Cybersecurity Management Expectations Clarified By FDA
The FDA has made it abundantly clear that it expects medical device manufacturers and other life sciences firms to have strong cybersecurity management programs. Since the FDA hasn’t always been clear on what it expects on a granular level the Common Vulnerability Scoring System can provide much needed guidance.
Common Vulnerability Scoring System (CVSS)
The FDA is directing pharmaceutical and medical device manufacturers to an important document from the non-profit FIRST organization that helps manufacturers identify and prioritize risk. It’s called the Common Vulnerability Scoring System (CVSS) v3.0.
We’ve written frequently about the increasing challenges of cybersecurity for medical device, pharmaceutical and utility companies. The challenge is great. The solutions are not always so clear. The CVSS is a welcome addition to the discussion.
The Rise of Cybersecurity Risks
“Software, hardware and firmware vulnerabilities pose a critical risk to any organization operating a computer network, and can be difficult to categorize and mitigate,” the CVSS Specification Document notes.
CVSS Contains 3 Metric Groups
CVSS consists of three metric groups: Base, Temporal, and Environmental.
- The Base group represents the intrinsic qualities of a vulnerability, including attack vector and complexity, and impact on confidentiality, integrity and product availability.
- The Temporal group reflects the characteristics of a vulnerability that may change over time, including remediation level.
- The Environmental group represents characteristics of a vulnerability that are unique to a user’s environment. Factors here include confidentiality, integrity and availability requirements.
Base metrics produce a score ranging from zero to ten. Those scores can then be modified by factoring in Temporal and Environmental metrics.
Standardized Vulnerability Scores
The CVSS provides a way to capture the principal characteristics of a vulnerability, and produce a numerical score reflecting its severity. CVSS delivers standardized vulnerability scores. That score can in turn be translated into a low, medium, high schematic. Even more helpful, CVSS provides an open framework. Instead of relying on arbitrary scoring by a third party, CVSS offers transparent scores.
Easier To Prioritize Risk
In regard to determining risk management outcomes, the CVSS also makes it much easier to prioritize risk. When the full Environmental score is computed, the vulnerability becomes contextual to each organization. This “helps provide a better understanding of the risk posed by this [specific] vulnerability to the organization,” the document notes.
Organizations Formally Agree To Collaborate Regarding Cybersecurity
Elsewhere, organizations are coming together to help medical device manufacturers better define and understand potential risks. In October, the National Health Information Sharing and Analysis Center (NH-ISAC), the Medical Device Innovation, Safety and Security Consortium (MDISS), and the U.S. Food and Drug Administration (FDA) Center For Devices and Radiological Health (CDRH) signed an agreement to collaborate in several areas, including:
- Creating an environment that fosters stakeholder collaboration and communication,. It should encourage the sharing of information about cybersecurity vulnerabilities that may affect the safety, effectiveness and security of the medical devices, and/or the integrity and security of the surrounding healthcare IT infrastructure;
- Developing awareness of the Framework for Improving Critical Infrastructure Cybersecurity. This is designed to enable stakeholders to successfully adapt and operationalize the framework for their organizations and products;
- Encouraging stakeholders to develop innovative strategies to assess and mitigate cybersecurity vulnerabilities that affect their products; and
- Building a foundation of trust within the community. The hope here is that all healthcare technology and medical device stakeholders can directly benefit from the sharing of cybersecurity vulnerability- and/or threat information, as well as intelligence feeds from other Critical Infrastructure Sectors that may secondarily affect healthcare and the public health.
Is Your Company Ready For A Cyberattack?
Whether it’s a hack of the utility grid or tampering with pharmaceutical or medical device integrity, bad actors are developing more sophisticated tools designed to wreak havoc on operations. Smart companies are taking the necessary steps to clearly define risk. The next step is finding tools and tactics to prevent or mitigate those dangerous threats.
A cyberattack can happen at any time. Medical device manufacturers must have a strong resource that provides critical analysis for effective decision making. An automated quality management system that includes a strong risk management solution like AssurX provides those critical tools when the unthinkable – a cyberattack – occurs.