A Medical Vulnerability Scoring System Incorporating Health and Data Sensitivity Metrics

Authors: Nadir A. Carreón, Christa Sonderer, Aakarsh Rao, Roman Lysecky


With the advent of complex software and increased connectivity, the security of life-critical medical devices is becoming an increasing concern, particularly given their direct impact on human safety. Security is essential, but it is impossible to develop completely secure and impenetrable systems at design time. Therefore, it is important to assess the potential impact on security and safety of exploiting a vulnerability in such critical medical systems. The Common Vulnerability Scoring System (CVSS) calculates the severity of exploitable vulnerabilities. However, for medical devices, it does not consider the unique challenges of impacts on human health and privacy. Thus, a medical device on which a human life depends (e.g., pacemakers, insulin pumps) can score very low, while a system on which a human life does not depend (e.g., hospital archiving systems) might score very high. In this paper, we present a Medical Vulnerability Scoring System (MVSS) that extends CVSS to address the health and privacy concerns of medical devices. We propose incorporating two new parameters, namely health impact and sensitivity impact. Sensitivity refers to the type of information that can be stolen from the device, and health represents the impact on the safety of the patient if the vulnerability is exploited (e.g., potential harm, life-threatening). We evaluate 15 different known vulnerabilities in medical devices and compare MVSS against two state-of-the-art medical device-oriented vulnerability scoring systems and the foundational CVSS.

Keywords: Common vulnerability system, medical devices, medical device security, vulnerabilities.


