Rubric For Applying CVSS To Medical Devices

To understand the rubric for applying CVSS to medical devices, we must first look at the limitations of the original system.

The Common Vulnerability Scoring System (CVSS) is a public framework for rating the severity of security vulnerabilities in software. CVSS provides a means to communicate the principal characteristics of a vulnerability and to produce a standard numeric score. Scores are calculated with a published formula from several metrics that approximate how easy a vulnerability is to exploit and how much damage a successful exploit can do. Scores range from 0.0 to 10.0, with 10.0 being the most severe.

The origin of CVSS dates back to 2005. Before its introduction, software vendors used their own methods for evaluating and scoring vulnerabilities. The trouble with having no industry standard was that it created ambiguity and confusion for system administrators. For example, if one issue was labelled ‘high’ and another had a rating of ‘5’, which should be addressed first?

To address this problem, the US National Infrastructure Advisory Council (NIAC) developed CVSS to produce consistent scores that could accurately reflect the impact of vulnerabilities on a specific IT environment. CVSS and its associated rubric and examples were originally developed for enterprise information technology systems.

The Challenge of Using CVSS for Medical Devices

As mentioned above, CVSS was originally designed to convey the severity of vulnerabilities found in IT systems. It is less useful for evaluating medical devices because it does not adequately reflect the clinical environment or the potential impact on patient safety.

In other words, security risk assessment and safety risk assessment are different things, and using the same scoring system for both creates problems. A security control can make complete sense when viewed in isolation yet become counterproductive once patient safety is brought into the equation. For example, protecting software with a password to prevent unauthorised access is a sensible control. But what happens in an emergency, when that software is needed to save a life and there is no time to spare? The same control could cost valuable minutes and prove fatal.

CVSS also does not prompt consideration of the medical device’s design or the clinical network it operates in. As a result, it neither determines the impact of a cybersecurity vulnerability on the essential performance of the device nor ties that assessment back to the clinical environment, which is what is needed to evaluate potential patient safety impacts.

This ‘security risk assessment vs safety risk assessment’ dilemma is exactly why the FDA contracted MITRE to create a special rubric for assigning CVSS scores to medical device vulnerabilities. The ‘Rubric for Applying CVSS to Medical Devices’ was published by MITRE in October 2020. It was developed in collaboration with a working group of subject matter experts from across the medical device ecosystem, including the FDA, medical device manufacturers, healthcare delivery organizations, security experts, and safety/risk assessment experts.

Summary of MITRE’s CVSS Rubric Calculators

The rubric is structured as a series of questions along a decision pathway. The decision points are laid out as flowcharts, one per CVSS metric, so that an assessor answers each question about the device and its clinical context and the answers lead to a value for that metric. Throughout, the questions push the assessor back towards the root cause of the vulnerability rather than its symptoms.

The FDA-qualified rubric, developed by MITRE, includes:

  • Customized, healthcare delivery organization (HDO)-specific guidance that is not included in the original specification
  • Device-specific examples
  • Discussion of difficulties in (1) the repeatability of the rubric and (2) conformance to the spirit of the original CVSS v3.0 specification
  • Consideration of the perspectives relevant to a medical device manufacturer or an HDO, including (1) patient safety and (2) patient/clinician privacy
  • Visual guides in the form of decision trees or flowcharts to simplify the process

The FDA believes that using MITRE’s rubric for applying CVSS to medical devices, together with CVSS v3.0, allows for “a common framework for risk evaluation and communication between all parties involved in a security vulnerability disclosure, particularly when discussing its severity and urgency.”

Shortly after its publication, the FDA qualified the rubric as a Medical Device Development Tool (MDDT), which means FDA believes the rubric produces measures that can be used in “the evaluation and justification of patient-centric, situational impact and urgency characteristics in time-sensitive postmarket vulnerability disclosures of medical devices.”

The rubric has been integrated into Nova Leah’s SelectEvidence platform to better evaluate and communicate the severity of vulnerabilities in medical devices. SelectEvidence presents an interactive workflow that guides users through the CVSS Rubric for Medical Devices and reports the results both as a standard CVSS vector and in the healthcare-specific, patient-centric terms of the rubric.

The ‘Rubric for Applying CVSS to Medical Devices’ is an important step towards improving software security whilst maintaining patient safety.

Read the Latest Medical Device Cybersecurity Industry News

On May 12, 2021, US President Joe Biden issued an Executive Order on strengthening the nation’s cybersecurity. The order followed a string of high-profile cyber-attacks over the preceding 18 months, including those against Twitter, Zoom, Marriott International, Magellan, Toll Group, Garmin and, most notably, SolarWinds and Colonial Pipeline. Read more about Biden’s Executive Order and the impact it will have on the medical device industry.