FDA-tasked Mitre Forges Ahead with Cyber Vulnerability Scoring System Tailored to Devices

Posted 31 January 2019 | By Ana Mulero 

Under a US Food and Drug Administration (FDA) contract, a new rubric developed by the Mitre Corporation is the first-of-its-kind to be specifically tailored to medical devices, and is set to take the form of a medical device development tool (MDDT) to ensure consistency in scoring cybersecurity risks.

The common vulnerability scoring system (CVSS) open standard for assessing software vulnerability severity has seen widespread use on an international scale since its 2005 initial release, but it had not been calibrated for health care-specific risk metrics until now. The draft version of Mitre’s document that set forth the new first-of-its-kind rubric for applying CVSS to medical devices was released for comment earlier this month and discussed by participants at a two-day FDA public workshop this week.

The medical device rubric comprises a series of questions at decision points for each CVSS vector element, Mitre information technology and cybersecurity integrator Penny Chase explained during the workshop on FDA’s October 2018 draft guidance on cybersecurity management. It includes considerations that are relevant to device manufacturers and health care delivery organizations (HDOs), such as patient safety and device-specific examples.

“When the answer to a question suggests that the vulnerability might have an adverse effect on patient safety, there is an explicit notice that the analyst might need to perform a safety-oriented hazards analysis to determine whether the issue must be reported” to FDA’s Center for Devices and Radiological Health (CDRH) as covered in CDRH’s postmarket cybersecurity final guidance, the rubric states. Such items are marked as PIPS, which stands for “Potential Impact to Patient Safety.”

The rubric speaks to an emerging movement around cybersecurity as a shared responsibility. It would mark the beginning of a consistent approach when assessing urgency of response. For device manufacturers, it holds potential for earlier interventions and cost savings. For FDA, the implications relate to the burden associated with patient safety notices and letters to providers. For HDOs, the rubric would also aid health care providers in prioritizing responses with scores accounting for FDA and/or manufacturer-identified mitigation measures. This would in turn enable HDOs to assess the effectiveness of measures that have already been implemented.

A rubric tailored to medical devices has been greatly anticipated by industry and agency officials. It is intended to help deliver on certain aspects of the revised approach outlined in the recent draft guidance, which proposed updates to 2014 premarket policies for strengthened cybersecurity.

FDA Commissioner Scott Gottlieb noted that the workshop highlighted “three cornerstones of medical device cybersecurity: Trustworthiness. Transparency. Resilience.” These informed new themes in the draft guidance. “When implemented in the premarket phase, these principles help ensure stronger device security across a product’s use life,” Gottlieb said. The rubric seeks to deliver on these principles.

To develop the rubric, Mitre launched an investigation into how the lack of consistency across the medical device ecosystem in conveying vulnerability severity can result in inaccurate risk scores. It formed a new working group about two years ago that helped inform the rubric’s development, with participation ranging from FDA and medical device manufacturers to HDOs and security experts, Mitre principal information security engineer Steve Christey Coley told Focus.

The goal is to have the rubric qualified under CDRH’s MDDT program “to help the community develop more useful risk metrics that also can be supplied as regulatory evidence” to FDA, CDRH and Mitre leadership noted in a 2018 article published in an Association for the Advancement of Medical Instrumentation peer-reviewed journal on the evolving state of medical device cybersecurity.

The MDDT program was operationalized in recent years and has not seen much action since then. The second MDDT to receive FDA qualification—a 21-item questionnaire on quality of life in heart failure patients—was announced last May. Still, FDA is committed to further program growth.

Chase told Focus that Mitre submitted its proposal last year to have the rubric prequalified and subsequently received the go ahead to submit a prequalification package to the MDDT panel. “So, what we’re doing over the next couple of months is finishing up that prequalification package and a large part of that is going to be conducting additional evidence-gathering pilots to address some of the questions that the MDDT panel has about the broad applicability of the rubric to a wide range of prices,” Chase said.

If everything pans out in the upcoming months, the rubric will become the third FDA-qualified MDDT for public use by the end of this year. Further, MDDT qualification will enable a standardized approach for manufacturers to assess potential cybersecurity risk in the product development phase consistent with the idea of security by design.

As part of FDA's revamped approach, Mitre was previously tasked with developing a medical device cybersecurity regional incident preparedness and response playbook in collaboration with the agency. CDRH's draft guidance on premarket cybersecurity was released shortly after this playbook last October. Yet another FDA-Mitre collaboration already underway is intended to pilot the development of a CyberMed Safety (Expert) Analysis Board—a pillar of the cybersecurity framework under FDA’s medical device safety action plan.
