Cybersecurity is no longer seen as an option in medical technology; it's a requirement. With IEC 81001-5-1 and the MDR requirements, manufacturers of medical devices and health software must proactively identify, assess, and manage security risks. A proven approach for this, and one recommended by IEC 81001-5-1, is threat modeling with STRIDE.
What is STRIDE?
STRIDE is a Microsoft threat model for cybersecurity, and in our specific case, a threat model for medical software and devices. It categorizes six typical attack types:
| STRIDE category | Threat type | Simply explained | Example |
|---|---|---|---|
| S | Spoofing | Identity theft | An attacker is posing as a doctor. |
| T | Tampering | Manipulation of data or code | Dosage data for an infusion device is being changed. |
| R | Repudiation | Deniability of actions | A user deletes data, and nobody can prove it. |
| I | Information Disclosure | Confidential data falls into the hands of unauthorized persons | An attacker is intercepting network traffic. |
| D | Denial of Service | The system is overloaded or blocked. | Vital data can no longer be transmitted. |
| E | Elevation of Privilege | Privilege expansion through vulnerabilities | An exploit allows a normal user to become an administrator. |

Further information is available directly from Microsoft: Threat Modeling with STRIDE
How does risk analysis with STRIDE work in medical technology?
To understand where STRIDE comes into play in the risk analysis process, this simple model is helpful:

In this model, a threat is a potential attack method, such as spoofing, tampering or denial of service, as described in the STRIDE model. A vulnerability is the weakness in the system that can be exploited, e.g., an unsecured interface. The asset is the target of the attack, such as confidential patient data or device availability. The vulnerability and the asset together constitute an impact, a concrete consequence, such as data loss or malfunction. Together with the threat, this ultimately results in the risk (the risk to be assessed).
The right approach begins with the system context and architecture. From this, you derive a data flow diagram (DFD):
- What components are there (app, server, sensor)?
- What data flows exist between these parts?
- What interfaces and trust boundaries exist?
Then systematically apply STRIDE to each element: each data flow, each component, each storage location.
Example: Do you have a user interface? Then check:
- Spoofing: Is the login protected?
- Tampering: Are the inputs validated?
- Repudiation: Is there an audit log?
- etc.
This way you methodically cover all relevant threat scenarios.
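The element-by-element pass described above can be sketched in code. This is an added example, not part of the original article. It assumes the widely used STRIDE-per-element chart (which categories apply to external entities, processes, data stores and data flows) and a constructed, hypothetical DFD with the trust zones `user`, `device`, `mobile` and `backend`. Flows that cross a trust boundary are listed first for review.

```python
from dataclasses import dataclass

NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
         "I": "Information Disclosure", "D": "Denial of Service",
         "E": "Elevation of Privilege"}
# STRIDE-per-element chart (assumption, not from the article). Repudiation on a
# data store matters mainly when the store holds audit logs.
APPLICABLE = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # "external", "process" or "store"
    zone: str  # trust zone; a flow between two zones crosses a trust boundary

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str

def enumerate_threats(elements, flows):
    """Return (target, category, crosses_boundary) rows, boundary crossings first."""
    by_name = {e.name: e for e in elements}
    rows = [(e.name, NAMES[c], False) for e in elements for c in APPLICABLE[e.kind]]
    for f in flows:
        if f.src not in by_name or f.dst not in by_name:
            raise ValueError(f"flow references unknown element: {f.src} -> {f.dst}")
        crosses = by_name[f.src].zone != by_name[f.dst].zone
        label = f"{f.src} -> {f.dst} ({f.data})"
        rows += [(label, NAMES[c], crosses) for c in APPLICABLE["flow"]]
    return sorted(rows, key=lambda r: not r[2])  # stable sort keeps DFD order

# Constructed sample DFD (hypothetical system, not from the article).
ELEMENTS = [Element("Clinician", "external", "user"),
            Element("Sensor", "process", "device"),
            Element("App", "process", "mobile"),
            Element("Server", "process", "backend"),
            Element("PatientDB", "store", "backend")]
FLOWS = [Flow("Clinician", "App", "credentials"),
         Flow("Sensor", "App", "vital data"),
         Flow("App", "Server", "vital data"),
         Flow("Server", "PatientDB", "patient records")]

if __name__ == "__main__":
    for target, category, crosses in enumerate_threats(ELEMENTS, FLOWS):
        print(f"{'[boundary] ' if crosses else ''}{target}: {category}")
```

Each printed row is one candidate threat to assess and, where relevant, to turn into a security requirement.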
STRIDE analysis results: How threats are assessed and mitigated
The identified threats are assessed, similar to ISO 14971:
- How likely is it to be exploited?
- What impact does it have (confidentiality, availability, integrity)?
A proven method for assessment is the CVSS score (Common Vulnerability Scoring System). It offers a standardized scoring system (0–10) to objectively evaluate the criticality of a vulnerability. Factors such as attack vector, complexity, required privileges, and potential damage are factored into the assessment.
Derive security requirements from the results:
- "Connections must be TLS-encrypted."
- "User actions are logged in an audit log."
- "Failed attempts will result in account suspension."
These requirements are incorporated into your security concept and your software requirements.
How does STRIDE fit into IEC 81001-5-1?
The standard explicitly requires the identification and assessment of cybersecurity threats. STRIDE provides a proven, transparent framework for this and is also compatible with AAMI TIR57.
STRIDE helps you to practically implement the required cybersecurity risk assessment of IEC 81001-5-1.
Summary: Using STRIDE for secure medical software development
STRIDE is far more than a theoretical threat model – it is a field-proven tool that helps to identify cybersecurity risks early, assess them effectively, and mitigate them successfully. A structured approach to threat analysis is indispensable, especially in the development of medical software and networked medical devices – particularly in the context of IEC 81001-5-1 and the MDR.
By applying STRIDE, typical attack scenarios such as spoofing, tampering, or denial of service can be systematically detected and documented. In combination with established methods like CVSS and the derivation of specific security requirements, STRIDE becomes a central component of a standards-compliant cybersecurity concept.
Any medical software manufacturer that wants to meet information security requirements cannot ignore STRIDE. It offers a transparent, scalable, and practical method for integrating cybersecurity into the entire development process – from architecture and design to implementation.
