
Understanding the EPSS System for Scoring Cybersecurity Vulnerabilities and Its Pitfalls for Medical Devices

In the world of cybersecurity, prioritizing vulnerabilities for remediation can be a daunting task. With thousands of new vulnerabilities being disclosed every year, security teams need a way to determine which vulnerabilities are most likely to be exploited. One method gaining traction is the Exploit Prediction Scoring System (EPSS). While EPSS is a powerful tool for predicting which vulnerabilities are most likely to be exploited in the wild, it may not be perfectly suited for every industry—particularly in sensitive areas like medical devices. In this blog post, we’ll break down the fundamentals of EPSS, how it works, and why its use in scoring medical device vulnerabilities may present certain challenges.

What is the Exploit Prediction Scoring System (EPSS)?

The Exploit Prediction Scoring System (EPSS) is an open framework developed by the Forum of Incident Response and Security Teams (FIRST) to estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. A machine learning model trained on vulnerability characteristics, observed exploitation activity and external signals (such as published exploit code) produces a probability between 0 and 1 for each published CVE; EPSS scores only vulnerabilities that carry a CVE identifier. A higher score means exploitation is more likely, which lets security teams move those vulnerabilities to the front of the remediation queue.

Key Features of EPSS

  1. Data-Driven Approach: EPSS uses large datasets of known vulnerabilities and real-world exploitation data to create a model that estimates the probability of future exploitation.
  2. Probability Score: EPSS provides a score between 0 and 1, the estimated probability that the vulnerability will be exploited within the next 30 days. FIRST publishes a percentile next to each score (the share of all scored CVEs with an equal or lower probability), which is convenient for comparing one CVE against the rest of the population.
  3. Complementary to CVSS: EPSS is designed to work alongside the Common Vulnerability Scoring System (CVSS), which rates the overall severity of a vulnerability based on its characteristics. While CVSS helps measure potential impact, EPSS focuses on exploitation likelihood.

How Does EPSS Work?

EPSS relies on a variety of data points and statistical methods to predict exploitability:

  • Vulnerability Attributes: The type, severity, and technical characteristics of a vulnerability (e.g., whether it requires authentication or user interaction).
  • Historical Exploitation Data: Information on whether similar vulnerabilities have been exploited in the past.
  • Presence of Exploits: Availability of public proof-of-concept (PoC) code or weaponized modules (for example in Metasploit or Exploit-DB), which lowers the effort an attacker needs to exploit the vulnerability.
  • External Factors: News coverage, community discussions, and security bulletins that may indicate increased attention to a specific vulnerability.

EPSS scores are recomputed daily as new data arrives, and the model itself is retrained periodically, so a CVE's score can jump sharply when exploit code or exploitation reports appear.

For more detailed information, check out the EPSS Project Homepage by FIRST and the EPSS FAQ page.

Why EPSS is Useful for Vulnerability Management

EPSS has become a valuable resource for organizations looking to improve their vulnerability management practices. By highlighting vulnerabilities that are more likely to be exploited, EPSS enables security teams to allocate their resources more effectively and reduce overall risk exposure. Here are a few reasons why EPSS is gaining popularity:

  1. Enhanced Prioritization: EPSS helps organizations identify which vulnerabilities are most likely to be targeted, enabling them to focus on the highest-risk vulnerabilities first.
  2. Reduction of Noise: Severity-only scoring such as CVSS marks many vulnerabilities "high" or "critical" regardless of whether anyone is exploiting them, yet only a small fraction of published CVEs ever see exploitation in the wild. EPSS separates the few that are likely to be exploited from the many that are not, shrinking the urgent list and reducing alert fatigue.
  3. Dynamic Scoring: EPSS updates as new data becomes available, providing a more accurate and timely assessment of exploitation risk.
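The script below is an added example and is not code from the original post or from FIRST. It shows what consuming EPSS looks like in practice: parsing the daily EPSS data file (the layout here, a single "#model_version:...,score_date:..." comment line followed by cve,epss,percentile columns, matches FIRST's published files, but every row is constructed, not a real score), joining the scores to a constructed list of scanner findings, ranking by exploitation probability rather than CVSS, and rolling the per-CVE probabilities up to an asset-level "at least one of these gets exploited" figure under an independence assumption.

```python
"""Parse an EPSS data file, join it to scanner findings and rank by EPSS.

Added example, not code from the original post or from FIRST. The CSV
excerpt below follows the layout of the daily files FIRST publishes
(one '#model_version:...,score_date:...' comment line, then
cve,epss,percentile), but every row here is constructed, not a real score.
"""
import csv
import io

# Constructed EPSS excerpt (invented CVE IDs and values).
EPSS_CSV = """\
#model_version:v2023.03.01,score_date:2024-05-01T00:00:00+0000
cve,epss,percentile
CVE-2024-0001,0.00043,0.12345
CVE-2024-0002,0.71200,0.97600
CVE-2024-0003,0.02300,0.89000
CVE-2024-0004,0.00098,0.40500
"""

# Constructed scanner output: findings on two assets with their CVSS base scores.
FINDINGS = [
    {"asset": "infusion-pump-07", "cve": "CVE-2024-0001", "cvss": 9.8},
    {"asset": "infusion-pump-07", "cve": "CVE-2024-0004", "cvss": 7.5},
    {"asset": "billing-web-01", "cve": "CVE-2024-0002", "cvss": 6.5},
    {"asset": "billing-web-01", "cve": "CVE-2024-0003", "cvss": 8.1},
    {"asset": "billing-web-01", "cve": "CVE-2024-9999", "cvss": 5.3},  # not scored by EPSS
]


def parse_epss(text):
    """Return {cve: (epss, percentile)}, skipping the leading '#' comment line(s)."""
    lines = (line.rstrip("\n") for line in io.StringIO(text) if not line.startswith("#"))
    reader = csv.DictReader(lines)
    return {row["cve"]: (float(row["epss"]), float(row["percentile"])) for row in reader}


def rank_by_epss(findings, scores, act_threshold=0.10):
    """Attach EPSS to each finding and sort by probability, highest first.

    A CVE with no EPSS entry (not yet scored, or not a public CVE at all) gets
    epss=None and sorts last; it must not silently be treated as 'low risk'.
    """
    ranked = []
    for f in findings:
        epss, percentile = scores.get(f["cve"], (None, None))
        ranked.append({
            **f,
            "epss": epss,
            "percentile": percentile,
            "act": epss is not None and epss >= act_threshold,
        })
    ranked.sort(key=lambda r: -1.0 if r["epss"] is None else r["epss"], reverse=True)
    return ranked


def asset_exploit_probability(findings, scores):
    """Per asset, probability that at least one of its CVEs is exploited in the
    next 30 days: 1 - prod(1 - p_i). Assumes the per-CVE events are independent
    (a simplification); unscored CVEs contribute p=0 and so are ignored here."""
    survival = {}
    for f in findings:
        p = scores.get(f["cve"], (0.0, 0.0))[0]
        survival[f["asset"]] = survival.get(f["asset"], 1.0) * (1.0 - p)
    return {asset: round(1.0 - s, 5) for asset, s in survival.items()}


if __name__ == "__main__":
    scores = parse_epss(EPSS_CSV)
    for r in rank_by_epss(FINDINGS, scores):
        print(f'{r["asset"]:18} {r["cve"]:14} cvss={r["cvss"]:<4} epss={r["epss"]}  act={r["act"]}')
    print(asset_exploit_probability(FINDINGS, scores))
```

Two things to notice when running it: the CVSS 9.8 finding on the infusion pump lands near the bottom of the EPSS ranking, which is exactly the CVSS-versus-EPSS divergence the section describes, and the unscored CVE is kept visible as None rather than being dropped, because "no score" and "low score" are different facts.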

Pitfalls of Using EPSS to Score Vulnerabilities in Medical Devices

While EPSS offers numerous advantages, its application to medical devices presents certain challenges. Medical devices operate in highly regulated environments and involve critical considerations that go beyond traditional IT security concerns. Below are some of the specific pitfalls of using EPSS in this context:

1. Misalignment with Patient Safety and Clinical Impact

  • EPSS is primarily designed to assess the likelihood of a vulnerability being exploited, not its potential impact on patient safety. In medical devices, the consequences of a vulnerability could include patient harm or disruption of critical healthcare services. A vulnerability that EPSS scores as low-risk might still have a high potential for adverse clinical outcomes. As a result, relying solely on EPSS could lead to underestimating risks in healthcare settings.

2. Insufficient Context for Medical Device Environments

  • EPSS scores do not account for the environmental factors that matter for medical devices, such as whether the device is life-sustaining (e.g., ventilators or infusion pumps) or less time-critical, how it is networked, and whether a patch can actually be applied. Medical devices often have limited update capabilities and may run on legacy operating systems, so a vulnerability can stay open for months or years; because EPSS is a 30-day estimate, a small score on a device that cannot be patched understates the exposure accumulated over the device's real remediation window. EPSS does not consider any of this, so using it alone can lead to inappropriate prioritization decisions.

3. Overemphasis on General Exploitation Likelihood

  • EPSS focuses on general exploitation likelihood, which is based on historical trends and external data sources. However, the exploitation patterns of medical device vulnerabilities are not the same as those for general IT systems. Attackers may target medical devices for very different reasons, such as disrupting healthcare delivery or compromising patient data. This can lead to a disconnect between EPSS scores and the actual risk landscape of medical devices.

4. Limited Data on Medical Device Vulnerabilities

  • EPSS relies on large datasets to train its model, and much of its exploitation telemetry comes from sensors deployed in general IT environments. Medical device vulnerabilities are not as widely reported or analyzed as traditional IT vulnerabilities, exploitation attempts inside clinical networks are unlikely to reach those sensors, and issues disclosed only through vendor bulletins without a CVE identifier receive no EPSS score at all. The result is less informative scores for medical devices, which makes it hard to rely on them alone for risk management.

Recommended Approach for Medical Device Vulnerability Management

Given these limitations, it’s advisable to use EPSS as one part of a broader risk assessment strategy for medical devices. Healthcare organizations should consider incorporating other frameworks, such as:

  • Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook: Developed by MITRE in collaboration with the FDA, this playbook provides guidance to healthcare delivery organizations on preparing for and responding to medical device cybersecurity incidents. The Health Sector Coordinating Council (HSCC) complements it with the Medical Device and Health IT Joint Security Plan (JSP), which covers product security practices, including vulnerability management, across the device life cycle.
  • International Medical Device Regulators Forum (IMDRF): The IMDRF's Principles and Practices for Medical Device Cybersecurity guidance describes how to fold cybersecurity into medical device risk management, weighing both patient safety and device effectiveness.
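The following is an added example of what "EPSS as one input, not the only input" can look like in code. It is not the post author's method and not a procedure from the FDA, MITRE, HSCC or IMDRF documents; the triage tiers, thresholds, harm scale, device names and CVE IDs are all constructed for illustration. It makes two adjustments the pitfalls above call for: it stretches the 30-day EPSS probability over the months a device will realistically stay unpatched (treating the EPSS value as a constant monthly rate, which is a simplification since EPSS is re-scored daily), and it lets a patient-safety gate force action on a reachable, life-sustaining device even when EPSS says exploitation is unlikely this month.

```python
"""EPSS-informed triage for medical devices with clinical context added.

Added example, not from the original post or from any FDA/MITRE/HSCC/IMDRF
guidance. Tiers, thresholds, the harm scale and all findings are constructed.
"""
from dataclasses import dataclass


@dataclass
class DeviceFinding:
    device: str
    cve: str
    epss: float            # FIRST EPSS: probability of exploitation in the next 30 days
    life_sustaining: bool  # e.g. ventilator, infusion pump
    clinical_harm: str     # "none", "care_delay" or "patient_injury" (constructed scale)
    months_exposed: int    # months until a vendor patch can realistically be applied
    network_reachable: bool


def exposure_window_probability(epss_30d: float, months: int) -> float:
    """Probability of at least one exploitation over the whole exposure window,
    treating the 30-day EPSS value as a constant monthly rate: 1 - (1 - p)^months.
    Assumption: EPSS is re-scored daily and is not a stationary rate, but for a
    device that cannot be patched this shows why a small 30-day number is not 'safe'."""
    months = max(1, months)
    return round(1.0 - (1.0 - epss_30d) ** months, 4)


def epss_only_triage(f: DeviceFinding, epss_act: float = 0.10, epss_watch: float = 0.01) -> str:
    """The pure-EPSS rule many IT programs use, kept for comparison."""
    if f.epss >= epss_act:
        return "act_now"
    if f.epss >= epss_watch:
        return "schedule"
    return "track"


def triage(f: DeviceFinding, epss_act: float = 0.10, epss_watch: float = 0.01) -> str:
    """Triage that uses EPSS but lets clinical impact override likelihood.
    Returns 'act_now' (patch or apply compensating controls such as segmentation),
    'schedule' or 'track'."""
    # Patient-safety gate: a network-reachable flaw that can injure a patient on a
    # life-sustaining device is actioned regardless of this month's EPSS value.
    if f.life_sustaining and f.clinical_harm == "patient_injury" and f.network_reachable:
        return "act_now"
    p_window = exposure_window_probability(f.epss, f.months_exposed)
    if p_window >= epss_act:
        return "act_now"
    if p_window >= epss_watch:
        return "schedule"
    return "track"


# Constructed findings (invented CVE IDs and EPSS values).
FINDINGS = [
    DeviceFinding("ventilator-icu-03", "CVE-2024-0101", 0.004, True, "patient_injury", 24, True),
    DeviceFinding("ct-scanner-01", "CVE-2024-0102", 0.030, False, "care_delay", 6, True),
    DeviceFinding("waiting-room-kiosk", "CVE-2024-0103", 0.620, False, "none", 1, True),
    DeviceFinding("infusion-pump-12", "CVE-2024-0104", 0.004, True, "patient_injury", 12, False),
]


def compare(findings):
    """Map each CVE to (EPSS-only tier, clinically informed tier)."""
    return {f.cve: (epss_only_triage(f), triage(f)) for f in findings}


if __name__ == "__main__":
    for f in FINDINGS:
        print(f.device, f.cve, compare([f])[f.cve])
```

Running it shows the disagreement the section is about: the ventilator flaw is "track" under EPSS alone and "act_now" once patient safety is considered, the CT scanner flaw moves from "schedule" to "act_now" because six months of exposure at a 3% monthly probability is roughly a 17% chance of exploitation, and the infusion pump flaw, which is not reachable from the network, still rises from "track" to "schedule" on exposure time alone.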

Conclusion

The Exploit Prediction Scoring System (EPSS) is a valuable tool for predicting the likelihood of vulnerabilities being exploited in traditional IT environments. However, when it comes to scoring vulnerabilities in medical devices, EPSS has some significant limitations. Its focus on exploitability, lack of clinical context, and limited data on medical device vulnerabilities can lead to misaligned risk assessments. Healthcare organizations should consider complementing EPSS with additional frameworks and guidelines to ensure a comprehensive approach to medical device cybersecurity.

For further investigation into EPSS, see the EPSS Project Homepage and the EPSS FAQ published by FIRST.

By combining EPSS with other healthcare-specific risk management practices, organizations can better protect medical devices and ensure patient safety while addressing cybersecurity threats.
