STRIDE-HC Threat Model: ExampleMed Volumetric Infusion Pump v3.2
Worked example for paper §4.5 — large-volume infusion pump representative of Archetype 2 (embedded RTOS legacy).
1. Device profile
| Field |
Value |
| Device name and model |
ExampleMed Volumetric Infusion Pump v3.2 |
| Manufacturer |
ExampleMed Inc. |
| Device class (FDA) |
Class II |
| UMDNS code |
16495 |
| GMDN code |
35143 |
| MDS² reference |
ExampleMed-IP3.2-MDS2-2024 |
| Archetype |
Archetype 2 (embedded RTOS legacy) |
| Operating system |
VxWorks 6.9 (EOL — no further patches) |
| Networking |
100Mbit Ethernet, HL7 v2 over TCP/2575, no TLS |
| Authentication |
Hardcoded service-mode credential; no per-user login |
| Patching |
Manufacturer no longer issues patches; FDA clearance limits modification |
| Audit logging |
None on device; only at upstream nursing station |
| Physical interfaces |
RS-232 service port; USB-A (firmware update); Bluetooth (paired display) |
| Deployment |
240 units across ICU and oncology |
| Clinical use |
Continuous medication infusion |
2. STRIDE-HC threat scenarios
S — Spoofing (CAW = 1.2)
Network-attacker scenarios:
- ARP cache poisoning to redirect device traffic
- Forged HL7 messages from spoofed nursing station
- Rogue device impersonation on shared VLAN
Physical / insider-attacker scenarios:
- Substituted device with cloned identifier (during scheduled service window)
- Vendor-impersonation social engineering at device location
- Cloned RFID/NFC token used for proximity authentication of paired display
Detection methods (Framework V):
- Passive device fingerprinting (network sensor with longitudinal store)
- Badge-correlation analytics (vendor service activity vs. work order)
- Network UEBA peer-set anomaly
Compensating controls (Framework I):
- 802.1X port-based access control with MAC allowlisting
- Tamper-evident asset tags with serialised identifier
- Vendor-escort policy with mandatory clinical engineering accompaniment
CCD coverage assessment: Partial — physical fingerprinting and badge correlation cover most scenarios; vendor impersonation requires improved staff training.
T — Tampering (CAW = 1.1)
Network-attacker scenarios:
- Unauthorised firmware push from compromised vendor channel
- Configuration tampering via unauthenticated management interface
Physical / insider-attacker scenarios:
- Firmware injection via USB-A during service
- Configuration tamper via RS-232 service port using leaked service-mode PIN
- Physical replacement of vendor-supplied SD card during maintenance
Detection methods (Framework V):
- Network-adjacent file integrity inferred via configuration management traffic
- Configuration version comparison via management API
- Tamper-evident seal inspection (monthly cadence)
Compensating controls (Framework I):
- Logical USB disablement via vendor service mode
- Physical port blockers (epoxy) on unused ports
- Inline MFA shim (Pattern C) at RS-232 service port — gated by TOTP
- Tamper-evident sealing with serialised seals on service-port covers
CCD coverage assessment: Partial — Pattern C addresses primary physical vector; firmware push is mitigated by IPS but not eliminated.
R — Repudiation (CAW = 0.9)
Network-attacker scenarios:
- Unattributable configuration changes via shared service account
- Untraceable data access via cleartext HL7
Physical / insider-attacker scenarios:
- Service-mode access by unidentified technician
- Bedside infusion-rate changes by unidentified clinician
- PHI capture by mobile-phone photography
Detection methods (Framework V):
- Network PCAP with 90-day retention
- Syslog proxy capturing HL7 transactions
- Physical badge access logs correlated to device location and service activity
- UEBA behavioural baseline of clinical interaction patterns
Compensating controls (Framework I):
- Network-level logging pipeline (compensates for absent device logging)
- PAW with individual auth upstream (Pattern A) for any administrative function
- Session recording at the Pattern C MFA shim
- Badge-to-device correlation analytics
CCD coverage assessment: Partial — strong network and physical correlation, but bedside parameter changes outside service mode remain attributable only to “the assigned nurse” rather than to a specific user action.
