A Medical Vulnerability Scoring System Incorporating Health and Data Sensitivity Metrics
With the advent of complex software and increased connectivity, security of life-critical medical devices is becoming an increasing concern, particularly with their direct impact to human safety. Security is essential, but it is impossible to develop completely secure and impenetrable systems at design time. Therefore, it is important to assess the potential impact on security and safety of exploiting a vulnerability in such critical medical systems. The common vulnerability scoring system (CVSS) calculates the severity of exploitable vulnerabilities. However, for medical devices, it does not consider the unique challenges of impacts to human health and privacy. Thus, the scoring of a medical device on which a human life depends (e.g., pacemakers, insulin pumps) can score very low, while a system on which a human life does not depend (e.g., hospital archiving systems) might score very high. In this paper, we present a Medical Vulnerability Scoring System (MVSS) that extends CVSS to address the health and privacy concerns of medical devices. We propose incorporating two new parameters, namely health impact and sensitivity impact. Sensitivity refers to the type of information that can be stolen from the device, and health represents the impact to the safety of the patient if the vulnerability is exploited (e.g., potential harm, life threatening). We evaluate 15 different known vulnerabilities in medical devices and compare MVSS against two state-of-the-art medical device-oriented vulnerability scoring system and the foundational CVSS.Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 444
 Ralston, P.A., Graham, J.H. and Hieb, J.L., “Cyber security risk assessment for SCADA and DCS networks”, ISA transactions, 46(4), pp.583-594, 2007.
 Vellaithurai, C., Srivastava, A., Zonouz, S. and Berthier, R., “CPIndex: Cyber-physical vulnerability assessment for power-grid infrastructures”, IEEE Transactions on Smart Grid, 6(2), pp.566-575, 2014.
 Collier, Z.A., DiMase, D., Walters, S., Tehranipoor, M.M., Lambert, J.H. and Linkov, I., “Cybersecurity standards: Managing risk and creating resilience”, Computer, 47(9), pp.70-76, 2014.
 DeSmit, Z., Elhabashy, A.E., Wells, L.J. and Camelio, J.A., “An approach to cyber-physical vulnerability assessment for intelligent manufacturing systems”, Journal of Manufacturing Systems, 43, pp.339-351, 2017.
 The MITRE Corporation, “Rubric for applying CVSS to Medical Devices”, October 27 2020, (Online), Available: https://www.mitre.org/sites/default/files/publications/pr-18-2208-rubric-for-applying-cvss-to-medical-devices.pdf, Accessed: January 2021.
 QED Secure Solutions, “Risk Scoring System for Medical Devices”, 2019, (Online), Available: https://www.riskscoringsystem.com/medical/, Accessed: January 2020.
 FDA - U.S. Food and Drug Administration, “Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices”, 2005, (Online), Available: http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm089593.pdf, Accessed: January 2020.
 FDA - U.S. Food and Drug Administration, “Postmarket Management of Cybersecurity in Medical Devices”, 2016, (Online), Available http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf, Accessed: January 2020.
 Department of Health and Human Services. Health insurance reform: security standards; final rule. Fed Regist 2003;68(34): 8334-81.
 FIRST.org Inc., “Common Vulnerability Scoring System v3.1”, 2019, (Online), Available: https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf, Accessed: January 2020.
 Winkler, W. E., "String Comparator Metrics and Enhanced Decision Rules in the Fellegi-Sunter Model of Record Linkage", 1990, Proceedings of the Section on Survey Research Methods. American Statistical Association: 354–359.
 Hospira Infusion pump https://www.us-cert.gov/ics/advisories/ICSA-15-174-01
 Becton Dickinson Syringe pump https://www.us-cert.gov/ics/advisories/ICSMA-18-235-01
 Qualcomm Datacaptor Terminal Server (DTS) https://www.us-cert.gov/ics/advisories/ICSMA-18-240-01
 Medtronic MyCare Patient Monitor https://www.us-cert.gov/ics/advisories/ICSMA-18-179-01
 Phillips Cardiograph https://www.us-cert.gov/ics/advisories/ICSMA-18-228-01
 Phillips CT Scanner https://www.us-cert.gov/ics/advisories/ICSMA-18-123-01
 Medtronic insulin pump https://www.us-cert.gov/ics/advisories/ICSMA-18-219-02
 Johnson & Johnson Insulin pump https://www.us-cert.gov/ics/advisories/ICSMA-16-279-01
 Phillips Medical imaging archiving communications systems https://ics-cert.us-cert.gov/advisories/ICSMA-18-088-01
 Abott Pacemaker https://www.us-cert.gov/ics/advisories/ICSMA-17-241-01
 Smiths Infusion pump https://www.us-cert.gov/ics/advisories/ICSMA-17-250-02A
 Medtronic Conexus Radio Frequency Telemetry Protocol https://www.us-cert.gov/ics/advisories/ICSMA-19-080-01
 Medtronic 9790, 2090 CareLink, and 29901 Encore Programmers https://www.us-cert.gov/ics/advisories/ICSMA-18-347-01
 Abbot Defibrillator https://www.us-cert.gov/ics/advisories/ICSMA-18-107-01
 HealthSuite Health Android App https://ics-cert.us-cert.gov/advisories/ICSMA-18-340-01
 Ian Stine, M. Rice, S. Dunlap, and J. Pecarina. “A cyber risk scoring system for medical devices”. Int. J. Crit. Infrastruct. Prot. 19, C (December 2017), 32–4.
 ICS-CERT Advisories (Online), https://us-cert.cisa.gov/ics/advisories, Accessed: January 2021.
 FDA Abott Pacemaker Recall https://www.fda.gov/medical-devices/medical-device-recalls/abbott-formally-known-st-jude-medical-recalls-assuritytm-and-enduritytm-pacemakers-potential