CyberMed

Chapter 3: Security by Design · Section 3.7

Security Risk Assessment

3.7.1 From Threats to Risks

While threat modeling identifies what could go wrong, risk assessment determines:

  • How likely is it to happen?
  • What's the impact if it does?
  • Is the risk acceptable?
  • What controls are needed?

3.7.2 Risk Assessment Components

According to AAMI TIR57, security risk has three components:

Risk = f(Threats, Vulnerabilities, Impacts)

Where:

  • Threats: Who might attack and why
  • Vulnerabilities: Weaknesses they could exploit
  • Impacts: Harm that could result

3.7.3 Using CVSS for Medical Devices

The Common Vulnerability Scoring System (CVSS) provides standardized vulnerability scoring. The MITRE CVSS Rubric for Medical Devices adapts CVSS scoring to healthcare:

Base Metrics:

  • Attack Vector (Network, Adjacent, Local, Physical)
  • Attack Complexity (Low, High)
  • Privileges Required (None, Low, High)
  • User Interaction (None, Required)

Impact Metrics:

  • Confidentiality Impact
  • Integrity Impact
  • Availability Impact

Temporal Metrics:

  • Exploit Code Maturity
  • Remediation Level
  • Report Confidence

Environmental Metrics (Medical Device Specific):

  • Collateral Damage Potential
  • Target Distribution
  • Safety Impact

3.7.4 Integrating with Safety Risk Management

Security risks often become safety risks. Per ISO 14971 and ANSI/AAMI SW96:

Security → Safety Transfer:

  1. Identify security risks that could cause harm
  2. Transfer to safety risk management process
  3. Apply ISO 14971 risk controls
  4. Verify effectiveness

Example Transfers:

  • Authentication bypass → Unauthorized therapy changes → Patient harm
  • DoS attack → Device unavailable → Delayed treatment
  • Data tampering → Wrong diagnosis → Incorrect treatment

3.7.5 Risk Evaluation and Treatment

For each identified risk:

Evaluate Severity:

  • Patient impact (death, injury, discomfort)
  • Number affected (single, multiple)
  • Data impact (privacy, integrity)

Assess Likelihood:

  • Attack difficulty
  • Attacker motivation
  • Vulnerability exposure
  • Existing controls

Determine Treatment:

  • Eliminate (remove feature)
  • Reduce (add controls)
  • Transfer (insurance, warnings)
  • Accept (document rationale)
