AMA #1: Security risk assessment and vulnerability monitoring
Launching a new Ask-Me-Anything (AMA) on Risk Management series to answer reader-submitted questions.
Dear colleagues, hello! 👋
I am super excited to launch a new AMA series to invite questions from you about medical device risk management.
Click on this button to submit your question. If your question is really unique, I will grant you 30-day complimentary access to premium content on Let's Talk Risk!
Recently, I received the following question:
Which Cybersecurity risk score matrix would you advise using when performing the security risk assessment in accordance with AAMI TIR 57? It would be really appreciated if you could also suggest a source for the common security vulnerability list for SaMD.
Although the question refers to a risk score matrix for cybersecurity, we will address it at a higher level of general information security. The cybersecurity element specifically applies to security of information susceptible to attacks via the internet.
The short answer to this question is to follow the guidance for risk assessments from NIST [1], especially the assessment scales for likelihood of occurrence (Appendix G), impact of threat events (Appendix H), and level of risk (Appendix I).
Another good resource for understanding how security risk management principles apply to medical devices is a technical report by AAMI [2], the Association for the Advancement of Medical Instrumentation. Annex E of this technical report provides a fully developed security risk evaluation for a fictional system to illustrate these principles. However, it does not provide a qualitative or semi-quantitative scale for assessing likelihood of occurrence, impact, or risk level; it refers the reader to NIST 800-30, referenced above.
The second part of this question asks about source(s) for monitoring common security vulnerabilities in software-based medical devices. The US FDA routinely publishes cybersecurity-related safety communications and other alerts on its website [3]. Another resource for monitoring reported vulnerabilities is the Known Exploited Vulnerabilities catalog maintained by the Cybersecurity and Infrastructure Security Agency (CISA) [4]. Sector-specific Information Sharing and Analysis Organizations (ISAOs) [5], such as Health-ISAC [6], provide a variety of services, including timely intelligence on threats, incidents and vulnerabilities, as well as an opportunity to network with other organizations to share information and best practices.
According to FDA's guidance document on postmarket management of cybersecurity in medical devices [7]:
"A cybersecurity signal is any information which indicates the potential for, or confirmation of, a cybersecurity vulnerability or exploit that affects, or could affect a medical device. A cybersecurity signal could originate from traditional information sources such as internal investigations, postmarket surveillance, or complaints, and/or security-centric sources such as CERTS (Computer/Cyber, Emergency Response/Readiness Teams), such as ICS-CERT [8], ISAOs [9], threat indicators, and security researchers. Signals may be identified within the HPH Sector. They may also originate in another critical infrastructure sector (e.g., defense, financial) but have the potential to impact medical device cybersecurity."
Therefore, it is a good idea to carefully list all relevant sources of information in your cybersecurity risk management plan. This is a fast-moving space, which makes it even more important to establish an effective postmarket surveillance process.
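As an added illustration (not code from the original post or from any of the cited documents) of how the two answers above fit together: the qualitative combination of likelihood (Appendix G) and impact (Appendix H) into a level of risk, as laid out in Table I-2 of NIST 800-30 Rev. 1, applied to CISA catalog entries that match a device's software components. The component inventory, the catalog records (which borrow only the real feed's field names) and the rule that a catalog listing implies a high or very high likelihood are constructed assumptions for this example.

```python
import json

# Qualitative scale shared by NIST SP 800-30 Rev. 1 Appendix G (likelihood) and Appendix H (impact).
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Table I-2 of NIST SP 800-30 Rev. 1: row = likelihood, column = impact (in LEVELS order),
# cell = resulting level of risk. Transcribed from the standard; verify against your own copy.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}

def risk_level(likelihood: str, impact: str) -> str:
    """Combine a likelihood rating and an impact rating into a level of risk per Table I-2."""
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]

# Constructed sample in the layout of CISA's KEV JSON feed. The field names match the real feed;
# the CVE ids, vendors and products are placeholders, not real catalog entries.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "ExampleVendor", "product": "ExampleRTOS",
     "knownRansomwareCampaignUse": "Known", "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-EXAMPLE-0002", "vendorProject": "OtherVendor", "product": "OtherDB",
     "knownRansomwareCampaignUse": "Unknown", "requiredAction": "Apply updates per vendor instructions."},
]})

# Constructed component inventory for a hypothetical SaMD product:
# (vendor, product) -> impact on the device if that component is compromised, rated per Appendix H.
DEVICE_COMPONENTS = {("ExampleVendor", "ExampleRTOS"): "High", ("ThirdVendor", "ThirdLib"): "Moderate"}

def kev_signals(kev_json: str, components: dict) -> list:
    """Return cybersecurity signals: catalog entries that match a device component, each with a risk level.
    Assumption: a catalog listing means active exploitation, so likelihood is rated 'Very High'
    when ransomware use is known and 'High' otherwise."""
    signals = []
    for v in json.loads(kev_json)["vulnerabilities"]:
        key = (v["vendorProject"], v["product"])
        if key not in components:
            continue  # vulnerability does not affect this device's software bill of materials
        likelihood = "Very High" if v.get("knownRansomwareCampaignUse") == "Known" else "High"
        signals.append({"cveID": v["cveID"], "component": key, "likelihood": likelihood,
                        "impact": components[key], "risk": risk_level(likelihood, components[key]),
                        "requiredAction": v["requiredAction"]})
    return signals

if __name__ == "__main__":
    for signal in kev_signals(KEV_SAMPLE, DEVICE_COMPONENTS):
        print(signal)  # each signal feeds the postmarket surveillance record for the device
```

In practice the catalog JSON would be fetched on a schedule and the component inventory taken from the device's software bill of materials; the matching here is exact on vendor and product, so normalise naming before relying on it.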
I hope you find value in the AMA feature and consider submitting your own questions!
In a future article, we will dig deeper into the security risk assessment process using the assessment scales provided in NIST 800-30. Join Let’s Talk Risk! now to stay updated.
[1] NIST SP 800-30, Revision 1: Guide for Conducting Risk Assessments, issued September 2012.
[2] AAMI TIR57:2016/(R)2019: Principles for medical device security - Risk management.
[3] FDA: Cybersecurity, webpage current as of 12/20/2023.
[6] Health-ISAC: Health Information Sharing and Analysis Center.
[7] FDA: Postmarket Management of Cybersecurity in Medical Devices, issued December 28, 2016.
[8] ICS-CERT: Industrial Control Systems Cyber Emergency Response Team.