Security: can CVSS be used for medical device software?


Security risk assessment is one part of working with medical device software; safety risk assessment is another. Both require close attention and should not be done in isolation, because the two are usually interdependent.

This creates a dilemma. Some security measures make sense on their own but become counterproductive once safety enters the equation. Password-protecting software to prevent unauthorised access is a logical step, until that software is needed in an emergency to save a life. Where seconds decide the course of action, having to type a password can cost a life.

The challenge when working with medical devices is a conflict between safety and security that is sometimes unavoidable: security features can prevent proper treatment and thereby cause safety issues, and safety features can weaken security. In such cases it may be necessary to “sacrifice” some security for the sake of safety. The interaction between security and safety therefore deserves great care.

Figure 4 - Relationships between the security risk and safety risk management processes
Taken from AAMI TIR57, Principles for medical device security – Risk management

So, to finally address the question from the title – can CVSS be used for medical device software, or is its use limited to non-medical software only?

Let’s start by explaining what it is, and what it is used for.

CVSS, which stands for Common Vulnerability Scoring System, is an open industry standard for assessing the severity and the characteristics of computer system security vulnerabilities. In CVSS v3.x it comprises three metric groups:

  • Base – the intrinsic properties of the vulnerability (how it is reached, what privileges and user interaction it needs, and its impact on confidentiality, integrity and availability), which do not change over time or between deployments
  • Temporal – what is currently known about the vulnerability: exploit code maturity, remediation level and report confidence
  • Environmental – the context of the organisation deploying the software: modified Base metrics plus its own confidentiality, integrity and availability requirements

(CVSS v4.0, published in 2023, keeps the Base and Environmental groups, renames Temporal to Threat, and adds a non-scoring Supplemental group.)

According to FIRST (the Forum of Incident Response and Security Teams, which maintains the standard), CVSS is widely used across organisations and industries because it produces scores that are consistent and repeatable. It expresses the severity of a vulnerability as a number between 0.0 and 10.0 and serves as one input to prioritising remediation work; FIRST itself stresses that CVSS measures severity, not risk, so the score alone does not tell you what to fix first. Base scores for published CVEs can be found in the National Vulnerability Database (NVD); Temporal and Environmental scores are not supplied there because they depend on the situation and the deployment.

The use of CVSS is by no means limited to non-medical software, so the answer to the question in the title is yes: it can be used for medical device software too.

However, to return to the beginning of this article: when carrying out a security risk assessment, special attention must be paid to the conflict between security and safety described above, because that is how potentially catastrophic consequences are avoided. This is also why there is no single industry security standard that medical device software can simply reference: it is usually not enough to pick one security standard and follow its requirements. Safety and security have to be balanced, and decisions have to be made that allow the two to coexist.

It is up to you to choose among the available approaches to security assessment and find the solution that fits your company.

One source to learn from is IEC TR 60601-4-5, Medical electrical equipment – Part 4-5: Guidance and interpretation – Safety-related technical security specifications. According to it:

To determine the required ESSENTIAL FUNCTION, a benefit-risk analysis (between safety and security) should be conducted to determine which functionality can be sacrificed, and which cannot.

Would you like to learn more about Medical Software Development?

Get instant access to our online Software for Medical Devices and IEC 62304 course right here. In 15-25 hours, you can learn how to be effective in medical device software development according to the IEC 62304 standard. The course is suitable for anyone working with software development, such as R&D engineers, quality assurance department and auditors of software development. The course does not cover actual coding.

Or if you’re looking for a tailored training to align with your company’s specific needs – contact us for inhouse training options. 


Christian Kaestner

Christian Kaestner is a consultant and entrepreneur with a wealth of knowledge about the medical device industry. He is an expert member of the project team authoring IEC 62304 and also actively participated in the creation of IEC 82304-1.

He has extensive experience in medical device development and, as a software developer himself, a strong dedication to software development. In the software domain he has worked in many roles, including software developer, project manager, auditor and quality manager.
