Newly updated Food and Drug Administration guidelines will help experts to more accurately score and communicate the criticality of security vulnerabilities identified in medical devices, says Elad Luz of security research firm CyberMDX.
The FDA's new resource, "Rubric for Applying the Cybersecurity Common Vulnerability Scoring System To Medical Devices," was developed by the agency and Mitre Corp and unveiled in October.
When used together with the cybersecurity standard CVSSv3.0, the FDA tool provides a common framework for risk evaluation and more accurate severity scoring of security vulnerabilities identified in medical devices, by researchers such as Luz, as well as manufacturers, regulators and others, he says.
"CVSS is a widely adopted method for evaluating software vulnerabilities," including those used in more general IT products, he notes.
"The problem is that when you use CVSS for medical devices ... you will find unclear areas" that cause disagreements among researchers, manufacturers and regulators about the severity of security vulnerabilities identified in healthcare gear and the risk to patient safety, he says.
"For example, CVSS measures potential impact on confidentiality, integrity and availability of a device. But the problem is that [CVSS scores alone] do not speak about patient safety or calculate things like life threats," he says.
In the interview (see audio link below photo), Luz also discusses:
Support the originator by clicking the read the rest link below.
