
From Spreadsheets to System-Level Clarity: How Medical Device Manufacturers Are Transforming Cybersecurity Threat Modeling
Cybersecurity in medical devices has never been more consequential. The FDA's updated cybersecurity guidance is in effect, the EU's Cyber Resilience Act (CRA) has introduced sweeping requirements for products with digital elements, and the EU AI Act adds cybersecurity and risk management obligations for AI-enabled devices. Regulators now expect demonstrable, traceable evidence that security was designed into products from the start, that threats were systematically assessed, and that supporting documentation can be produced quickly and completely.
Yet for most medical device companies, cybersecurity threat modeling remains trapped in fragmented spreadsheets, disconnected tools, and manual reconciliation workflows that take months to produce a single document. The tools differ, but the challenge is universal.
The real problem: fragmented threat modeling
The challenge isn't a lack of expertise. Most medical device companies have mature threat modeling processes, experienced teams, and thorough templates. Some have even built custom VBA scripts to automate CVSS vector generation.
But the workflow is disconnected from the rest of the product development lifecycle, and that disconnect shows up consistently. Large enterprises operate dozens or even hundreds of separate QMS instances across divisions with no standardization. Design quality teams are overwhelmed and stretched thin. The documentation that demonstrates traceability from cybersecurity risks through safety risks to design controls takes two months or more to produce.
CVSS vectors live entirely within the spreadsheet. Threats do not have an automatic connection to design controls. Vulnerability management data lives in yet another system. When a new vulnerability surfaces, correlating it with existing threat assessments requires manual work across multiple tools and teams, and that correlation work creates both operational inefficiency and compliance risk. Teams have tried ALM tools, but traceability links end up half-manual, bi-directional traceability often doesn't exist, and work routinely happens outside the official system altogether.
The most significant gap is between cybersecurity risks and patient safety risks.
A cybersecurity threat can directly translate into a patient safety event, yet the two workflows are managed in completely separate systems with no shared traceability.
Gaps are only discovered through manual cross-referencing, if they're discovered at all.
Without system-enforced guardrails, process integrity also suffers: risk acceptability scores get overridden without justification, and harm severity ratings get improperly changed after controls are added, even though the underlying harm remains the same if controls are compromised.
This fragmented toolchain creates a systemic gap between cybersecurity intent and execution, and the timelines make it worse. Living documents that need updating every time the threat environment changes take a full quarter to iterate. Companies spend close to a year on manual test cases for a single product. These timelines are incompatible with the CRA's 24-hour vulnerability notification requirement or the AI Act's expectation that technical documentation stay current throughout an AI system's lifecycle.
Converging regulations are raising the bar
Across all three, the pattern is the same: the connection between identified threats, security requirements, and system architecture must be documented and demonstrable. The AI Act adds that AI systems classified as high-risk (which includes many AI-based medical devices, depending on the device's risk class under MDR) must implement protections against data poisoning and adversarial attacks. The proposed MDR/IVDR revisions, while not yet enacted, signal that medical device manufacturers will face CRA-equivalent expectations whether through the CRA directly or through a converging MDR/IVDR.
For teams already struggling to produce a threat model document in under two months, this convergence demands a fundamentally different approach.
A different approach: round-trip threat modeling with end-to-end traceability
The goal isn't to replace the tools cybersecurity teams have refined over years. It's to connect their outputs to the rest of product development so that documentation becomes an artifact of work, not an additional workstream.
One top-five medical device manufacturer took exactly this approach. Their existing spreadsheet template, where analysts used custom VBA scripts to develop a questionnaire to determine an appropriate CVSS base vector for threats, remained their working surface. With lightweight modifications, hundreds of threat items could be imported into Ketryx in a single operation: structured, versioned, and immediately traceable. The workflow supported true round-tripping: updates in the spreadsheet could be re-imported and reconciled automatically, preserving all traceability links and the workflows that their product security engineers already knew.
Once connected, threats were linked directly to the safety risks they introduce, to design controls, and to vulnerability findings against the SBOM. The traceability chain previously missing between cybersecurity and safety risk management activities became explicit and auditable. The result: an 80% reduction in vulnerability assessment time and full end-to-end traceability.
What changes when threat modeling is connected
When threats are managed as traceable items rather than rows in a document, the workflow changes in concrete ways.
Cybersecurity risk and patient safety risk are explicitly linked. Both cybersecurity engineers and clinical safety teams can navigate the relationship between a threat and the safety risk it introduces directly, without manual cross-referencing. This traceability is what regulators expect to see.
Cross-functional teams share a common context. Design control engineers see which threats are linked to their requirements. Safety professionals trace back to the specific cyber threat. Leadership gets a real-time view of assessment status.
Vulnerability triage draws on the full product context. When new vulnerabilities surface, reasoning across the threat model, design controls from connected source systems, source code, and vulnerability databases like the NVD and GHSA produces contextualized assessments that a subject matter expert can review in minutes rather than days.
Security by design becomes demonstrable. When threat modeling is connected to requirements, design controls, and vulnerability data, the documentation trail is built as part of the work itself. You can show regulators not just that threats were identified, but how they were mitigated through specific requirements in the system architecture and how those requirements were verified.
How Ketryx can help
Ketryx's CSRA capability provides structured threat assessment with end-to-end traceability, purpose-built for medical device teams navigating FDA guidance, the CRA, and the AI Act.
Structured threat model management, your way. Preserve your existing spreadsheet workflow with round-trip imports that sync automatically, upload your threat model from another tool to Ketryx through our seamless tabulated file importer, or build and maintain threat models natively inside Ketryx without disrupting existing workflows.
End-to-end traceability, including cybersecurity to safety risk. Connect threat items directly to safety risks, design controls, and vulnerability findings against the SBOM. Ketryx AI suggests relationships based on your system architecture and design controls, giving SMEs a foundation to review rather than building from scratch.
Audit-ready documentation as an artifact of work. Structured workflows, full audit trails, and documentation that generates from data you already maintain, for FDA submissions, CRA technical files, or AI Act compliance records.
Looking forward
The gap between cybersecurity intent and execution is no longer just a workflow problem. It is becoming a market access problem. The ability to produce traceable, current cybersecurity documentation will increasingly determine how quickly a product reaches the market, and whether it stays there. The teams that build this foundation now will be better positioned to absorb new regulatory requirements without starting from scratch, respond to vulnerability disclosures in hours instead of weeks, and demonstrate security by design as a matter of course.
It is also where AI will have the biggest impact. We see a future where AI helps teams triage new vulnerabilities against their threat model, surface relevant existing mitigations, and accelerate CVSS rescoring for SME review. That future builds directly on the traceable foundation CSRA establishes today.
For a closer look at how Ketryx CSRA works, request a demo.

Iskender Mambetkadyrov is an Associate Product Manager at Ketryx, bringing a background in biomedical engineering and science & technology policy. Before Ketryx, he worked in quality and client complaints at BD, spent three years in regenerative medicine research at Axial Therapeutics (now Vertero), and managed an NSF-funded project focused on emergency technology access for people with disabilities. Iskender holds a BS in Biomedical Engineering and an MS in Science, Technology, and Public Policy from the Rochester Institute of Technology.

