Shostack + Friends Blog


How to Threat Model Medical Devices, on The Medical Device Cybersecurity Podcast

Adam was on the Medical Device Cybersecurity podcast

I’m excited to share that I recently spoke with the Cyber Doctor on the Medical Device Cybersecurity podcast!

Whether you’re an engineer, security professional, or product leader, this discussion may help you refine your approach to building secure systems efficiently.

In the episode, we tackled three key qualities of threat modeling: how to make it actionable, scalable, and practical as part of application design. Each of these is infused into our training, and I’m happy to have been able to bring those points to this conversation.

Here are some key takeaways:

1. The Four Question Framework

At its core, we can make threat modeling more accessible to all engineers by asking four simple questions:

1. What are we working on?
2. What can go wrong?
3. What are we going to do about it?
4. Did we do a good job?

We routinely ask these questions early in development, when fixes are easier to implement, and that leads to better security outcomes.

2. Diagrams improve visibility and communication

Threat modeling isn’t just about checklists—it’s about understanding how systems work. Diagrams help bring clarity, align teams, and reveal gaps in security thinking. The best part? You don’t need a massive modeling project to get started. A simple whiteboard sketch can already bring immense value, and this is something that often surprises our students. It’s ok to start small and see the value.

3. Continuous feedback drives improvement

Threat modeling isn’t a one-and-done process. Asking for feedback—Was this useful? Did we have the right people involved?—is key to refining and improving how we approach security. Listening to concerns makes the process more effective and sustainable over time.

Thank you to Mathieu for his thought-provoking questions and engaging discussion. Listen to the full episode on Spotify or YouTube to hear the discussion in more detail. If you’re looking for practical guidance, this one’s for you!