Conduct Your Risk Assessment Using the CVSS Standard
Management of cybersecurity across the lifecycle of a medical device includes repeated assessment of the device's vulnerabilities, categorization of their severity, and prioritization of risk mitigations and controls. The FDA encourages the use of accepted standards in the evaluation of medical devices and has selected the Common Vulnerability Scoring System (CVSS) as an appropriate option for cybersecurity risk assessment.

CVSS was originally designed for enterprise IT systems, so the FDA asked the non-profit MITRE Corporation to adapt the standard for use in device evaluation. Their work product is a scoring rubric that is currently available in draft on the MITRE website. The rubric is a series of structured questions intended to be answered by a team of subject matter experts (including experts on device design, patient health, and healthcare delivery, as well as IT and cybersecurity) to evaluate each part of a device for cybersecurity vulnerability. Each question includes relevant examples of risks observed in devices to help the team answer the question and score the risk consistently.

Use of the rubric within an ISO 14971-compliant risk management process can help manufacturers identify reportable risks to patient safety and assess the effectiveness of mitigation strategies.

You can read Part I of the series here.
Reach out to me if you want to know more or discuss your medical product development challenges.
https://calendly.com/katrinarogers
Text Copyright © 2020 Katrina Rogers