New Food and Drug Administration guidance will help experts score and communicate the severity of security vulnerabilities identified in medical devices more accurately, says Elad Luz, head of security research at CyberMDX.
The FDA’s new resource, “Rubric for Applying the Cybersecurity Common Vulnerability Scoring System To Medical Devices,” was developed by the agency and The Mitre Corp. and unveiled in October.
Used alongside the CVSS v3.0 scoring standard, the FDA rubric gives researchers such as Luz, as well as manufacturers, regulators and others, a common framework for evaluating risk and scoring the severity of medical device vulnerabilities more consistently, he says.
“CVSS is a widely adopted method for evaluating software vulnerabilities,” including those used in more general IT products, Luz notes.
“The problem is that when you use CVSS for medical devices … you will find unclear areas” that cause disagreements among researchers, manufacturers and regulators about the severity of security vulnerabilities identified in healthcare gear and the risk to patient safety, he says.
“For example, CVSS measures potential impact on confidentiality, integrity and availability of a device. But the problem is that [CVSS scores alone] do not speak about patient safety or calculate things like life threats,” he says.
In the interview, Luz also discusses:
- Examples comparing how a medical device vulnerability scores with and without the new FDA rubric, and how the rubric better reflects the risk posed to patient safety;
- How the new rubric can aid in the public disclosure of medical device security vulnerabilities;
- How the use of the FDA resource can provide better insight to healthcare entities addressing vulnerabilities in medical devices used in their environments.
As head of research at CyberMDX, a healthcare sector security vendor, Luz oversees medical device vulnerability and protocol research in controlled laboratory environments. Having uncovered several highly publicized vulnerabilities in the last two years, Luz has become a vocal advocate for tighter pre-market and post-market security alignment, a better understanding of the unique implications inherent to vulnerabilities in medical environments, and stronger governmental oversight.