MITRE’s Medical Device Vulnerability Metric Awarded FDA Approval

The MITRE Corporation’s new methodology for grading medical device vulnerabilities using the Common Vulnerability Scoring System (CVSS) has been authorized by the U.S. Food and Drug Administration (FDA). The CVSS was developed to evaluate security vulnerabilities in IT systems in accordance with their severity. However, while the system performs well for many IT systems, it is less effective for assessing security vulnerabilities¬† in medical devices.

Device manufacturers employ the CVSS as a consistent and standardized method of informing the National Cybersecurity and Communications Integration Center (NCCIC) of the Department of Homeland Security (DHS) and other agencies of the severity of a vulnerability when it is detected in medical equipment. The IT departments of hospitals and clinics prioritize software upgrades and patching based on the scores. If a vulnerability has a CVSS score of 9.0, it takes precedence over a vulnerability with a score of 3.0. However, the clinical setting and potential effects on patient safety are not sufficiently reflected by CVSS base values. In order to resolve this problem, the FDA hired the MITRE Corporation to create a brand-new scoring system exclusively for medical devices. The new rubric was certified as a Medical Device Development Tool (MDDT) and awarded FDA approval this week, according to an FDA statement. In order to be considered as an MDDT, a tool must provide measurements that are consistent with science and function effectively within the designated context of application.

The new set of instructions for utilizing the CVSS to assess medical equipment provides a universal process for risk assessment and communication between all parties concerned with the disclosure of security vulnerabilities, particularly with respect to the degree of severity and to demonstrate the importance of urgency in response to the identification of such vulnerabilities. However, concerns have been raised about the CVSS base score metric. Critics have noted that the metric does not account for the context in which the device or IT system is operated. It is important to adjust the score in relation to the specific case in which a device or IT system is used, as this can greatly increase the risk posed by a vulnerability. The danger caused by a vulnerability can be significantly increased by adjusting the score in proportion to the specific circumstance in which a device or IT system is utilized.

In addition to offering detailed instructions for assigning CVSS scores to medical device vulnerabilities, the rubric also provides an outline of the base metric group and demonstrates the significance of the temporary metric group and the environmental group. The latter is the focus of about half of the rubric, which explains how to adjust scores so that device operators can accurately reflect risk as part of a risk assessment for a medical device.