USA – FDA-tasked Mitre Forges Ahead with Cyber Vulnerability Scoring System Tailored to Devices

Under a US Food and Drug Administration (FDA) contract, a new rubric developed by the Mitre Corporation is the first-of-its-kind to be specifically tailored to medical devices, and is set to take the form of a medical device development tool (MDDT) to ensure consistency in scoring cybersecurity risks.

The common vulnerability scoring system (CVSS) open standard for assessing software vulnerability severity has seen widespread use on an international scale since its 2005 initial release, but it had not been calibrated for health care-specific risk metrics until now. The draft version of Mitre’s document that set forth the new first-of-its-kind rubric for applying CVSS to medical devices was released for comment earlier this month and discussed by participants at a two-day FDA public workshop this week.

The medical devices rubric is comprised of a series of questions at decision points for each CVSS vector element, Mitre information technology and cybersecurity integrator Penny Chase explained during the workshop on FDA’s October 2018 draft guidance on cybersecurity management. It includes considerations that are relevant to device manufacturers and health care delivery organizations (HDO), such as patient safety and device-specific examples.

“When the answer to a question suggests that the vulnerability might have an adverse effect on patient safety, there is an explicit notice that the analyst might need to perform a safety-oriented hazards analysis to determine whether the issue must be reported” to FDA’s Center for Devices and Radiological Health (CDRH) as covered in CDRH’s postmarket cybersecurity final guidance, the rubric states. Such items are marked as PIPS, which stands for “Potential Impact to Patient Safety.”..