Rubric for Applying CVSS to Medical Devices

January 2019
Topics: Health, Medical Devices, Cybersecurity, Information Security, Clinical Medicine
Melissa P. Chase, The MITRE Corporation
Steven M. Christey Coley, The MITRE Corporation
Download PDF (1.18 MB)

The Common Vulnerability Scoring System (CVSS) is an open standard designed to convey vulnerability severity and help determine the urgency and priority of response. When vulnerabilities are discovered in medical devices, medical device manufacturers, typically working with the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC), use CVSS to provide a consistent and standardized way to communicate the severity of a vulnerability between multiple parties, including the medical device manufacturer, hospitals, clinicians, patients, NCCIC, and vulnerability researchers.

Nonetheless, there are challenges in using CVSS to assess the severity of vulnerabilities in medical devices. CVSS and its associated rubric and examples were developed for enterprise information technology systems and do not adequately reflect the clinical environment and potential patient safety impacts.

To address these challenges, the MITRE Corporation, under contract to FDA, developed a rubric that provides guidance for how an analyst can utilize CVSS as part of a risk assessment for a medical device. This rubric was developed by MITRE in collaboration with a working group of subject matter experts across the medical device ecosystem, including FDA, medical device manufacturers, healthcare delivery organizations, security experts, and safety/risk assessment experts.

Please send comments or suggestions about the Medical Device CVSS Rubric to securemed@mitre.org

Explore more at MITRE Focal Point: Health.

Publications

Interested in MITRE's Work?

MITRE provides affordable, effective solutions that help the government meet its most complex challenges.
Explore Job Openings

Publication Search