Rubric for Applying CVSS to Medical Devices
September 2019
Topics: Health, Medical Devices, Cybersecurity, Information Security, Clinical Medicine, Computer Security
The Common Vulnerability Scoring System (CVSS) is an open standard designed to convey vulnerability severity and help determine the urgency and priority of response. When vulnerabilities are discovered in medical devices, medical device manufacturers, typically working with the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC), use CVSS to provide a consistent and standardized way to communicate the severity of a vulnerability between multiple parties, including the medical device manufacturer, hospitals, clinicians, patients, NCCIC, and vulnerability researchers.
Nonetheless, there are challenges in using CVSS to assess the severity of vulnerabilities in medical devices. CVSS and its associated rubric and examples were developed for enterprise information technology systems and do not adequately reflect the clinical environment and potential patient safety impacts.
To address these challenges, the MITRE Corporation, under contract to FDA, developed a rubric that provides guidance for how an analyst can utilize CVSS as part of a risk assessment for a medical device. This rubric was developed by MITRE in collaboration with a working group of subject matter experts across the medical device ecosystem, including FDA, medical device manufacturers, healthcare delivery organizations, security experts, and safety/risk assessment experts.
Note: This revised document, released in September 2019, replaces an earlier version from January 2019.
Please send comments or suggestions about the Medical Device CVSS Rubric to firstname.lastname@example.org
Explore more at MITRE Focal Point: Health.