From Spreadsheets to System-Level Clarity: How Medical Device Manufacturers Are Transforming Cybersecurity Threat Modeling

From Spreadsheets to System-Level Clarity: How Medical Device Manufacturers Are Transforming Cybersecurity Threat Modeling

Iskender Mambetkadyrov
April 20, 2026

Table of Contents

Cybersecurity in medical devices has never been more consequential. The FDA's updated cybersecurity guidance is in effect, the EU's Cyber Resilience Act (CRA) has introduced sweeping requirements for products with digital elements, and the EU AI Act adds cybersecurity and risk management obligations for AI-enabled devices. Regulators now expect demonstrable, traceable evidence that security was designed into products from the start, that threats were systematically assessed, and that supporting documentation can be produced quickly and completely.

Yet for most medical device companies, cybersecurity threat modeling remains trapped in fragmented spreadsheets, disconnected tools, and manual reconciliation workflows that take months to produce a single document. The tools differ, but the challenge is universal.

The real problem: fragmented threat modeling

The challenge isn't a lack of expertise. Most medical device companies have mature threat modeling processes, experienced teams, and thorough templates. Some have even built custom VBA scripts to automate CVSS vector generation.

But the workflow is disconnected from the rest of the product development lifecycle, and that disconnect shows up consistently. Large enterprises operate dozens or even hundreds of separate QMS instances across divisions with no standardization. Design quality teams are overwhelmed and stretched thin. The documentation that demonstrates traceability from cybersecurity risks through safety risks to design controls takes two months or more to produce.

CVSS vectors live entirely within the spreadsheet. Threats do not have an automatic connection to design controls. Vulnerability management data lives in yet another system. When a new vulnerability surfaces, correlating it with existing threat assessments requires manual work across multiple tools and teams, and that correlation work creates both operational inefficiency and compliance risk. Teams have tried ALM tools, but traceability links end up half-manual, bi-directional traceability often doesn't exist, and work routinely happens outside the official system altogether.

The most significant gap is between cybersecurity risks and patient safety risks.

A cybersecurity threat can directly translate into a patient safety event, yet the two workflows are managed in completely separate systems with no shared traceability.

Gaps are only discovered through manual cross-referencing, if they're discovered at all.

Without system-enforced guardrails, process integrity also suffers: risk acceptability scores get overridden without justification, and harm severity ratings get improperly changed after controls are added, even though the underlying harm remains the same if controls are compromised.

This fragmented toolchain creates a systemic gap between cybersecurity intent and execution, and the timelines make it worse. Living documents that need updating every time the threat environment changes take a full quarter to iterate. Companies spend close to a year on manual test cases for a single product. These timelines are incompatible with the CRA's 24-hour vulnerability notification requirement or the AI Act's expectation that technical documentation stay current throughout an AI system's lifecycle.

Converging regulations are raising the bar

Regulation Key Requirements Timeline
EU Cyber Resilience Act (CRA) Security-by-design, technical documentation with cybersecurity risk assessment, vulnerability and incident reporting Sept 2026 for security-by-design
Vulnerability/incident reporting Dec 2027
EU AI Act AI-specific risk management integrated with ISO 14971, protections against data poisoning and adversarial attacks, comprehensive technical documentation Aug 2026 for provisions applicable
Full compliance Aug 2027
Proposed MDR/IVDR Revisions Cybersecurity integrated into general safety and performance requirements, incident reporting aligned with CRA framework Dec 2025 for proposed by the European Commission

Across all three, the pattern is the same: the connection between identified threats, security requirements, and system architecture must be documented and demonstrable. The AI Act adds that AI systems classified as high-risk (which includes many AI-based medical devices, depending on the device's risk class under MDR) must implement protections against data poisoning and adversarial attacks. The proposed MDR/IVDR revisions, while not yet enacted, signal that medical device manufacturers will face CRA-equivalent expectations whether through the CRA directly or through a converging MDR/IVDR.

For teams already struggling to produce a threat model document in under two months, this convergence demands a fundamentally different approach.

A different approach: round-trip threat modeling with end-to-end traceability

The goal isn't to replace the tools cybersecurity teams have refined over years. It's to connect their outputs to the rest of product development so that documentation becomes an artifact of work, not an additional workstream.

One top-five medical device manufacturer took exactly this approach. Their existing spreadsheet template, where analysts used custom VBA scripts to develop a questionnaire to determine an appropriate CVSS base vector for threats, remained their working surface. With lightweight modifications, hundreds of threat items could be imported into Ketryx in a single operation: structured, versioned, and immediately traceable. The workflow supported true round-tripping: updates in the spreadsheet could be re-imported and reconciled automatically, preserving all traceability links and the workflows that their product security engineers already knew.

Once connected, threats are linked directly to the safety risks they introduce, to design controls, and to vulnerability findings against the SBOM. The traceability chain previously missing between cybersecurity and safety risk management activities became explicit and auditable. The result: an 80% reduction in vulnerability assessment time and full end-to-end traceability.

What changes when threat modeling is connected

When threats are managed as traceable items rather than rows in a document, the workflow changes in concrete ways.

How Ketryx can help

Ketryx's CSRA capability provides structured threat assessment with end-to-end traceability, purpose-built for medical device teams navigating FDA guidance, the CRA, and the AI Act.

Looking forward

The gap between cybersecurity intent and execution is no longer just a workflow problem. It is becoming a market access problem. The ability to produce traceable, current cybersecurity documentation will increasingly determine how quickly a product reaches the market, and whether it stays there. The teams that build this foundation now will be better positioned to absorb new regulatory requirements without starting from scratch, respond to vulnerability disclosures in hours instead of weeks, and demonstrate security by design as a matter of course.

It is also where AI will have the biggest impact. We see a future where AI helps teams triage new vulnerabilities against their threat model, surface relevant existing mitigations, and accelerate CVSS rescoring for SME review. That future builds directly on the traceable foundation CSRA establishes today.