FDA Approves Tool for Scoring Medical Device Vulnerabilities

The FDA has approved a new rubric designed by the MITRE Corporation for assigning Common Vulnerability Scoring System (CVSS) scores to medical device vulnerabilities.

The CVSS was designed for assigning scores to vulnerabilities in IT systems according to their severity, and while the system works well for many IT systems, it is less well suited to scoring vulnerabilities in medical devices.

When vulnerabilities are discovered in medical devices, device manufacturers use the CVSS as a consistent and standardized way of communicating the severity of a vulnerability to the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and other agencies. The scores are used by IT teams in hospitals and clinics for prioritizing patching and software updates. If a vulnerability has a score of 9.0, it naturally takes priority over a vulnerability with a CVSS score of 3.0, for instance. However, CVSS base scores do not adequately reflect the clinical environment and potential patient safety impacts.

To address this issue, the FDA contracted the MITRE Corporation to develop a new rubric specifically for medical devices to allow vulnerabilities to be accurately scored. This week, the FDA announced that the new rubric has been qualified as a Medical Device Development Tool (MDDT) and has now been approved for use. To qualify as an MDDT, a tool must produce scientifically plausible measurements and must work as intended within the specified context of use.

The new rubric for applying the CVSS to medical devices, used together with CVSS v3, gives everyone involved in a security vulnerability disclosure a common framework for evaluating and communicating risk: it conveys the severity of a vulnerability and the urgency of a response, so that responses can be prioritized.

Part of the problem with the CVSS is that the base score assigned to a vulnerability is intended to give a general impression of the risk associated with that vulnerability, but the base metric group does not take into consideration the environment in which the device or IT system is used. It is important to adjust the score for the specific setting in which a device or IT system is deployed, as that setting can greatly increase the risk posed by a vulnerability.

This is especially important in healthcare, where the base score may be relatively low even though the actual risk is high, such as when patient safety is affected. There have been several cases where vulnerabilities in medical devices were assigned a relatively low severity score using CVSS v3, even though exploitation of the flaws poses a direct and serious risk to patients.

The new rubric provides detailed instructions for assigning CVSS scores to medical device vulnerabilities. It explains the base metric group, but also the importance of the temporal metric group and the environmental metric group; around half of the rubric is dedicated to the environmental group and its role in adjusting scores to accurately reflect risk as part of a risk assessment for a medical device.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.