The U.S. Food and Drug Administration (FDA) has qualified a new tool for scoring vulnerabilities in medical devices according to a redesigned rubric.
The rubric, developed by the MITRE Corporation and first released last year, is meant to make CVSS scoring of medical device vulnerabilities more relevant and more consistent during development and testing. Last October the FDA qualified the tool for more reliable scoring of medical device vulnerabilities.
The Need for a Better CVSS
The main motivation for a redesigned scoring rubric is that the Common Vulnerability Scoring System (CVSS), applied as-is, did not assess medical devices well: scores routinely ignored the environment and context in which the devices are used. CVSS was designed around vulnerabilities in general IT systems, with much less thought given to medical devices or industrial control systems.
The FDA therefore turned to the MITRE Corporation to develop a rubric focused exclusively on scoring medical device vulnerabilities. Rather than replacing CVSS, the rubric guides how each CVSS v3.0 metric value is chosen for a medical device, so that manufacturers and the FDA score the same vulnerability the same way. That uniform process opens the door to safer products in the near future.
Understanding the New MDDT
The rubric, qualified as a Medical Device Development Tool (MDDT), gives the FDA a consistent way to evaluate the vulnerabilities reported for a new medical device within its specified context of use. The result is still a CVSS score, but one derived under criteria tailored to medical devices.
Qualifying the rubric should make development, assessment and review faster and more precise. Manufacturers can now report to the FDA vulnerability scores produced with the rubric, and the FDA can interpret them against known criteria, making pre-market security and risk assessments more agile and more relevant.
A common framework benefits every party involved: the FDA, manufacturers and, ultimately, the patients and clinicians who use the devices. New medical devices can be developed faster and reach the market sooner without leaving serious security weaknesses unaddressed.
Connected devices and new ways of working with them create challenges this rubric aims to tackle. Some devices rated as highly secure during earlier FDA review were never assessed against attack paths that matter today, such as remote access and remote code execution. The goal was a framework that addresses these aspects for every device.
Equally important, generic CVSS scoring guidance was not written with medical devices in mind, which had many consequences when it was applied in this very specific context: it gave a general impression of the risk a new device posed, not a practical one.
The rubric's guidance for the CVSS environmental metric group addresses this by adjusting the score to the device's specific use case: the modified base metrics and the confidentiality, integrity and availability requirements capture the environment and circumstances in which the device is actually deployed. This adjustment alone gives a far better picture of the risk the product poses.
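To make that environmental adjustment concrete, the following Python example is added here; it is not part of the original article and not code from MITRE's rubric or the FDA. It implements the CVSS v3.0 base, temporal and environmental formulas and scores one vulnerability three ways: as published, as deployed on an isolated clinical network where availability matters most and an official fix exists, and as a bedside device reachable only with physical access. The weights and formulas are those of the CVSS v3.0 specification; the vector strings and the deployment assumptions behind them are constructed for illustration and do not describe any real device or CVE.

```python
"""CVSS v3.0 scoring with the environmental metric group, used to
re-score one vulnerability for different deployment contexts.
Formulas and weights follow the CVSS v3.0 specification; the vector
strings at the bottom are constructed examples, not real CVEs."""
import math

# Base metric weights from the CVSS v3.0 specification.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
# Privileges Required is weighted higher when Scope is Changed.
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},
      "C": {"N": 0.85, "L": 0.68, "H": 0.50}}
# Temporal weights; "X" (Not Defined) is neutral.
E = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
RL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
RC = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}
# Environmental security requirements (CR/IR/AR).
REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}
OPTIONAL = ("E", "RL", "RC", "CR", "IR", "AR",
            "MAV", "MAC", "MPR", "MUI", "MS", "MC", "MI", "MA")


def roundup(x):
    """Smallest one-decimal value >= x, computed on integers so that
    products such as 8.8 * 0.94 * 0.95 do not round the wrong way."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def parse_vector(vector):
    """'CVSS:3.0/AV:N/AC:L/...' -> {'AV': 'N', ...}; temporal and
    environmental metrics that are absent default to 'X'."""
    parts = vector.split("/")
    if parts[0] != "CVSS:3.0":
        raise ValueError("not a CVSS v3.0 vector: %r" % vector)
    metrics = dict(part.split(":") for part in parts[1:])
    for name in OPTIONAL:
        metrics.setdefault(name, "X")
    return metrics


def _score(av, ac, pr, ui, scope, c, i, a, cr=1.0, ir=1.0, ar=1.0, env=False):
    """Base formula; with env=True the requirement weights apply and the
    impact sub-score is capped at 0.915, as the environmental spec requires."""
    iss = 1 - (1 - cr * CIA[c]) * (1 - ir * CIA[i]) * (1 - ar * CIA[a])
    if env:
        iss = min(iss, 0.915)
    if scope == "U":
        impact = 6.42 * iss
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    if impact <= 0:
        return 0.0
    exploitability = 8.22 * AV[av] * AC[ac] * PR[scope][pr] * UI[ui]
    total = impact + exploitability
    if scope == "C":
        total *= 1.08
    return roundup(min(total, 10))


def base_score(vector):
    m = parse_vector(vector)
    return _score(m["AV"], m["AC"], m["PR"], m["UI"], m["S"],
                  m["C"], m["I"], m["A"])


def environmental_score(vector):
    """Modified metrics override base ones ('X' keeps the base value),
    requirements weight C/I/A, then temporal factors scale the result."""
    m = parse_vector(vector)

    def pick(modified, base):
        return m[base] if m[modified] == "X" else m[modified]

    raw = _score(pick("MAV", "AV"), pick("MAC", "AC"), pick("MPR", "PR"),
                 pick("MUI", "UI"), pick("MS", "S"), pick("MC", "C"),
                 pick("MI", "I"), pick("MA", "A"),
                 REQ[m["CR"]], REQ[m["IR"]], REQ[m["AR"]], env=True)
    if raw == 0.0:
        return 0.0
    return roundup(raw * E[m["E"]] * RL[m["RL"]] * RC[m["RC"]])


# Constructed vectors: one vulnerability, scored in three contexts.
AS_PUBLISHED = "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
# Device on an isolated clinical segment (MAV:A); availability of therapy
# matters most (AR:H); only PoC exploit code exists (E:P); official fix (RL:O).
ISOLATED_NETWORK = AS_PUBLISHED + "/E:P/RL:O/RC:C/AR:H/MAV:A"
# Bedside device reachable only with physical access (MAV:P); little
# confidential data (CR:L) but integrity and availability requirements high.
PHYSICAL_ONLY = AS_PUBLISHED + "/CR:L/IR:H/AR:H/MAV:P"


def score_contexts():
    """Scores a manufacturer would report for each deployment context."""
    return {
        "base": base_score(AS_PUBLISHED),
        "isolated": environmental_score(ISOLATED_NETWORK),
        "physical": environmental_score(PHYSICAL_ONLY),
    }


if __name__ == "__main__":
    for context, score in score_contexts().items():
        print("%-9s %4.1f" % (context, score))
```

The same base vector scores 9.8 as published, but 7.9 once the device is known to sit on an isolated network with a fix available, and 6.8 when only physical access is possible. The cap of 0.915 on the modified impact sub-score is why raising the availability requirement to High does not push the score above the base: the requirements can sharpen which impact dominates, but cannot make a total compromise worse than total. The parser deliberately rejects CVSS:3.1 vectors because v3.1 changed the Changed-scope modified impact formula, so these numbers would differ slightly there.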