Rubric for Applying CVSS to Medical Devices
October 2020
Topics: Health, Medical Devices, Cybersecurity, Information Security, Clinical Medicine, Computer Security
The Common Vulnerability Scoring System (CVSS) is an open standard designed to convey vulnerability severity and help determine the urgency and priority of response. When vulnerabilities are discovered in medical devices, medical device manufacturers, typically working with the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC), use CVSS to provide a consistent and standardized way to communicate the severity of a vulnerability among the parties involved, including the medical device manufacturer, hospitals, clinicians, patients, NCCIC, and vulnerability researchers.
Nonetheless, there are challenges in using CVSS to assess the severity of vulnerabilities in medical devices. CVSS and its associated rubric and examples were developed for enterprise information technology systems and do not adequately reflect the clinical environment and potential patient safety impacts.
To address these challenges, the MITRE Corporation, under contract to FDA, developed a rubric that provides guidance for how an analyst can utilize CVSS as part of a risk assessment for a medical device. This rubric was developed by MITRE in collaboration with a working group of subject matter experts across the medical device ecosystem, including FDA, medical device manufacturers, healthcare delivery organizations, security experts, and safety/risk assessment experts.
MedSec, a healthcare cybersecurity consulting company, developed an open-source Excel-based calculator to help users apply the rubric. The calculator can be downloaded from MITRE’s GitHub md-cvss-rubric-tools repository.
On October 20, 2020 FDA announced that the rubric was qualified as a Medical Device Development Tool (MDDT). An MDDT is a tool that FDA has evaluated “and concurs with available supporting evidence that the tool produces scientifically-plausible measurements and works as intended within the specified context of use.” The Qualification Summary is available on the MDDT website.
Please send comments or suggestions about the Medical Device CVSS Rubric to firstname.lastname@example.org.
Explore more at MITRE Focal Point: Health.