Network-attacker scenarios:
- PHI interception on shared network segment (cleartext HL7 v2 carries patient identifier and dose data)
- Unprotected data export via management interface
Physical / insider-attacker scenarios:
- PHI display photographed in shared environment (multi-occupancy room)
- Bulk PHI export to USB at service port
- Eavesdropping on Bluetooth pairing with paired display
Detection methods (Framework V):
- Protocol-aware IDS flagging cleartext PHI in HL7 traffic
- Display privacy filter audit
- WIDS for proximity wireless interaction
- DLP at network gateway
Compensating controls (Framework I):
- IPSec tunnel encapsulating cleartext HL7 to nursing station
- VLAN isolation on dedicated infusion-pump VLAN
- Privacy filters on displays in multi-occupancy rooms
- PHI minimisation: pump display configured to show only patient initials and last 4 digits of MRN
- Service-port USB disablement via vendor service mode
CCD coverage assessment: Full — comprehensive controls validated annually via penetration test; protocol-aware IDS deployed.
D — Denial of Service (CAW = 1.5)
Network-attacker scenarios:
- Network flooding disrupts HL7 communication, interrupting dose updates
- Targeted protocol-parser crash (URGENT/11-class CVE in VxWorks IPnet stack)
- Resource exhaustion via malformed HL7 messages
Physical / insider-attacker scenarios:
- Power or network cable disconnection at device location
- Physical destruction or theft (rare but documented in agency-staff incidents)
- Service-mode reset rendering pump unavailable mid-therapy
Detection methods (Framework V):
- Availability monitoring with alerting (sub-30-second alarm)
- Device location video surveillance
- Environmental monitoring (power consumption anomaly via building management system)
Compensating controls (Framework I):
- Dedicated VLAN with QoS priority (highest tier in five-zone segmentation)
- Rate limiting upstream of pump VLAN
- Redundant network paths
- Uptime SLA contracted with ExampleMed Inc.
- Backup pump staging in each unit
- Physical access controls on patient room
CCD coverage assessment: Partial — strong network-side controls; physical destruction is mitigated by surveillance and backup staging but not prevented.
E — Elevation of Privilege (CAW = 1.1)
Network-attacker scenarios:
- Default credential exploitation via management interface (mitigated by Pattern A)
- Lateral movement to nursing station via compromised pump
Physical / insider-attacker scenarios:
- Service-mode credential abuse via RS-232 (mitigated by Pattern C)
- Vendor-service-tool privilege abuse (vendor laptop has documented elevated privileges)
- Unauthorised access to administrative menus via undocumented key sequence (disclosed in leaked service manual)
Detection methods (Framework V):
- IDS/IPS with VxWorks IPnet stack signatures
- Privilege escalation monitoring at upstream PAM
- Behavioural analytics for HL7 anomaly indicating exploited pump
- Service-port session recording
Compensating controls (Framework I):
- Virtual patching via IPS for known VxWorks CVEs
- Network microsegmentation (Zone 0 dedicated VLAN)
- Inline MFA shim (Pattern C) at service port — addresses physical EoP
- PAM upstream (Pattern A) — addresses network EoP
- Vendor service activity supervised by clinical engineering
CCD coverage assessment: Partial — Patterns A and C jointly cover primary EoP vectors; vendor tooling remains a residual risk requiring contractual SLA improvements.
3. MDRS-relevant outputs
Coverage summary for CCD calculation:
| Category |
Coverage |
| S |
Partial |
| T |
Partial |
| R |
Partial |
| I |
Full |
| D |
Partial |
| E |
Partial |
Five categories partial, one full → CCD score in the 7–8 band → CCD = 7.
This feeds the MDRS calculation: with CIS=9.0, ES=7.5, DCI=8.0, NEF=8.0, CCD=7.0, the composite is 8.175 → CRITICAL tier (paper Table 7).
4. Document control
| Field |
Value |
| Author |
Clinical Engineering / InfoSec joint authoring |
| Reviewer |
CISO and Director of Clinical Engineering |
| Approval date |
2026-04-10 |
| Next review |
2027-04-10 |
| Linked CJRs |
CJR-EMPump-001-MFA, CJR-EMPump-002-Encryption, CJR-EMPump-003-ServicePort |
| Current MDRS |
8.175 → CRITICAL |