Explain System and Identify Threats
A comprehensive threat model must clearly describe the medical device system and identify potential threats throughout its entire lifecycle, from concept to postmarket.
This guide provides actionable tips for medical device manufacturers to perform threat modeling that meets FDA expectations and ensures the cybersecurity of their devices across the entire product lifecycle.
Forging a clinician identity to a connected pump.
Altering pacing parameters on an implantable device.
Removing audit traces of an unauthorized firmware push.
PHI leak from an unsecured DICOM share.
Ransomware locks the imaging fleet mid-care.
Service-mode menu reached without authentication.
Ensure your threat model covers all critical aspects like assets, trust boundaries, update mechanisms, and clinical workflows to avoid gaps that could compromise patient safety or lead to reviewer concerns.
Beyond engineering diagrams, your documentation should satisfy FDA expectations by detailing security architecture, assumptions, residual risks, and clear traceability of controls to patient safety.
Link identified threats directly to potential impacts on patient safety, including compromise of device availability, therapy delivery, diagnostic integrity, or multi-patient safety.
Develop submission-focused documentation tailored to the latest FDA cybersecurity guidance and reviewer expectations to avoid rewrites and streamline the submission process.
Connect threats to exploitability, true residual risk, safety impact, and foreseeable misuse, not just traditional confidentiality concerns.
Include views for the global system (device, cloud, networks), multi-patient harm scenarios, patchability (update paths, authenticity), and specific security use cases (programming, alarming, therapy delivery).
Utilize SBOM-informed threats, assess third-party software risks, and identify end-of-support assumptions and supplier-control gaps within your threat model.
Map threats to controls, cybersecurity risk assessments, testing evidence, residual risk, and relevant safety files for a complete and traceable risk story.
Threat modeling is a structured analysis of how an attacker could compromise a device, its data, or its safety functions. For medical devices, it links security threats to patient safety outcomes and produces requirements that drive design, testing, and FDA documentation.
Yes. The FDA's 2026 cybersecurity guidance requires a threat model as part of the cybersecurity premarket submission. It must cover the full system, including device, supporting infrastructure, and update mechanisms.
STRIDE is the most common starting point and pairs well with data-flow diagrams. Many MedTech teams combine STRIDE for technical threats with a safety-focused method (such as STPA-Sec) to connect threats to harm. The FDA does not mandate a specific methodology.
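As an added example (not code from the page or its author), the STRIDE-over-data-flow-diagram approach described above, together with the earlier point about mapping threats to controls and test evidence, worked in Python: STRIDE-per-element enumeration over a small constructed pump DFD, followed by a traceability check that flags every threat without a mapped control and every control without test evidence. Element names, control identifiers and test identifiers are assumed.

```python
from dataclasses import dataclass

# STRIDE-per-element applicability (Microsoft SDL convention); the 'R' for a
# store only applies when that store holds audit records.
STRIDE_PER_ELEMENT = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}

@dataclass
class Element:
    name: str
    kind: str                       # external | process | store | flow
    crosses_boundary: bool = False  # flows only: does it cross a trust boundary?
    holds_audit_log: bool = False   # stores only

def enumerate_threats(elements):
    """(element_name, STRIDE letter) for each applicable threat; in-boundary flows skipped."""
    threats = []
    for e in elements:
        if e.kind == "flow" and not e.crosses_boundary:
            continue
        cats = STRIDE_PER_ELEMENT[e.kind]
        if e.kind == "store" and not e.holds_audit_log:
            cats = cats.replace("R", "")
        threats.extend((e.name, c) for c in cats)
    return threats

def traceability_gaps(threats, controls, evidence):
    """controls: {(element, letter): control_id}; evidence: {control_id: test_id}.
    A gap is a threat with no mapped control, or a control with no test evidence."""
    gaps = []
    for t in threats:
        ctrl = controls.get(t)
        if ctrl is None:
            gaps.append((t, "no control"))
        elif ctrl not in evidence:
            gaps.append((t, f"{ctrl} untested"))
    return gaps

# Constructed DFD (assumed names): a clinician programs a pump controller, which
# persists therapy settings and an audit log inside the device trust boundary.
DFD = [
    Element("clinician", "external"),
    Element("pump_controller", "process"),
    Element("therapy_settings", "store"),
    Element("audit_log", "store", holds_audit_log=True),
    Element("clinician_to_pump", "flow", crosses_boundary=True),
    Element("controller_to_settings", "flow"),
]
CONTROLS = {("clinician", "S"): "CTRL-AUTH", ("clinician_to_pump", "T"): "CTRL-MAC",
            ("audit_log", "R"): "CTRL-WORM-LOG"}  # assumed control identifiers
EVIDENCE = {"CTRL-AUTH": "TST-001", "CTRL-MAC": "TST-002"}  # CTRL-WORM-LOG has no test yet
```

Running `traceability_gaps(enumerate_threats(DFD), CONTROLS, EVIDENCE)` lists the untraced threats and the untested control, which is the gap list a reviewer would expect the threat model to close before submission.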