected due to its value. These assets include digital data, physical documents, intellectual property, and the knowledge and skills of employees.

Their value exposes them to various threats and risks, such as unauthorized access, data breaches, malware attacks, system failures, and other cyber threats.

2. Identifying Attack Surfaces

An attack surface comprises all the potential entry points through which an attacker can exploit vulnerabilities to gain unauthorized access to a system and cause damage.

It encompasses the connections between system components where information is transmitted or operations are performed. An example of this could be the Bluetooth connection between a phone and another device.

When developing software, it is advisable to minimize the number of potential attack surfaces to enhance security.

[Figure: attack surfaces are shown in orange; assets are the types of information transmitted through these channels.]

3. Applying the STRIDE Threat Model to Each of the Assets and Surfaces Identified

To effectively apply the STRIDE threat model to each identified asset and surface, we recommend creating a cybersecurity analysis matrix.

This matrix evaluates the potential cybersecurity risks across each communication channel for all data in transit throughout the system.

| Information Asset | Attack Surface | STRIDE | Scenario | Sequence of Events | Hazardous Situation |
| --- | --- | --- | --- | --- | --- |
| Patient temperature | Thermometer → BLE | Tampering | [...] | [...] | [...] |
| Patient temperature | Thermometer → BLE | Spoofing | [...] | [...] | [...] |
| Patient temperature | Thermometer → BLE | Elevation of Privileges | [...] | [...] | [...] |
| Patient temperature | Thermometer → BLE | Denial of Service | [...] | [...] | [...] |

The “Scenario” column shows the type of attack that applies to a threat type. There may be several possible attack scenarios, each with different impacts, for the same threat category. In this case, each scenario should have its own line in the matrix.

The “Sequence of Events” column provides a high-level description of how the attack unfolds.

Finally, the “Hazardous Situation” column offers a tangible description of the impact the attack will have on the concerned asset or attack surface.

If a line is not applicable, simply indicate this and provide a justification. This approach demonstrates that thoughtful consideration has been given to the design and ensures that the matrix has been thoroughly reviewed.
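The completeness rule for the matrix described above can be checked mechanically: every asset and surface pair needs a line for each STRIDE category, and a non-applicable line needs a justification. This is an added example, not code from the original article; the dictionary keys, the `not_applicable` flag and the sample row texts are assumptions.

```python
from itertools import product

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privileges")
ANALYSIS_COLUMNS = ("scenario", "sequence_of_events", "hazardous_situation")


def review_matrix(pairs, rows):
    """Return (asset, surface, stride, problem) for every incomplete cell.

    pairs: (asset, surface) tuples from steps 1 and 2.
    rows:  dicts keyed like the matrix columns; a non-applicable line
           sets not_applicable=True and must carry a justification.
    """
    cells = {}
    for row in rows:
        cells.setdefault((row["asset"], row["surface"], row["stride"]), []).append(row)

    findings = []
    for (asset, surface), category in product(pairs, STRIDE):
        cell = cells.get((asset, surface, category), [])
        if not cell:
            findings.append((asset, surface, category, "no line in matrix"))
        for row in cell:  # several scenarios per category are allowed
            if row.get("not_applicable"):
                if not row.get("justification", "").strip():
                    findings.append((asset, surface, category, "N/A without justification"))
                continue
            missing = [c for c in ANALYSIS_COLUMNS if not row.get(c, "").strip()]
            if missing:
                findings.append((asset, surface, category, "missing " + ", ".join(missing)))
    return findings


# Constructed sample based on the thermometer line of the matrix.
TEMP = ("Patient temperature", "Thermometer → BLE")


def _row(stride, **cols):
    return {"asset": TEMP[0], "surface": TEMP[1], "stride": stride, **cols}


SAMPLE_ROWS = [
    _row("Tampering", scenario="Reading altered in transit",
         sequence_of_events="Value changes between thermometer and phone",
         hazardous_situation="Clinician acts on a wrong temperature"),
    _row("Denial of Service", scenario="Link unavailable"),
    _row("Repudiation", not_applicable=True),
]

if __name__ == "__main__":
    for finding in review_matrix([TEMP], SAMPLE_ROWS):
        print(" | ".join(finding))
```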

4. Identifying the Plausible Consequences of the Various Scenarios Formulated

Now that the various scenarios have been formulated, it’s time to identify their potential consequences.

For each consequence, we need to define its impact, assess the damage caused, and determine both the probability and severity levels.

Impact

What will be the impact on functionality, system performance, user data, the patient, or system availability?

Harm

Physical injury or damage to a person’s health, or damage to property or the environment.

Probability

Severity

5. Assessing the Level of Risk of the Identified Consequences

Once the probability and severity of a potential scenario have been defined, it is possible to assess the associated risk. The level of risk can be determined using a matrix that evaluates both the severity and probability of an incident.

6. Defining Risk Mitigation Measures

Knowing all these elements allows us to define necessary mitigation measures, i.e., actions to prevent the occurrence of an incident.

Possible measures include:

Each time a mitigation measure is implemented, the level of risk must be reassessed until it becomes acceptable.
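The reassessment loop of steps 5 and 6 can be sketched as follows. This is an added example, not code from the original article, which does not give its scales: the five-step probability and severity scales, the score bands, the acceptable level and the sample mitigations are all assumptions.

```python
# Assumed five-step ordinal scales; the article does not define its own.
PROBABILITY = ("improbable", "remote", "occasional", "probable", "frequent")
SEVERITY = ("negligible", "minor", "serious", "critical", "catastrophic")


def risk_level(p_idx, s_idx):
    """Severity x probability matrix expressed as score bands (assumed)."""
    score = (p_idx + 1) * (s_idx + 1)
    return "high" if score >= 15 else "medium" if score >= 5 else "low"


def reassess(probability, severity, mitigations, acceptable=("low",)):
    """Apply mitigations in order, re-rating the risk after each one.

    mitigations: (name, probability_steps_down, severity_steps_down);
    the step counts are the analyst's judgement, not computed here.
    Returns (history, accepted); accepted is False when the measures
    run out while the residual risk is still above the acceptable level.
    """
    p, s = PROBABILITY.index(probability), SEVERITY.index(severity)
    history = [("initial", PROBABILITY[p], SEVERITY[s], risk_level(p, s))]
    for name, dp, ds in mitigations:
        if history[-1][3] in acceptable:
            break  # already acceptable: remaining measures are optional
        p, s = max(p - dp, 0), max(s - ds, 0)
        history.append((name, PROBABILITY[p], SEVERITY[s], risk_level(p, s)))
    return history, history[-1][3] in acceptable


# Constructed mitigations for the thermometer tampering line.
SAMPLE_MITIGATIONS = [
    ("integrity check on each reading", 2, 0),
    ("plausibility alarm in the app", 0, 2),
    ("periodic manual cross-check", 1, 0),
]

if __name__ == "__main__":
    history, accepted = reassess("probable", "critical", SAMPLE_MITIGATIONS)
    for step in history:
        print(" | ".join(step))
    print("acceptable:", accepted)
```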

Cybersecurity is a crucial element to consider in the development of medical software. The STRIDE threat model provides a systematic risk analysis methodology, helping us identify necessary measures to mitigate risks.

However, relying solely on this model is insufficient for risk mitigation. Additional actions during development are essential. Rigorous software testing is required to prevent incidents that could harm patients and potentially lead to product recalls, litigation, and damage to the manufacturer’s reputation.
