Security risk assessment is one part of working on medical device software; safety risk assessment is another. Both demand close attention, and they should not be done in isolation, because the two are usually intertwined.
This creates a dilemma. A control that makes sense from a purely security standpoint can become counterproductive once safety enters the equation. Protecting the software with a password to prevent unauthorised access is a logical step, until the device is needed in an emergency to save a life: where seconds decide the course of action, typing a password can cost that life.
The challenge when working with medical devices is a sometimes inevitable conflict between safety and security. This occurs because security features might prevent proper treatment and cause safety issues, and vice versa. In these cases, it might be necessary to “sacrifice” security for the sake of safety. Therefore, great importance lies in the interaction between security and safety.
Taken from AAMI TIR57, Principles for medical device security – Risk management
So, to finally address the question from the title – can CVSS be used for medical device software, or is its use limited to non-medical software only?
Let’s start by explaining what it is, and what it is used for.
CVSS, the Common Vulnerability Scoring System, is an open industry standard maintained by FIRST for describing the characteristics of a software vulnerability and scoring its severity. In CVSS v3.x it comprises three metric groups: Base (the intrinsic properties of the vulnerability, constant over time and across environments), Temporal (factors that change over time, such as exploit maturity and remediation level) and Environmental (the impact in a specific deployment, expressed through the Confidentiality, Integrity and Availability Requirements and through modified Base metrics).
According to FIRST, CVSS is widely adopted across organizations and industries because it yields scores that are consistent and repeatable. A score expresses the severity of a vulnerability in a system, and it also serves as one input, though not the only one, for prioritizing remediation work. CVSS scores for most published CVEs can be found in the National Vulnerability Database (NVD); note that the NVD publishes Base scores only, and the Temporal and Environmental metrics are left to whoever manufactures or operates the affected product.
Nothing in CVSS limits it to non-medical software, so the answer to the question in the title is yes: it can be used for medical device software too. The difference lies in how it is used, not in whether it can be.
However, to return to the beginning of this article, security risk assessment for a medical device has to account for the conflict between security and safety described above; ignoring it can have catastrophic consequences. This is also why regulatory guidance for medical device software does not simply point at one security standard to follow: a Base score describes the technical severity of a vulnerability, not what it means for the patient, and picking a standard and following its requirements is rarely enough on its own. (MITRE’s Rubric for Applying CVSS to Medical Devices, which the FDA recognizes as a consensus standard, helps with the scoring step, but it does not replace the safety analysis.) Safety and security have to be balanced, and explicit decisions are needed to let the two coexist.
Which of the available approaches to security assessment you choose, and how you combine them, is a decision each company has to make for itself.
One source of guidance on this is IEC TR 60601-4-5, Medical electrical equipment – Part 4-5: Guidance and interpretation – Safety-related technical security specifications. According to it,
To determine the required ESSENTIAL FUNCTION, a benefit-risk analysis (between safety and security) should be conducted to determine which functionality can be sacrificed, and which cannot.
Christian Kaestner is a consultant and entrepreneur with a wealth of knowledge about the medical device industry. He is an expert member of the project team authoring IEC 62304 and also actively participated in the creation of IEC 82304-1.
He has extensive experience in medical device development and, having started out as a software developer, a strong commitment to the software side of it. In the software domain he has worked in many roles, including software developer, project manager, auditor and quality manager.