At Harbor Labs, we are both advocates and purveyors of the Common Vulnerability Scoring System (CVSS). We include CVSS 3.0 scoring in all our medical analytic work products and apply it to every vulnerability identified by our automated security analysis and reporting systems, FirmwareIQ™ and Postmarket Surveillance™. Having investigated the methodologies and logic used by the CVSS consortium to derive its scoring, we found them to be sound and well-researched. In our experience, these scores are invaluable to our medical clients, giving them a metric for identifying and accurately prioritizing those security issues most likely to pose a cybersafety risk to their patients. They further help in identifying the remediation measures that require the most urgent attention.
But even with our support for CVSS, Harbor Labs still asserts that these scores should be regarded as informational, not as absolute data values. They are intended to inform and alert to the potential severity of a vulnerability, but they provide no context specific to the system or use case. The scores within the CVSS scales are not meant to be interpreted as ratios of one another, or as relative values. A vulnerability with a CVSS of 8.4, for example, is not necessarily twice as severe as one with a CVSS of 4.2. CVSS information should be analyzed within the context of the threat model and concept of operations for the target system. A CVSS of 2.4 might require immediate attention if the vulnerability can be chained with another attack that stops actuation or otherwise alters the intended therapy of the system. A CVSS of 9 that pertains to a function in a library may be irrelevant if the target system uses the library but not that particular function. These numbers inform, but a cybersecurity professional, and perhaps a healthcare professional, is still required to interpret them and draw the appropriate conclusions.
Nonetheless, our advocacy for CVSS comes after considering many other proprietary methodologies for generating security scores. While these other scoring systems may each be well suited to a specific tool, market, or operational setting, they rarely have portability or intuitive meaning outside of that specific environment. The CVSS standard, in contrast, is supported across multiple industries and used by security professionals in a broad set of technology markets. CVSS is the most logical scoring methodology to use in the medical device community, as the functionality, operating systems, software components and operational characteristics of clinical devices are very similar to those of other IoT environments for which CVSS was intended. Moreover, the CVSS scoring methodology lends itself to market-specific modification: patient risk parameters can be overlaid on a CVSS score so that medical device vulnerabilities that impact patient safety are given a higher priority than they might otherwise receive. Scoring rubrics that combine traditional CVSS scoring and patient risk have already been developed and endorsed by regulators.
During a conversation on medical device security scoring, I once heard an FDA policy analyst say, “A patient can’t be rebooted”. And indeed, a vulnerability whose CVSS score might only warrant a simple fix on a typical IoT endpoint could pose a severe risk to patient health if it occurs on a medical device. It is for this reason that Harbor Labs will continue to work with the medical device, security, and regulatory communities to advance the CVSS standard, and take it to a level where it provides accurate security scoring in a patient-safety context.