The FDA has accepted a new rubric that MITRE Corporation has developed for determining Common Vulnerability Scoring System (CVSS) scores for medical device vulnerabilities.
The CVSS was made for setting scores for vulnerabilities in IT systems depending on their severity, and though the system works nicely for numerous IT systems, it is less suited for scoring vulnerabilities in medical devices.
When vulnerabilities are identified in medical devices, the makers of the device employ the CVSS as a constant and standardized system of speaking about the vulnerability’s severity to the National Cybersecurity and Communications Integration Center (NCCIC), the Department of Homeland Security (DHS) and other institutions. IT teams in hospitals and clinics utilize the scores for putting emphasis on patching and software program updates. In case a vulnerability obtains a score of 9.0, it normally is given priority over a vulnerability that has a 3.0 CVSS score, for example. Nonetheless, CVSS base scores don’t properly represent the clinical conditions and probable patient safety effects.
To tackle this matter, the FDA engaged with the MITRE Corporation to produce a different rubric exclusively for medical devices to make it possible to correctly score vulnerabilities. Recently, the FDA stated that the new rubric is now qualified as a Medical Device Development Tool (MDDT). An MDDT has to provide scientifically viable measurements and need to work as designed within the chosen context of application.
The new rubric to be employed for the CVSS on medical devices, combined with CVSS v3, produces a system for evaluating risk and interacting between all parties engaged in security vulnerability disclosure, particularly regarding the seriousness of vulnerabilities and to express urgency so that responses are prioritized.
One of the issues with the CVSS is that the base score given to a vulnerability is designed to offer a general sense of the risk involved with that vulnerability, however, the base score metric fails to take into account the environment that the device or IT software is employed. It is crucial to adapt the score relative to the specified case where a device or IT program is utilized, as this may considerably increase the danger presented by a vulnerability.
This is specifically vital in the medical field, where there are instances when the base score is comparatively low although the risk is in fact high, for instance when patient safety is impacted. There are already various incidents where vulnerabilities in medical devices were designated a somewhat low severity score by applying CVSS v3, even though exploitation of the vulnerability poses a direct and critical threat to patients.
The new rubric offers precise recommendations for setting CVSS scores to healthcare device vulnerabilities, points out the base metric group and looks at the temporary metric group and the environmental metric group, with close to half of the rubric committed to the latter and its value for changing scores to perfectly indicate risk as a portion of a risk review for a medical device.