When evaluating cybersecurity risks, it’s crucial to have a standardized system to measure and communicate the severity of vulnerabilities. One such system is the Common Vulnerability Scoring System (CVSS). Widely adopted across industries, CVSS serves as a critical tool for security professionals to assess potential impacts and prioritize vulnerabilities. However, when it comes to specialized sectors such as medical devices, using CVSS can pose significant challenges. In this blog post, we’ll explore the fundamentals of CVSS, how it works, and why it might not be the best fit for scoring vulnerabilities in medical devices.
What is the Common Vulnerability Scoring System (CVSS)?
The Common Vulnerability Scoring System (CVSS) is an open framework used to rate the severity of software vulnerabilities. Developed by the Forum of Incident Response and Security Teams (FIRST), CVSS provides a standardized approach to quantify the impact and severity of security vulnerabilities. The system uses a combination of base, temporal, and environmental scores to capture different aspects of a vulnerability:
- Base Score: Represents the inherent characteristics of a vulnerability that are constant over time and across environments. This includes factors such as attack vector, attack complexity, privileges required, user interaction, and the impact on confidentiality, integrity, and availability.
- Temporal Score: Measures the vulnerability’s severity over time, accounting for factors such as exploitability, remediation level, and report confidence.
- Environmental Score: Adjusts the base and temporal scores based on the specific environment in which the vulnerability exists, such as the importance of the affected system or network.
 
Why CVSS is Widely Used
CVSS is popular for several reasons:
- Standardization: CVSS provides a consistent framework that allows for comparing vulnerabilities across different systems.
- Accessibility: The system is publicly available, making it widely accessible for use in various organizations and security tools.
- Transparency: The scoring process is transparent and reproducible, enabling stakeholders to understand how scores are derived.
 
To learn more about the fundamentals of CVSS and its scoring methodologies, check out the FIRST CVSS v3.1 Specification Document and the NIST National Vulnerability Database (NVD) CVSS Overview.
Pitfalls of Using CVSS for Scoring Vulnerabilities in Medical Devices
While CVSS is highly effective for general IT environments, it falls short when applied to medical devices. Medical devices operate under unique constraints, and the consequences of vulnerabilities can extend beyond data breaches to impact patient safety and healthcare outcomes. Here are some specific challenges and pitfalls of using CVSS in this context:
1. Lack of Context for Patient Safety
- CVSS focuses on traditional security impacts such as confidentiality, integrity, and availability. However, for medical devices, a vulnerability’s impact on patient safety and care delivery is often the primary concern. A CVSS score that highlights the impact on data confidentiality may not fully capture the risk to patient health.
 
2. Overemphasis on Technical Metrics
- The technical metrics in CVSS (e.g., attack vector, attack complexity) do not adequately account for clinical considerations. For example, a vulnerability that requires physical access may seem low-risk in traditional settings but could be critical in a healthcare environment where attackers might exploit access to disrupt life-saving treatments.
 
3. No Inclusion of Safety and Efficacy Measures
- Medical devices are governed by regulatory standards that prioritize safety and efficacy. CVSS scores do not incorporate these dimensions, leading to potential misalignment between cybersecurity risk assessments and clinical safety evaluations.
 
4. Inconsistent Environmental Scoring
- CVSS’s environmental scoring allows for some adjustment based on context, but the variability can lead to inconsistent evaluations. In healthcare environments, the criticality of a device can vary drastically based on its use (e.g., diagnostic vs. therapeutic devices), making it challenging to apply a standardized environmental score.
 
5. Impact of Availability on Healthcare Services
- In traditional IT systems, a Low availability impact rating may indicate that a system’s downtime is tolerable. However, in medical contexts, availability is critical, and any downtime of a medical device can result in delayed or missed treatments, which could have severe consequences for patient health.
 
Alternative Approaches for Medical Device Vulnerability Scoring
Given these limitations, it’s recommended to adopt more tailored frameworks for assessing vulnerabilities in medical devices. One such framework is the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook by the U.S. Food and Drug Administration (FDA) and the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group. This guide emphasizes a more nuanced approach that considers the clinical environment and potential patient impacts.
Another useful resource is the IMDRF (International Medical Device Regulators Forum) Medical Device Cybersecurity Guide, which provides recommendations for incorporating cybersecurity into medical device risk management processes.
Conclusion
While the Common Vulnerability Scoring System (CVSS) is an effective tool for assessing vulnerabilities in conventional IT environments, its application to medical devices has several shortcomings. These challenges arise due to the unique safety, regulatory, and operational requirements of medical devices. As a result, organizations in the healthcare sector should consider complementing CVSS with additional risk assessment frameworks that address patient safety and healthcare delivery.
For more information on CVSS, visit these resources:
- FIRST CVSS v3.1 User Guide
- NIST CVSS Calculator
- Understanding CVSS base score calculator | SecOps® Solution (secopsolution.com)
- CVSS v4.0 Examples (first.org)
 
By understanding the limitations of CVSS in medical contexts, stakeholders can better evaluate risks and implement cybersecurity strategies that ensure patient safety and device integrity.
Some information on adapting the existing CVSS scoring system to meet the needs of medical devices can be found here:

