In late 2020, the U.S. Food and Drug Administration’s (FDA) Medical Device Development Tools (MDDT) Program announced their qualification of a new tool for medical device development within cybersecurity risk evaluations. This new tool, “Rubric for Applying the Cybersecurity Common Vulnerability Scoring system (CVSS) to Medical Devices” (i.e., The Mitre Rubric version 0.12.04) was released in September 2019 by The MITRE Corporation. In conjunction with the qualification of this tool, the FDA has also recognized the cybersecurity standard FiRST CVSS v3.0 Common Vulnerability Scoring System version 3.0.
The Common Vulnerability Scoring System (CVSS), initially developed for enterprise information technology systems, provides consistency and a standardized way of communicating severity and vulnerability to all parties involved with medical device development. This includes stakeholders such as medical device manufacturers, hospitals, clinicians, patients, the National Cybersecurity and Communications Integration Center (NCCIC) and vulnerability researchers.
The FDA notes CVSS as an example for utilization in assessing the severity of vulnerabilities as part of the pre- and post-market risk assessment process, but the agency does not adequately address the clinical environment and potential patient safety impacts. Therefore, the FDA has contracted with the MITRE Corporation to address these challenges in order to tie the vulnerability assessment back to the clinical environment to help evaluate potential impacts to patient safety.
MITRE Corporation, in collaboration with multiple stakeholders and experts, has developed the rubric that provides guidance for analysts using CVSS to better assess medical device risks.
Structured as a series of questions along the decision pathway, the rubric includes:
- Customized, Healthcare Delivery Organization (HDO): specific guidance that is not included in the original specification
- Device-specific examples
- Discussion of difficulties in: (1) repeatability of the rubric and/or; (2) conformance to the spirit of the original CVSS v3.0 specification
- Consideration of many perspectives that would be relevant to a medical device manufacturer or an HDO, including: (1) patient safety; and (2) patient/clinician privacy
- Visual guides in the form of “decision trees” or “flow charts” to simplify the process
CVSS also has its own rubric and series of structured questions; ultimately, a CVSS score between 0 and 10 is calculated.
Pilot studies for the rubric also included utilization of CVSS. Comments from study participants indicated that the use of the rubric was more complex than using CVSS alone. However, participants found that the use of the rubric:
- Allowed for the refinement of discussions and forced teams to think systematically (this made the scoring process more repeatable, consistent and accurate)
- Assisted study participants in coming to agreement more quickly when discussions focused on healthcare and patient safety impacts
- Served as a useful tool for communicating to customers regarding the value of using recommended mitigations to address potential impacts of vulnerabilities
Per the FDA, this technique is not suitable for estimating the impact and urgency of a ‘chained’ vulnerability attack, whereas a series of individual vulnerabilities in a single platform are used to systematically degrade a security architecture. This is conducted by simultaneously lowering the architecture’s defenses until the attacker has revealed the invisible attack route.
In conclusion, the combined use of the rubric tool and the CVSS standard provides a common reference framework for medical device manufacturers and others in the medical device supply chain when discussing the severity and impact of cyber vulnerabilities in released devices. Using the tool in a consistent manner allows all interested parties to align with the FDA’s guidance for pre- and post-market management of medical device cybersecurity.
Helpful Links:
- The Mitre Corporation Rubric
- FiRST Common Vulnerability Scoring System (CVSS-SIG)
- FDA Summary
- FDA’s Medical Device Development tools (MDDT) Program
- Webinar: SaMD Product Development–Addressing Challenges through Early Integration of Regulatory, Quality and Clinical Data Strategies
How can NAMSA Help?
If your software product meets the FDA’s definition of a medical device, NAMSA’s software experts can collaborate with your team to mitigate risk related to cybersecurity and other areas of concern.
NAMSA is the industry leader in driving successful regulatory outcomes through effective interactions with the FDA. In fact, our internal teams of medical device development experts communicate with the FDA nearly every day. From Pre-Submission meetings – to Pre-IDE preparation – and FDA inspection preparation, our teams are the most experienced in industry at accelerating regulatory submissions and approvals for device manufacturers. This expertise has been proven to save medical device organizations up to $17M in costs and 23 months in development timelines.
If you are interested in speaking with us about FDA-related activities or other global regulatory strategies, please contact us at: https://www.namsa.com/contact-us.
Lezlie Hynes
Lezlie Hynes, MT (ASCP), CQA, CSQE currently serves as a Principal Quality Systems Consultant at NAMSA. Lezlie has over 30 years’ experience in the fields of medical device, HCT/P and hospital and reference laboratory industries, primarily in Quality Systems. Her focus is working with Clients—ranging from small start-up to large companies—to develop and maintain quality systems and move products to market. A special focus has been working with Clients to implement and validate computerized systems and assist in product development for SaMD and SiMD products.