Thought Leadership

Why Harbor Labs Supports The CVSS 3.0 Standard For Medical Device Security

The Common Vulnerability Scoring System (CVSS) is a valuable tool, but how strictly should medical organizations rely on it? When assessing medical and healthcare technology, does it carry enough information, or does it fall short?

At Harbor Labs, we are both advocates and purveyors of the Common Vulnerability Scoring System (CVSS).

We include CVSS 3.0 scoring in all our medical analytic work products and apply it to every vulnerability identified by our automated security analysis and reporting systems, FirmwareIQ™ and Postmarket Surveillance™. Having investigated the methodology and logic that FIRST's CVSS Special Interest Group, which maintains the standard, uses to derive its scoring, we found them to be sound and well-researched. In our experience, these scores are invaluable to our medical clients, giving them a metric for identifying and accurately prioritizing the security issues most likely to pose a cybersafety risk to their patients. They further help in identifying the remediation measures that require the most urgent attention.
 
But even with our support for CVSS, Harbor Labs still asserts that these scores should be regarded as informational, not as absolute values. A Base score is intended to inform and alert to the potential severity of a vulnerability, but it carries no context specific to the system or use case; that context is what the standard's own Temporal and Environmental metric groups exist to capture, and a Base score reported on its own should be read with that in mind. The scores within the CVSS scale are not meant to be interpreted as ratios of one another, or as relative values. A vulnerability with a CVSS of 8.4, for example, is not necessarily twice as severe as one with a CVSS of 4.2. CVSS information should be analyzed within the context of the threat model and concept of operations for the target system. A CVSS of 2.4 might require immediate attention if the vulnerability can be chained into another attack that stops actuation or otherwise alters the intended therapy of the system. A CVSS of 9 that pertains to a function in a library may be irrelevant if the target system uses the library but not that particular function, provided that the function's unreachability has actually been verified in the device's build rather than assumed, and the finding is recorded so it is revisited when the device or the library changes. These numbers inform, but a cybersecurity professional, and perhaps a healthcare professional, is still required to interpret them and draw the appropriate conclusions.
 
Our advocacy for CVSS nonetheless comes after considering many other proprietary methodologies for generating security scores. While these other scoring systems may each be well suited to a specific tool, market, or operational setting, they rarely have portability or intuitive meaning outside of that environment. The CVSS standard, in contrast, is supported across multiple industries and used by security professionals in a broad set of technology markets. CVSS is the most logical scoring methodology for the medical device community, as the functionality, operating systems, software components and operational characteristics of clinical devices are very similar to those of the IT and IoT environments to which CVSS is routinely applied. Moreover, the CVSS scoring methodology lends itself to market-specific modification, allowing patient risk parameters to be overlaid on a CVSS score so that medical device vulnerabilities that impact patient safety receive a higher priority than they otherwise would. Scoring rubrics that combine traditional CVSS scoring and patient risk, such as MITRE's Rubric for Applying CVSS to Medical Devices, have already been developed and endorsed by regulators.
 
During a conversation on medical device security scoring, I once heard an FDA policy analyst say, "A patient can't be rebooted". And indeed, a vulnerability whose CVSS score might call for only a simple fix on a typical IoT endpoint could pose a severe risk to patient health if present on a medical device. It is for this reason that Harbor Labs will continue to work with the medical device, security, and regulatory communities to advance the CVSS standard and take it to a level where it provides accurate security scoring in a patient-safety context.

About the Author

  • Dr. Avi Rubin, Founder/Chairman, Advisory Board

    Dr. Avi Rubin is the Founder and Advisory Board Chair of Harbor Labs. Dr. Rubin’s technical leadership is reflected in every Harbor Labs initiative, whether advising on client engagements or providing technical oversight to the engineering staff. Dr. Rubin is a Professor Emeritus of Computer Science at Johns Hopkins University, where during his tenure he served as the Technical Director of the JHU Information Security Institute. While at JHU, he also founded and served as director of the JHU Health and Medical Security Lab (HMS), where his pioneering work advanced medical device security and future healthcare networks. Many of Harbor Labs’ senior staff studied under Dr. Rubin at JHU, receiving their PhDs through the JHU HMS. Dr. Rubin has testified on national healthcare cybersecurity policy before the U.S. House and Senate on multiple occasions, and has authored several books on computer security. He is a frequent keynote speaker at industry and academic conferences, and delivered widely viewed TED talks in 2011 and 2015. His Ph.D. from the University of Michigan is in the area of Applied Cryptography and Computer Security.
