28 October 2020 - October is National Cybersecurity Awareness month, so we think there is no better time to talk about FDA’s new qualified tool for assessing medical device cybersecurity vulnerabilities and why using it makes sense to help you #BeCyberSmart.
By: Ryan Satterly, R&Q Project Engineer
What does cybersecurity have to do with medical devices?
An April 2020 report by cybersecurity company RiskIQ states that ransomware attacks on healthcare facilities increased by 35% between 2016 and 2019. [1] According to a CBS News article, Dr. Suzanne Schwartz, who oversees medical device cybersecurity at the U.S. Food & Drug Administration (FDA), says that "any device can be hacked and that's often not understood." [2] Attackers can lock up hospital systems, rendering them unusable, in hopes of receiving a ransom before allowing users to regain access.
If a medical device runs software or firmware, it can serve as an entry point for attackers into the wider hospital network. In response to this alarming trend, FDA and other regulatory agencies expect medical device manufacturers to identify and reduce cybersecurity vulnerabilities in their devices. One tool for assessing cybersecurity vulnerabilities is the Common Vulnerability Scoring System (CVSS).
FDA qualification of CVSS
FDA's Medical Device Development Tools (MDDT) program allows FDA to qualify tools that medical device manufacturers can use in the development and evaluation of medical devices. In October 2020, the rubric for applying CVSS to Medical Devices was qualified by FDA.
What is CVSS and why does it exist?
The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. Using an equation, CVSS assigns severity scores to vulnerabilities to provide users a way to prioritize responses.
CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization. Additional information about CVSS, as well as the most current CVSS resources, can be found on FIRST's website (https://www.first.org/cvss/).
Challenges of CVSS applied to medical devices
While CVSS does provide a standardized vulnerability scoring methodology, it was developed for enterprise information technology systems and does not reflect the clinical environment in which a medical device operates. As a result, the MITRE Corporation, under contract to FDA, developed a rubric that provides guidance on how CVSS can be used as part of a risk assessment for a medical device.
The rubric includes the information needed (scoring guidance, the output of the rubric, and the base, temporal and environmental metric groups) to help medical device manufacturers apply CVSS to their devices. It also poses a set of questions for each metric in the vector, making it easier for manufacturers to choose the appropriate value to enter into the tool.
My experience with CVSS
In 2019, an R&Q client was audited by FDA and received a subsequent warning letter, which included gaps in the process for assessing cybersecurity vulnerabilities. In collaboration with FDA, the client upgraded their cybersecurity and risk management procedures to improve integration and we tested the new procedures from a risk management perspective.
We received a threat model created by the product security team using CVSS version 3.0 and used the results as input to the risk assessment. We then provided an example back to FDA so they could see the result of the procedural relationship between security and risk. Their biggest piece of advice was to assess these safety risks for standalone devices as well as for large groups of devices. FDA wanted to make sure that my client thought about "what happens if a hacker has access to or shuts down all the devices in an entire hospital or multiple facilities?"
What does this mean for you?
FDA's draft guidance for management of cybersecurity in medical devices applies to all devices that contain software (including firmware) or programmable logic as well as software that is a medical device. If you are a manufacturer of a device that falls into this category, you will need to assess vulnerabilities and translate those into potential safety risks.
Conclusion
We recommend that medical device manufacturers utilize the qualified CVSS rubric and have open discussions with FDA. Use Q-Sub (pre-submission) meetings to discuss your procedural approach for identifying vulnerabilities and reducing safety risks. Manufacturers choosing to use this tool will already be aligned with FDA, and it should make at least part of the pre-market documentation review a little easier, assuming the tool is used as intended.
Check out FDA's cybersecurity resources, which FDA is promoting during National Cybersecurity Awareness Month! [3]
Have questions? R&Q has answers and is available to help you keep your devices safe and effective... and your business growing. Our dedicated (and highly qualified/proficient) team stays on top of the newest regulations and industry trends, and uses our industry connections to grasp what our competition might not. Learn more about how we can help on our website.
More resources at your fingertips.
Subscribe to the R&Q Resources blog for all upcoming and on-demand education available from R&Q, including industry-leading webinars, biweekly RQM+ Live! shows, commentary from our thought leaders, Q&A features, and more.
Sources:
[1] RiskIQ. RiskIQ i3 Intelligence Brief: Ransomware in Health Sector 2020: A Perfect Storm of New Targets and Methods. Published 9 April 2020. Accessed 24 October 2020. https://www.riskiq.com/wp-content/uploads/2020/04/Ransomware-in-Health-Sector-Intelligence-Brief-RiskIQ.pdf
[2] CBS News. How medical devices like pacemakers and insulin pumps can be hacked. Published 8 November 2018. Accessed 24 October 2020. https://www.cbsnews.com/news/cybersecurity-researchers-show-medical-devices-hacking-vulnerabilities/
[3] U.S. Food and Drug Administration (FDA). Cybersecurity. Current as of 22 October 2020. Accessed 24 October 2020. https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity#guidance
[4] U.S. Food and Drug Administration (FDA). Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. Draft Guidance for Industry and Food and Drug Administration Staff. Published 18 October 2018. Accessed 24 October 2020. https://www.fda.gov/media/119933/download
[5] U.S. Food and Drug Administration (FDA). MDDT Summary of Evidence and Basis of Qualification Decision for Rubric for Applying CVSS to Medical Devices, Version 0.12.04. Published 3 September 2019. Accessed 24 October 2020. https://www.fda.gov/media/143131/download?utm_medium=email&utm_source=govdelivery
[6] U.S. Food and Drug Administration (FDA). Medical Device Development Tools (MDDT). Current as of 20 October 2020. Accessed 24 October 2020. https://www.fda.gov/medical-devices/science-and-research-medical-devices/medical-device-development-tools-mddt
[7] Christey Coley, Steve, and Chase, Penny. MITRE Corporation. Rubric for Applying CVSS to Medical Devices, Version 0.12.04. Published 3 September 2019. Accessed 24 October 2020. https://www.mitre.org/sites/default/files/publications/pr-18-2208-rubric-for-applying-cvss-to-medical-devices.pdf