Why Harbor Labs Supports The CVSS 3.0 Standard For Medical Device Security

Jun 9, 2021

The common vulnerability scoring system is a valuable tool, but how strictly should medical organizations rely on it? When assessing medical and healthcare technology, does it bring enough information, or does it fall short?

Dr. Avi Rubin

Founder/Chief Scientist
At Harbor Labs, we are both advocates and purveyors of the Common Vulnerability Scoring System (CVSS). We include CVSS 3.0 scoring in all our medical analytic work products and apply it to every vulnerability identified by our automated security analysis and reporting systems, FirwmareIQ™ and Postmarket Surveillance™. Having investigated the methodologies and logic used by the CVSS consortium to derive its scoring, we found them to be sound and well-researched. In our experience, these scores are invaluable to our medical clients, giving them a metric for identifying and accurately prioritizing those security issues most likely to pose a cybersafety risk to their patients. They further help in informing the remediation measures that require the most urgent attention.
 
But even with our support for CVSS, Harbor Labs still asserts that these scores should be regarded as informational, not as an absolute data value. They are intended to inform and alert to the potential severity of a vulnerability, but provide no context specific to the system or use case. The scores within the CVSS scales are not meant to be interpreted as ratios of one another, or as relative values. A vulnerability with a CVSS of 8.4, for example, is not necessarily twice as severe as a CVSS of 4.2. CVSS information should be analyzed within the context of the threat model and concept of operations for the target system. A CVSS of 2.4 might require immediate attention if it has the ability to chain to another attack which stops actuation or otherwise alters the intended therapy of the system. A CVSS of 9 that pertains to a function in a library may be irrelevant if the target system uses the library, but not that particular function. These numbers inform, but a cybersecurity professional, and perhaps a healthcare professional, is still required to interpret them and draw the appropriate conclusions.
 
Nonetheless, our advocacy for CVSS comes after considering many other proprietary methodologies for generating security scores. While these other scoring systems may all be well suited for a specific tool, market, or operational setting, they rarely have portability or intuitive meaning outside of that specific environment. The CVSS standard, in contrast, is supported across multiple industries and used by security professionals in a broad set of technology markets. CVSS is the most logical scoring methodology to use in the medical device community, as the functionality, operating systems, software components and operational characteristics of clinical devices are very similar to other IOT environments for which CVSS was intended. Moreover, the CVSS scoring methodology lends itself to market-specific modification, allowing for the overlay of patient risk parameters to a CVSS score that allows for medical device vulnerabilities that impact patient safety to be given a higher priority than they might otherwise receive. Scoring rubrics that combine traditional CVSS scoring and patient risk have already been developed and endorsed by regulators.
 
During a conversation on medical device security scoring, I once heard an FDA policy analyst say, “A patient can’t be rebooted”. And indeed, a CVSS score that might only require a simple fix on a typical IOT endpoint could pose a severe risk to patient health if occurring on a medical device. It is for this reason that Harbor Labs will continue to work with the medical device, security, and regulatory communities to advance the CVSS standard, and take it to a level where it provides accurate security scoring in a patient-safety context.
Thought Leadership
Mask Group 153
Medical Device Manufacturer Must Do’s for Cybersecurity

Medical Device Manufacturer Must Do’s for Cybersecurity

Harbor Labs Director of Medical Security Dr. Mike Rushanan provides a comprehensive outline of the cybersecurity must-do’s necessary to meet regulatory approval. Based on years of experience working with the FDA and other regulatory bodies, Dr. Rushanan’s blog provides insights into the common pitfalls that can disqualify or delay regulatory approvals.

About
Learn more about our experts and how we’re bringing our passion and process to support brighter outcomes.
Careers
We’re always looking to add new dimensions to our team. Check here for the latest openings and opportunities.
Contact
1.855.CYBR.SCI info@harborlabs.com
TOOLS
Discover issues hiding in your device firmware.
Find out how your vulnerability scores add up.
Medical Device
Security
Your device delivers healthier outcomes. With HarborLabs, it will do it securely.
Healthcare IT
Consulting
Healthcare IT system security and regulations are a big lift. An experienced partner by your side can help make it lighter.
Technical Litigation
Consulting
There are practical cyber experts and there are experienced Alternative Legal Service Providers. HarborLabs is the best of both worlds.