The interest in medical device cybersecurity is rapidly increasing. Fortunately, so far, there are no publicly-reported incidents in which compromised devices were known to adversely affect patient safety, but nobody wants to see such an event take place. Vulnerabilities -- flaws in coding or misconfigurations -- are discovered throughout the lifecycle of medical devices. Attackers exploiting these vulnerabilities can steal PHI, use a device as an entry point into a hospital network, or intentionally cause patient harm or interfere with treatment.
All stakeholders need to assess the severity and risk of these vulnerabilities, but they have different perspectives and needs. Manufacturers want to prioritize vulnerabilities and determine if an emergency patch is needed or if the fix can be folded into the regular maintenance program.
Manufacturers know how to perform safety analysis with respect to intended use and accidental misuse, but now they must extend their analysis to consider the impact of the malicious misuse of a sentient adversary, and they must perform such analysis in two different time frames: pre-market (before submitting the device for FDA approval) and post-market (after vulnerabilities have been discovered). Security researchers know how to discover vulnerabilities, but they might not have the knowledge or context to link their technical findings to a real-world clinical impact, and a device’s own safety-oriented architecture might prevent vulnerabilities from affecting patient safety. Healthcare providers want to know if their devices are at risk and if their compensating controls are sufficient or need to be increased.
While clinical engineers already have a full plate managing day-to-day risk such as alert fatigue, they also must determine how to prioritize and mitigate new vulnerabilities with respect to patient safety, in light of potentially hyped or inaccurate information. Further, hospitals may be required to perform risk assessment along other dimensions such as HIPAA compliance, clinical usefulness, and the role of medical devices as pivot points for attacking other IT assets. Patients want to weigh the risks of being treated with the devices. Finally, the FDA wants to know if they need to act, perhaps by issuing a safety communication or even recalling the device.
In support of the FDA’s Center for Devices and Radiological Health (CDRH), MITRE is working with the medical device community to adapt CVSS for medical devices. We will leverage other severity and risk scoring systems to take into account such elements as intrinsic and external controls, and the impact on patient safety. In particular, we're looking at the Common Weakness Scoring System (CWSS) and the associated Common Weakness Risk Assessment Framework (CWRAF).
We will describe how CVSS and other IT-oriented mechanisms may help in performing more consistent risk assessment of medical devices across multiple stakeholders. We will also cover problem areas that cannot be addressed by traditional IT-based approaches. Our talk is intended to inform and engage with researchers, manufacturers, clinical engineers, patients, and interested parties from other industries for which physical safety and cybersecurity are intertwined.