FDA Okays Tool for Determining Medical Device Vulnerability Scores

MITRE Corporation created a new rubric for determining Common Vulnerability Scoring System (CVSS) scores of medical device vulnerabilities and it has passed the FDA’s scrutiny.

The CVSS was created for setting scores for vulnerabilities in IT systems based on their severity, and although the system works well for a lot of IT systems, it is less appropriate for scoring medical device vulnerabilities.

When vulnerabilities are found in medical devices, the producers of the device utilize the CVSS as a reliable and standardized means of talking about the vulnerability’s seriousness to the Department of Homeland Security (DHS), National Cybersecurity and Communications Integration Center (NCCIC) and other bureaus. IT teams in hospitals and clinics use the CVSS scores for giving priority to patching and updating software. When a vulnerability gets a score of 9.0, it usually is given priority over a vulnerability having a CVSS score of 3.0, for example. Nevertheless, CVSS base scores tend not to sufficiently mirror the clinical setting and possible patient safety consequences.

To deal with this concern, the FDA hired the MITRE Corporation to create another rubric, particularly for medical devices to enable to effectively score vulnerabilities. In the past days, the FDA reported that the latest rubric is now approved as a Medical Device Development Tool (MDDT). As an MDDT, it should make scientifically possible measurements and should work as expected within the selected context of usage.

The new rubric to be used for the CVSS on medical devices, along with CVSS v3, generates a framework for assessing risk and communicating between all entities concerned in security vulnerability disclosure, particularly with regards to the intensity of vulnerabilities and to communicate seriousness to ensure that responses will be prioritized.

One of the difficulties with the CVSS is that the base score designated to a vulnerability is meant to provide a general expression of the risk connected with that vulnerability, yet the base score metric doesn’t consider the environment wherein the device or IT software is utilized. It is essential to modify the score in terms of the particular case wherein a device or IT program is employed, as this could significantly increase the threat posed by a vulnerability.

This is specifically crucial in healthcare, where there are cases when the base score is fairly low though the risk is really high, for instance when patient safety is at risk. There were a number of instances where vulnerabilities in medical devices were given a fairly low severity score employing CVSS v3, although vulnerability exploitation presents a direct and severe risk to patients.

The new rubric gives specific guidelines for designating CVSS scores to medical device vulnerabilities, clarifies the base metric group and temporarily sets metric group and the environmental metric group, with about half of the rubric focused on the latter and its significance for altering scores to precisely represent risks as a component of a risk evaluation for a medical device.