
Using EPSS and CVSS to prioritize Medical Device Vulnerability Management

In previous posts we talked about the Common Vulnerability Scoring System (CVSS) and also about the Exploit Prediction Scoring System (EPSS). Now it’s time to see how they work together to help you with vulnerability management on the medical devices you support. But before we get into that, here is a little refresher…

The Exploit Prediction Scoring System (EPSS) is a data-driven framework developed by the Forum of Incident Response and Security Teams (FIRST) to estimate the likelihood of a specific cybersecurity vulnerability being exploited in the wild. The EPSS model uses statistical and machine learning techniques to analyze large datasets that include information on known vulnerabilities, historical exploitation trends, and external factors like the availability of exploit tools.

EPSS provides a probability score ranging from 0 to 1, which reflects the likelihood that a given vulnerability will be exploited within the next 30 days. A higher EPSS score indicates a greater probability of exploitation. This scoring system is designed to complement the Common Vulnerability Scoring System (CVSS), which measures the potential impact and severity of a vulnerability based on its technical characteristics.

Key Features of EPSS

1. Data-Driven Insights: EPSS uses a variety of data sources, including exploit databases, vulnerability attributes, and community discussions, to calculate the probability of exploitation.

2. Dynamic Scoring: EPSS scores are recomputed as new data becomes available (FIRST publishes refreshed scores daily), so a score reflects current exploitation trends rather than the state of the world when the CVE was published. Treat a cached EPSS value as stale after a few days.

3. Granular Probability: The scoring system provides a probability score that helps security professionals focus on vulnerabilities that are more likely to be targeted.

For more detailed information on how EPSS works, visit the EPSS Project Homepage.

How EPSS Can Be Useful for Medical Device Vulnerability Management

Medical devices are unique in that they often operate in highly sensitive environments where cybersecurity issues can directly impact patient safety. Because of their complex nature and regulatory constraints, medical devices require specialized approaches to vulnerability management. EPSS can play a valuable role in this context, especially when used in conjunction with the CVSS score of a vulnerability.

1. Prioritizing Vulnerability Remediation Based on Exploit Likelihood

Medical device manufacturers and healthcare organizations often struggle to prioritize which vulnerabilities to address first due to resource limitations and operational constraints. EPSS can help prioritize vulnerabilities based on the likelihood of exploitation, ensuring that the most critical issues are addressed first.

For example, a vulnerability with a high CVSS score (indicating it could cause severe damage) but a low EPSS score (indicating it’s unlikely to be exploited) might be deprioritized in favor of a vulnerability with a moderate CVSS score but a high EPSS score. This approach ensures that remediation efforts are focused on vulnerabilities that pose a more immediate risk to the device and the healthcare ecosystem.

2. Complementing CVSS for a More Comprehensive Risk Assessment

CVSS scores are valuable for understanding the technical severity of a vulnerability, considering factors like the potential impact on device functionality, the need for user interaction, and the level of access required. However, the CVSS base score does not account for how likely the vulnerability is to be exploited in real-world scenarios; the optional temporal and environmental metrics are rarely populated in the feeds most organizations consume. By combining EPSS with CVSS, medical device manufacturers and healthcare organizations can make more informed decisions.

For instance, a high CVSS score might indicate that a vulnerability could significantly affect device operations, but if EPSS shows a low likelihood of exploitation, it might be more appropriate to focus on vulnerabilities that have both high CVSS and EPSS scores. This helps prevent the over-allocation of resources to low-priority vulnerabilities while still maintaining a high level of security.

3. Aligning Vulnerability Management with Threat Landscape

The threat landscape for medical devices can be different from traditional IT systems. Attackers targeting medical devices might have different motivations, such as disrupting healthcare operations or compromising patient data. EPSS takes into account current threat trends, providing up-to-date insights on which vulnerabilities are more likely to be exploited based on real-world data.

By using EPSS, organizations can align their vulnerability management strategies more closely with the actual threat landscape, ensuring that they address vulnerabilities that are not only severe but also actively being targeted by attackers.

4. Facilitating Better Decision-Making for Regulatory Compliance

Medical device manufacturers are subject to strict regulatory requirements, including those set by the FDA and other international bodies. These regulations often require manufacturers to have robust cybersecurity processes in place, including risk-based vulnerability management. By using EPSS in conjunction with CVSS, manufacturers can create a more robust framework for vulnerability management that satisfies regulatory requirements while also being aligned with the latest threat data.

Potential Pitfalls of Using EPSS for Medical Devices

While EPSS offers numerous benefits, there are also potential pitfalls to consider when applying it to medical device security:

1. Lack of Clinical Context: EPSS scores a CVE, not a deployment. It does not know which device the vulnerable component sits in or what that device does for a patient, so it cannot consider the clinical impact of a vulnerability. A vulnerability that has a low probability of exploitation might still pose a high risk to patient safety if it affects critical device functionality.

2. Insufficient Data on Medical Device Exploits: EPSS relies on large datasets of observed exploitation activity, but these datasets may not include sufficient information on medical device-specific vulnerabilities, which are exploited on segmented clinical networks that rarely feed public telemetry. This could result in less accurate EPSS scores for vulnerabilities in medical devices compared to traditional IT systems. EPSS also only scores published CVEs, so a device flaw disclosed without a CVE ID has no EPSS score at all.

3. Over-Reliance on EPSS for Prioritization: Medical device manufacturers should avoid relying solely on EPSS for vulnerability prioritization. It should be used as one part of a broader risk assessment strategy that also considers clinical impact, regulatory requirements, and operational constraints.

Recommended Approach: Combining EPSS and CVSS for Medical Device Security

To maximize the effectiveness of vulnerability management in medical devices, it’s recommended to use a hybrid approach that leverages both EPSS and CVSS:

Use CVSS to Assess Impact: Evaluate vulnerabilities based on their technical severity using the CVSS base score, which captures potential impact on device confidentiality, integrity and availability, the access required, and whether user interaction is needed. CVSS does not measure patient safety or regulatory exposure; those come from the device-specific factors below.

Use EPSS to Assess Likelihood: Use EPSS to determine the likelihood of exploitation based on historical data and current threat trends.

Incorporate Clinical and Operational Factors: Consider additional factors specific to medical devices, such as whether the device is life-supporting or whether it operates in a network-isolated environment.

Create a Holistic Risk Score: Develop a combined risk score or matrix that takes into account CVSS, EPSS, and additional medical device-specific factors to guide remediation efforts.
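A worked version of this hybrid approach, covering the CVSS-versus-EPSS trade-off described in sections 1 and 2 as well as the four recommended steps above. This is an added example and not code from the original post or from FIRST: the tier thresholds, the isolation discount and the clinical override are assumptions chosen for illustration, and the four findings are constructed with placeholder identifiers rather than real CVEs.

```python
from dataclasses import dataclass

# Thresholds and weights are assumptions chosen for illustration; they are
# not defined by FIRST (EPSS/CVSS) and should be tuned per organisation.
CVSS_HIGH = 7.0           # CVSS v3.x "High" starts at 7.0
CVSS_CRITICAL = 9.0       # CVSS v3.x "Critical" starts at 9.0
LIKELY_EXPLOIT = 0.10     # assumed EPSS cut-off for "likely to be exploited"
ISOLATION_DISCOUNT = 0.2  # assumed modifier for network-only flaws on isolated devices

TIER_ORDER = {"P1-clinical": 0, "P1": 1, "P2": 2, "P3": 3, "P4": 4}


@dataclass(frozen=True)
class Finding:
    ident: str              # local tracking id (constructed, not a real CVE)
    cvss_base: float        # CVSS v3.x base score, 0.0..10.0
    epss: float             # EPSS probability of exploitation within 30 days, 0.0..1.0
    attack_vector: str      # AV from the CVSS vector: "N", "A", "L" or "P"
    life_supporting: bool   # device sustains life (e.g. ventilator, infusion pump)
    network_isolated: bool  # device has no path from untrusted networks


def cvss_band(score: float) -> str:
    """Qualitative rating per FIRST's CVSS v3.x severity scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < CVSS_HIGH:
        return "Medium"
    if score < CVSS_CRITICAL:
        return "High"
    return "Critical"


def adjusted_likelihood(f: Finding) -> float:
    """EPSS likelihood adjusted for device exposure (assumed model).

    EPSS is per-CVE and knows nothing about deployment. A network-only
    (AV:N) flaw on a device with no reachable network path is discounted;
    everything else keeps the raw EPSS value.
    """
    if f.attack_vector == "N" and f.network_isolated:
        return round(f.epss * ISOLATION_DISCOUNT, 4)
    return f.epss


def triage(f: Finding) -> dict:
    """Combine impact (CVSS), likelihood (EPSS) and clinical context into a tier."""
    likelihood = adjusted_likelihood(f)
    impact = f.cvss_base / 10.0
    score = round(impact * likelihood, 4)

    if f.life_supporting and f.cvss_base >= CVSS_HIGH:
        # Clinical override (pitfall 1): a severe flaw in a life-supporting
        # function is fixed first even if EPSS says exploitation is unlikely.
        tier = "P1-clinical"
    elif f.cvss_base >= CVSS_HIGH and likelihood >= LIKELY_EXPLOIT:
        tier = "P1"
    elif likelihood >= LIKELY_EXPLOIT or f.cvss_base >= CVSS_CRITICAL:
        tier = "P2"
    elif f.cvss_base >= CVSS_HIGH:
        tier = "P3"
    else:
        tier = "P4"

    return {"id": f.ident, "severity": cvss_band(f.cvss_base),
            "likelihood": likelihood, "score": score, "tier": tier}


def prioritize(findings) -> list:
    """Order findings: tier first, then combined score descending."""
    return sorted((triage(f) for f in findings),
                  key=lambda r: (TIER_ORDER[r["tier"]], -r["score"]))


# Constructed sample findings (identifiers are placeholders, not real CVEs).
SAMPLE_FINDINGS = [
    Finding("A", 9.8, 0.02, "N", False, False),  # critical on paper, rarely exploited
    Finding("B", 6.5, 0.60, "N", False, False),  # medium severity, actively exploited
    Finding("C", 7.5, 0.01, "N", True, False),   # infusion pump: clinical override
    Finding("D", 8.8, 0.40, "N", False, True),   # high and exploited, but isolated segment
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_FINDINGS):
        print(f'{r["tier"]:12} {r["id"]}  sev={r["severity"]:8} '
              f'p={r["likelihood"]:.4f} score={r["score"]:.4f}')
```

Running it orders the findings C, B, A, D: the life-supporting pump (C) jumps the queue despite a 1% EPSS, the actively exploited medium (B) outranks the rarely exploited critical (A) exactly as section 1 argues, and the isolated device (D) drops to P3 because its network-only flaw has no reachable path. The isolation discount is the part most worth arguing about in your own program; an "isolated" segment that a vendor laptop plugs into every quarter is not isolated, so audit that attribute before trusting it.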

Conclusion

The Exploit Prediction Scoring System (EPSS) provides valuable insights into the likelihood of vulnerabilities being exploited, making it a useful tool for vulnerability management in medical devices. When used in conjunction with the Common Vulnerability Scoring System (CVSS), EPSS helps healthcare organizations and medical device manufacturers prioritize vulnerabilities more effectively. However, its use should be complemented with clinical and operational considerations to ensure a comprehensive approach to medical device security.

For further reading on EPSS and CVSS, explore the following resources:

EPSS Project Homepage by FIRST

CVSS Overview and Documentation by FIRST

FDA Guidance on Medical Device Cybersecurity

By adopting a multi-faceted approach that combines EPSS, CVSS, and clinical risk management, organizations can effectively mitigate cybersecurity risks to medical devices and safeguard patient safety.

Our comprehensive vulnerability database incorporates both CVSS v3 and EPSS data to help you triage and prioritize your vulnerability management work. Interested in how it works and how it may be able to help you?
