Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

FDA Approves Use of New Tool for Medical Device Vulnerability Scoring

The U.S. Food and Drug Administration (FDA) this week announced that it has approved the use of a new rubric specifically designed by the MITRE Corporation for assigning CVSS scores to vulnerabilities found in medical devices.

The U.S. Food and Drug Administration (FDA) this week announced that it has approved the use of a new rubric specifically designed by the MITRE Corporation for assigning CVSS scores to vulnerabilities found in medical devices.

The Common Vulnerability Scoring System (CVSS) was originally designed to convey the severity of vulnerabilities found in IT systems, and it may not be as relevant in some areas, such as industrial control systems (ICS) or medical devices.

That is why the FDA contracted MITRE to create a special rubric for assigning CVSS scores to medical device vulnerabilities. MITRE developed the new rubric last year and the FDA announced this week that it has qualified as a Medical Device Development Tool (MDDT).

The MDDT program enables the organization to qualify tools that can be used in the development and evaluation of medical devices. In order for a tool to qualify, it must be evaluated by the FDA, which must agree that it “produces scientifically-plausible measurements and works as intended within the specified context of use.”

The FDA believes that using MITRE’s rubric for applying CVSS to medical devices, together with CVSS v3.0, “allows a common framework for risk evaluation and communication between all parties involved in a security vulnerability disclosure, particularly when discussing its severity and urgency.”

The FDA’s approval of the tool means “that vendors can communicate measurements from the rubric about their devices with the FDA for pre-market security and risk assessments,” Elad Luz, head of research at New York-based healthcare cybersecurity firm CyberMDX, told SecurityWeek.

Advertisement. Scroll to continue reading.

CyberMDX has identified more than ten vulnerabilities in medical devices over the past year and it has seen first hand how misleading CVSS can be if it’s not adapted. For instance, a vulnerability it discovered last year in some of GE Healthcare’s hospital anesthesia devices was assigned a CVSS score of only 5.3 but, as the vendor itself admitted, exploitation of the flaw posed a direct risk to patients, which made it highly serious.

“[The vulnerability] was not scored as high severity because you could not execute remote code, or remotely access information, just remotely alter limited specific functionality,” Luz explained. “The problem is — when you look at the medical aspect of this — those remote functions altered might just be the most severe thing to compromise on this device, so this must be expressed for anyone doing a risk assessment for it.”

Luz says the new rubric addresses these and other issues. The expert says the new guidelines are clear and easy to use, with real-world examples taken from medical devices used worldwide.

“When doing disclosures there are many disagreements regarding the interpretation of CVSS because it was not always clear how one should project those measurements that were meant for computers/mobiles software to medical devices,” he explained. “The rubric goes through all CVSS measurements and clears them out in the form of a Q&A flowchart. This makes things much more clear and will hopefully spare much of the arguments.”

Luz also pointed out that the new rubric gives the environmental metric group “the place it deserves.”

“When people get exposed to CVSS scores they mostly consume the ‘base metric group’. This is unfortunate because the base score only gives a general impression of the risk,” he said. “The ‘environmental metric group’ is another group on CVSS that adjusts the score to your specific case. The environment where the device is deployed and used greatly affects the actual risk and this must be taken into account. Almost half of the rubric talks about this environmental group and finally it gets the right attention it deserves.”

Related: Vulnerabilities Expose BD Infusion Therapy Devices to Attacks

Related: FDA Warns of Flaws in Medtronic Programmers

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Jazz has named Sean Robinson, Rickie Goyal, Danielle Guetta, Shani Nago, and Lior Magram as VPs and Michael Calev as COO.

AJ Shipley has been appointed Chief Product Officer at CrowdStrike.

Brinqa has named Ron Dovich as Chief AI and Automation Officer, David Allen as CTO, Steve Biagioni as CFO, and James Walta as VP of Product.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.