CyberMed

Security Risk Assessment

Security by Design · 2 min read

Security risk assessment takes the threats you identified during threat modeling and answers whether each one is acceptable: how likely it is, how bad the impact would be, and what controls bring it within your acceptance criteria. For medical devices, AAMI TIR57 and ANSI/AAMI SW96 define the process.

3.7.1 From Threats to Risks

While threat modeling identifies what could go wrong, risk assessment determines:

  • How likely is it to happen?
  • What's the impact if it does?
  • Is the risk acceptable?
  • What controls are needed?

3.7.2 Risk Assessment Components

According to AAMI TIR57, security risk has three components:

Risk = f(Threats, Vulnerabilities, Impacts)

Where:

  • Threats: Who might attack and why
  • Vulnerabilities: Weaknesses they could exploit
  • Impacts: Harm that could result

3.7.3 Using CVSS for Medical Devices

The Common Vulnerability Scoring System (CVSS) provides standardized vulnerability scoring. It's maintained by FIRST, which released the current version, CVSS v4.0, in November 2023. The MITRE CVSS Rubric for Medical Devices adapts this for healthcare:

Base Metrics:

  • Attack Vector (Network, Adjacent, Local, Physical)
  • Attack Complexity (Low, High)
  • Privileges Required (None, Low, High)
  • User Interaction (None, Required)

Impact Metrics:

  • Confidentiality Impact
  • Integrity Impact
  • Availability Impact

Temporal Metrics:

  • Exploit Code Maturity
  • Remediation Level
  • Report Confidence

Environmental Metrics (Medical Device Specific):

  • Collateral Damage Potential
  • Target Distribution
  • Safety Impact

For a worked application of these metrics, see Medical device risk assessment using CVSS.

3.7.4 Integrating with Safety Risk Management

Security risks often become safety risks. Per ISO 14971 and ANSI/AAMI SW96:

Figure: Relationship between security risk and safety risk assessment per ISO 14971 and AAMI SW96

Security → Safety Transfer:

  1. Identify security risks that could cause harm
  2. Transfer to safety risk management process
  3. Apply ISO 14971 risk controls
  4. Verify effectiveness

Example Transfers:

  • Authentication bypass → Unauthorized therapy changes → Patient harm
  • DoS attack → Device unavailable → Delayed treatment
  • Data tampering → Wrong diagnosis → Incorrect treatment

3.7.5 Risk Evaluation and Treatment

For each identified risk:

Evaluate Severity:

  • Patient impact (death, injury, discomfort)
  • Number affected (single, multiple)
  • Data impact (privacy, integrity)

Assess Likelihood:

  • Attack difficulty
  • Attacker motivation
  • Vulnerability exposure
  • Existing controls

Determine Treatment:

  • Eliminate (remove feature)
  • Reduce (add controls)
  • Transfer (insurance, warnings)
  • Accept (document rationale)

For the specific checks FDA reviewers run against a finished assessment, see 12 essential FDA cybersecurity risk assessment rules.
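The following is an added example, not code from the CyberMed page and not an implementation of AAMI TIR57, SW96 or ISO 14971, that turns sections 3.7.4 and 3.7.5 into a checkable procedure: each security risk carries a severity and likelihood, gets a risk region from an acceptance matrix, is re-evaluated with only the controls whose effectiveness has been verified, and its chosen treatment is validated (a risk that can cause patient harm must carry a reference into the safety risk management process, and "Accept" requires a documented rationale). The severity and likelihood scales, the matrix thresholds, the hazard references such as HAZ-017 and the three sample risks are all constructed for illustration, loosely following the page's example transfers.

```python
"""Security risk evaluation and treatment check.

Added example, not from the CyberMed page or any standard. The scales,
acceptance matrix, hazard references and sample risks are constructed.
"""
from dataclasses import dataclass, field

# Constructed ordinal scales, lowest to highest.
SEVERITY = ["negligible", "minor", "serious", "critical", "catastrophic"]
LIKELIHOOD = ["improbable", "remote", "occasional", "probable", "frequent"]


def risk_region(severity: str, likelihood: str) -> str:
    """Constructed acceptance matrix: index = severity rank x likelihood rank."""
    idx = (SEVERITY.index(severity) + 1) * (LIKELIHOOD.index(likelihood) + 1)
    if idx >= 12:
        return "unacceptable"
    if idx >= 6:
        return "tolerable"      # must still be reduced where practicable
    return "acceptable"


@dataclass
class Control:
    name: str
    likelihood_reduction: int   # likelihood levels the control removes
    verified: bool = False      # step 4 of the transfer: verify effectiveness


@dataclass
class SecurityRisk:
    threat: str
    vulnerability: str
    impact: str
    patient_harm: bool          # True -> belongs in the safety process too
    severity: str
    likelihood: str
    treatment: str              # eliminate | reduce | transfer | accept
    rationale: str = ""
    safety_transfer_ref: str = ""   # id of the hazard record in the ISO 14971 file
    controls: list = field(default_factory=list)


def residual_likelihood(risk: SecurityRisk) -> str:
    """Only verified controls lower the likelihood; unverified ones are ignored."""
    i = LIKELIHOOD.index(risk.likelihood)
    for c in risk.controls:
        if c.verified:
            i -= c.likelihood_reduction
    return LIKELIHOOD[max(i, 0)]


def evaluate(risk: SecurityRisk) -> dict:
    """Compute initial and residual risk and list every gap in the treatment."""
    initial = risk_region(risk.severity, risk.likelihood)
    residual = risk_region(risk.severity, residual_likelihood(risk))
    if risk.treatment == "eliminate":
        residual = "acceptable"         # feature removed, hazard gone
    findings = []
    if risk.patient_harm and not risk.safety_transfer_ref:
        findings.append("transfer to safety risk management (ISO 14971) not recorded")
    if risk.treatment == "accept" and not risk.rationale:
        findings.append("acceptance requires documented rationale")
    if residual == "unacceptable":
        findings.append("residual risk unacceptable: add controls or eliminate feature")
    unverified = [c.name for c in risk.controls if not c.verified]
    if unverified:
        findings.append("controls not yet verified: " + ", ".join(unverified))
    return {"initial": initial, "residual": residual,
            "findings": findings, "ok": not findings}


# Constructed sample risks, modelled on the page's example transfers.
AUTH_BYPASS = SecurityRisk(
    "remote attacker", "authentication bypass", "unauthorized therapy changes",
    patient_harm=True, severity="catastrophic", likelihood="occasional",
    treatment="reduce", safety_transfer_ref="HAZ-017",
    controls=[Control("mutual authentication", 2, verified=True)])

DOS = SecurityRisk(
    "remote attacker", "unauthenticated flood", "device unavailable, delayed treatment",
    patient_harm=True, severity="serious", likelihood="probable",
    treatment="accept")          # no rationale, no safety transfer: should fail

TAMPER = SecurityRisk(
    "insider", "unsigned telemetry", "wrong diagnosis, incorrect treatment",
    patient_harm=True, severity="critical", likelihood="remote",
    treatment="reduce", safety_transfer_ref="HAZ-023",
    controls=[Control("signed telemetry", 1, verified=False)])

if __name__ == "__main__":
    for r in (AUTH_BYPASS, DOS, TAMPER):
        print(r.vulnerability, "->", evaluate(r))
```

The point of separating initial from residual risk is that the treatment decision is judged on the residual value, and the residual value only credits controls whose effectiveness has actually been verified; an unverified control leaves the risk where it was, which is what step 4 of the security-to-safety transfer requires.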
