CyberMed

Vulnerability Assessment and Response

Post-Market Security Management · 2 min read

Assess every new vulnerability in four steps: triage whether it affects your device at all, analyze exploitability in your actual deployment, analyze the patient safety and security impact, then score the risk to set a response deadline. A CVSS 9+ finding gets a 24 to 48 hour response, while low scores can wait for the next release.

5.4.1 The Assessment Process

When a vulnerability is discovered, you need a systematic assessment process:

flowchart TD
    A[Vulnerability Discovered] --> B[Initial Triage]
    B --> C{Affects Our Device?}
    C -->|No| D[Document and Close]
    C -->|Yes| E[Detailed Assessment]
    E --> F[Exploitability Analysis]
    F --> G[Impact Analysis]
    G --> H[Risk Scoring]
    H --> I{Risk Level?}
    I -->|Critical| J[Emergency Response]
    I -->|High| K[Expedited Response]
    I -->|Medium| L[Standard Response]
    I -->|Low| M[Scheduled Response]

5.4.2 Exploitability Analysis

Not all vulnerabilities are equal. Assess exploitability by examining:

Attack Vector:

  • Network accessible?
  • Requires physical access?
  • Needs authentication?
  • User interaction required?

Attack Complexity:

  • Easy to exploit?
  • Requires special conditions?
  • Timing dependent?
  • Needs insider knowledge?

Required Privileges:

  • No authentication needed?
  • Basic user sufficient?
  • Admin rights required?
  • Physical access needed?

Example Assessment:

Factor          Assessment                   Notes
Component       OpenSSL 1.1.1k               TLS/cryptography library; 1.1.1k is in the affected range (1.1.1 through 1.1.1k, fixed in 1.1.1l)
Vulnerability   CVE-2021-3711                Buffer overflow in SM2 decryption; published base score 9.8 (Critical)
Attack Vector   Network (as published)       Device is air-gapped, so the modified attack vector for this deployment is Physical
Complexity      Low                          Once an attacker can reach the vulnerable decryption routine
Privileges      None                         Anonymous attack
Exploitable?    Not in current deployment    No network path exists. Confirm no other input (service port, USB, removable media) hands attacker-supplied SM2 ciphertext to OpenSSL, and re-assess if connectivity is ever added

5.4.3 Impact Analysis

If exploitable, what's the impact?

Patient Safety Impact:

  • Could therapy be affected?
  • Might monitoring fail?
  • Could data be corrupted?
  • Would device availability suffer?

Security Impact:

  • Data confidentiality loss?
  • System integrity compromise?
  • Availability disruption?
  • Authentication bypass?

Business Impact:

  • Regulatory action risk?
  • Reputation damage?
  • Liability exposure?
  • Operational disruption?

5.4.4 Risk Scoring and Prioritization

Use the MITRE Medical Device CVSS Rubric:

Base Score Calculation:

  • Score the standard CVSS base metrics for the component as published, independent of where it is deployed
  • Answer each metric with the rubric's medical-device questions so that different assessors score the same way
  • Map patient-safety consequences onto the impact metrics (Confidentiality, Integrity, Availability); CVSS has no separate safety metric
  • Keep mitigations and deployment specifics out of the base score; they belong in the environmental metrics below

Temporal Factors:

  • Exploit Code Maturity: is a proof of concept or working exploit public?
  • Remediation Level: is an official fix, temporary fix or workaround available?
  • Report Confidence: how well confirmed is the vulnerability?

Environmental Factors:

  • Your specific deployment, expressed as modified base metrics (an air-gapped device changes the attack vector to Physical)
  • Existing controls that change exploitability or limit impact
  • Patient population and clinical context, expressed as the Confidentiality, Integrity and Availability Requirements

Priority Matrix (use the score as deployed, i.e. the environmental score, not the published base score):

CVSS Score    Safety Impact    Response Time
9.0-10.0      Any              24-48 hours
7.0-8.9       High             7 days
7.0-8.9       Low              30 days
4.0-6.9       Any              60 days
0.0-3.9       Any              Next release
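The assessment in 5.4.2 and the scoring above, carried through in code. This is an added example, not code from the page or from the MITRE rubric: it implements the base, temporal and environmental equations of the CVSS v3.1 specification and the response-window matrix above, and feeds them the 9.8 base vector NVD publishes for CVE-2021-3711. The temporal values (E:P, RL:O, RC:C), the Physical modified attack vector standing in for the air gap, and all function names are assumptions made for illustration.

```python
"""Score the worked assessment above with the CVSS v3.1 equations.

Added illustration for this page, not the page's own code. It implements the
base, temporal and environmental equations of the CVSS v3.1 specification
(section 7.4) and the response-window matrix above. The rubric step is the
choice of modified metrics: an air-gapped device becomes MAV:P (Physical);
the published base score is never edited.
"""
import math

# Metric weights from the CVSS v3.1 specification.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},   # Privileges Required, keyed by scope
      "C": {"N": 0.85, "L": 0.68, "H": 0.5}}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}             # CR / IR / AR
E = {"X": 1.0, "U": 0.91, "P": 0.94, "F": 0.97, "H": 1.0}   # Exploit Code Maturity
RL = {"X": 1.0, "O": 0.95, "T": 0.96, "W": 0.97, "U": 1.0}  # Remediation Level
RC = {"X": 1.0, "U": 0.92, "R": 0.96, "C": 1.0}             # Report Confidence
BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


def roundup(x):
    """CVSS v3.1 Roundup (appendix A): smallest one-decimal value >= x,
    done on integers so float error cannot turn 6.07 into 6.0."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def parse_vector(vector):
    """Turn 'CVSS:3.1/AV:N/AC:L/...' into {metric: value}."""
    if not vector.startswith("CVSS:3.1/"):
        raise ValueError("only CVSS v3.1 vectors are handled")
    metrics = dict(part.split(":", 1) for part in vector.split("/")[1:])
    missing = [k for k in BASE_METRICS if k not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def _subscores(av, ac, pr, ui, scope, c, i, a, cr=1.0, ir=1.0, ar=1.0, modified=False):
    """Impact and exploitability sub-scores. `modified` selects the
    environmental variants (0.915 cap, 0.9731 factor, exponent 13)."""
    iss = 1 - (1 - CIA[c] * cr) * (1 - CIA[i] * ir) * (1 - CIA[a] * ar)
    if modified:
        iss = min(iss, 0.915)
    if scope == "U":
        impact = 6.42 * iss
    elif modified:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploitability = 8.22 * AV[av] * AC[ac] * PR[scope][pr] * UI[ui]
    return impact, exploitability


def _combine(impact, exploitability, scope, temporal=1.0):
    """Base, temporal or environmental combination; temporal=1.0 gives the base."""
    if impact <= 0:
        return 0.0
    raw = impact + exploitability
    if scope == "C":
        raw *= 1.08
    return roundup(roundup(min(raw, 10)) * temporal)


def score(vector):
    """Base, temporal and environmental scores for a v3.1 vector.
    Modified metrics that are absent or 'X' fall back to the base value."""
    m = parse_vector(vector)
    get = lambda k: m.get(k, "X")
    temporal = E[get("E")] * RL[get("RL")] * RC[get("RC")]
    imp, expl = _subscores(*(m[k] for k in BASE_METRICS))
    mod = lambda k: m["M" + k] if get("M" + k) != "X" else m[k]
    mimp, mexpl = _subscores(*(mod(k) for k in BASE_METRICS),
                             cr=REQ[get("CR")], ir=REQ[get("IR")],
                             ar=REQ[get("AR")], modified=True)
    return {"base": _combine(imp, expl, m["S"]),
            "temporal": _combine(imp, expl, m["S"], temporal),
            "environmental": _combine(mimp, mexpl, mod("S"), temporal)}


def response_window(cvss, safety_impact):
    """The priority matrix above; safety impact only splits the 7.0-8.9 band."""
    if cvss >= 9.0:
        return "24-48 hours"
    if cvss >= 7.0:
        return "7 days" if safety_impact == "High" else "30 days"
    if cvss >= 4.0:
        return "60 days"
    return "Next release"


def assess(vector, safety_impact):
    """Scores plus the response window, driven by the score as deployed."""
    s = score(vector)
    s["response"] = response_window(s["environmental"], safety_impact)
    return s


# Constructed worked example: the 9.8 base vector NVD lists for CVE-2021-3711,
# re-scored for an air-gapped device (MAV:P). E:P (public proof of concept) is
# an assumption for illustration; RL:O reflects the released 1.1.1l fix.
NVD_VECTOR = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
DEPLOYED_VECTOR = NVD_VECTOR + "/E:P/RL:O/RC:C/MAV:P"

if __name__ == "__main__":
    print(assess(NVD_VECTOR, "High"))       # environmental 9.8 -> 24-48 hours
    print(assess(DEPLOYED_VECTOR, "High"))  # environmental 6.1 -> 60 days
```

Run as-is, the air-gapped deployment scores 6.1 (Medium) against a published 9.8, which moves the response from 24-48 hours to 60 days. Nothing about the base score changed; the air gap is recorded as a modified metric, which is what makes it an explicit, reviewable assumption rather than a silent downgrade, and it has to be revisited the moment the device gains a network interface.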

For a deeper look at adapting CVSS scoring to medical devices, see Medical device risk assessment using CVSS.
