CVSSv3.0 Based Cybersecurity Tool for Medical Devices

by Govind Yatnalkar | Oct 30, 2020 | Cybersecurity, Digital Health, Medical Devices, Quality, Regulatory

The continuously growing elements of Industry 4.0 are the bits and bytes, or data. With platforms like the Internet of Things and the Cloud, an individual produces, on average, 1.70 megabytes of data every second.1 With such massive data flows, which also include private and critical data, network and data security becomes one of the key layers in any application or device architecture. This layer constitutes the platform of Cybersecurity and is vital when used in the medical and health industries.

To benchmark the level of Cybersecurity implemented in a system, the FDA approved a novel rubric developed by MITRE Corp. for measuring the implemented Cybersecurity levels in medical devices. This rubric is used in conjunction with the Common Vulnerability Scoring System, or CVSS version 3.0, which is an open and free industry standard for detecting and prioritizing risks or data vulnerabilities. CVSS was developed specifically for Information Systems and did not address the environmental details in which medical devices are built. The accepted rubric mitigates this issue, so that CVSS can be used for medical devices because the environment in which these devices are built becomes a part of the hazard analysis or risk assessment.2

FDA’s accepted novel rubric includes customized questions that are recorded by analysts, along with Subject Matter Experts (SMEs), at several decision points. These decision points are questions placed in a decision flowchart. These flowcharts offer a logical flow of all device actions and functions. There may be a case where a question has multiple answers; in such cases, the rubric guides you to select the worst-case answer. Each answer is mapped to a score given by the rubric along with CVSS scores. The major target of all these questions and answers is to keep following the root cause, which may be the actual vulnerability and an open point for multiple cyber-attacks. Each vulnerability should be treated as an individual element, and utilizing the rubric along with CVSS 3.0 produces a score that indicates the level of threat to the device for each element. In cases where the rubric does not assist with assigning a score, the CVSS 3.0 table can be referred to for guidance on scoring.3
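As an added example (not part of this article, and not MITRE's rubric tool), the following Python computes a CVSS v3.0 base score from the answers recorded at each decision point, applying the rubric's rule of keeping the worst-case answer when analysts record more than one. The metric weights and formula are those of the CVSS v3.0 specification; the severity ordering of answers and the sample answers are constructed for the example.

```python
import math

# Base-metric weights from the CVSS v3.0 specification.
WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
    "AC": {"L": 0.77, "H": 0.44},
    "UI": {"N": 0.85, "R": 0.62},
    "C": {"H": 0.56, "L": 0.22, "N": 0.0},
}
WEIGHTS["I"] = WEIGHTS["A"] = WEIGHTS["C"]  # same weights for all three impacts
# Privileges Required weights depend on whether Scope is Unchanged or Changed.
PR_WEIGHTS = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},
              "C": {"N": 0.85, "L": 0.68, "H": 0.50}}
# Possible answers per metric, ordered from least to most severe (constructed ordering).
SEVERITY_ORDER = {"AV": "PLAN", "AC": "HL", "PR": "HLN", "UI": "RN", "S": "UC",
                  "C": "NLH", "I": "NLH", "A": "NLH"}

def worst_case(metric, candidates):
    """Rubric rule: when a decision point has several answers, keep the worst one."""
    return max(candidates, key=SEVERITY_ORDER[metric].index)

def round_up(x):
    """CVSS Roundup: smallest one-decimal value >= x (v3.1 integer form, to
    avoid floating-point artifacts such as 4.0000000001 becoming 4.1)."""
    i = int(round(x * 100000))
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def base_score(m):
    """m maps each base metric (AV, AC, PR, UI, S, C, I, A) to a single answer."""
    iss = 1 - (1 - WEIGHTS["C"][m["C"]]) * (1 - WEIGHTS["I"][m["I"]]) * (1 - WEIGHTS["A"][m["A"]])
    if m["S"] == "U":
        impact = 6.42 * iss
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploitability = (8.22 * WEIGHTS["AV"][m["AV"]] * WEIGHTS["AC"][m["AC"]]
                      * PR_WEIGHTS[m["S"]][m["PR"]] * WEIGHTS["UI"][m["UI"]])
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    if m["S"] == "C":
        total *= 1.08
    return round_up(min(total, 10))

def score_from_answers(answers):
    """answers maps each metric to the set of answers recorded at its decision point."""
    chosen = {metric: worst_case(metric, cands) for metric, cands in answers.items()}
    vector = "CVSS:3.0/" + "/".join(f"{k}:{chosen[k]}" for k in SEVERITY_ORDER)
    return vector, base_score(chosen)
```

For a networked device where analysts recorded both Adjacent and Network for Attack Vector, `score_from_answers` resolves the vector to AV:N and scores it accordingly.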

Even though the rubric provides a way to label and prioritize system vulnerabilities, users can proactively take some actions to avoid data breaches and unauthorized access. For example, when selecting the technology stack, the latest tech stacks should be chosen, as older versions may not even recognize new malware and ransomware. Current Cybersecurity frameworks accepted by the FDA should be utilized when adding medical device security measures. Moreover, users, including patients, healthcare personnel, and manufacturers, should be trained to prevent unauthorized access by users outside the system. Lastly, the implemented tool may itself be software, and therefore, when running in a medical setting, should be FDA compliant, meaning the software has been sufficiently tested and documented, captures all potential hazards, and, most significantly, meets all FDA regulatory guidelines.

To summarize, Cybersecurity is critical when designing, developing, and deploying medical applications and devices. Also, current tools such as the FDA-accepted novel rubric with CVSS v3.0 should be utilized to prioritize vulnerabilities. Do you have a Cybersecurity-based medical device that needs FDA approval? Our regulatory experts at EMMA International can help ensure your system is FDA compliant. Contact us at 248-987-4497 or info@emmainternational.com for additional information.


1 Jacquelyn Bulao (September 2020). How Much Data Is Created Every Day in 2020? Retrieved on October 25th, 2020 from https://techjury.net/blog/how-much-data-is-created-every-day/#gref.

2 FDA (October 22nd, 2020). Cybersecurity. Retrieved on October 27th, 2020 from https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity.

3 Steve Christey Colley, Penny Chase (October 27, 2020). Rubric for Applying CVSS to Medical Devices. Retrieved on October 28th, 2020 from https://www.mitre.org/sites/default/files/publications/pr-18-2208-rubric-for-applying-cvss-to-medical-devices.pdf.


Govind Yatnalkar

