Software Integrity Blog


New risk assessments for old medical device security flaws

On Wednesday, representatives from MITRE proposed risk assessments for medical devices using existing frameworks.

Presenting at SOURCE Boston Penny Chase and Steve Christey Coley, of the MITRE Corporation noted that that medical devices incorporate the use of third-party software, operating systems, and workstations; are subject to regulation, which can limit ability to patch and reconfigure them; are exposed to limited clinical trials, so many flaws aren’t discovered until devices are on the market, and are often made by manufacturers who don’t incorporate security testing.

Synopsys recently found one medical product had 1418 vulnerabilities.

Chase and Coley, in their talk “Toward Consistent, Usable Security Risk Assessment of Medical Devices”, said determining risk requires, “a delicate balance of security, safety and privacy – they overlap. “Each can interfere with the other,”said Chase, according to CSO Online. “You don’t want the AV (antivirus) firing during surgery.”

The greater good of the use of a device often offsets the small risk of compromise.

Nonetheless there are efforts to adapt MITRE’s Common Vulnerability Scoring System (CVSS) to healthcare. This would focus the scoring what the actual impact of a vulnerability would be for patient safety, and put it into the context of its value to the providers and patients.

Often a “base score” can exaggerate the risk because it is assessed generally and not in context.

Context, Chase and Coley said, could be found in other frameworks like the Common Weakness Scoring System (CWSS) and the related Common Weakness Risk Assessment Framework (CWRAF).

“The goal is to take the environment into consideration along with the base score,” Coley said. “We don’t want FUD (fear, uncertainty and doubt) to make patients fearful of life-saving therapy.”


More by this author