FDA Cybersecurity risk assessment


Hi! I'm new to medical device cybersecurity. I'm having trouble trying to comply with the FDA's cybersecurity requirements. Can someone help me with these problems?

1) FDA cybersecurity guidance section 2 mentions that "security risk assessment processes focus on exploitability or the ability to exploit vulnerabilities present within a device and/or system"; and "the methods used for transferring security risks into the safety risk assessment process should also be provided as part of the premarket submission".

2) Standard AAMI TIR 57 section 4.4 references standard NIST SP800-30, and ANSI/AAMI SW96:2023 section B.7 mentions that CVSS and NIST SP800-30 are the most common security risk management approaches.

3) Standard IEC 81001-5-1 section 7.3 mentions that "a) estimate the risk of the vulnerabilities above. Risk estimation is done considering the adverse impact of that vulnerability to cybersecurity. This estimation can be supported by using vulnerability scoring, such as CVSS".

I have the following questions about these:
1. Can both CVSS and NIST SP800-30 be used for cybersecurity risk assessment? If CVSS can be used, as it is a way to assess severity, why can it be used for cybersecurity risk assessments that focus on exploitability?

2. If using CVSS for assessment, do we need to give a CVSS score to each cybersecurity risk? Or do we just need to give CVSS scores to vulnerabilities? Is the following evaluation table OK?
Risk ID | Vulnerability | Threat | Cybersecurity Impact | CVSS score pre | Cybersecurity Risk Control Measures | CVSS score post | Risk arising from mitigation action | SAFETY RISK? *

3. How do we establish cybersecurity risk criteria? For the CVSS approach, do we need to select a certain CVSS score as the risk criterion? For example, a CVSS score below 7, as it corresponds to moderate severity?

4. How can security risks be transferred to the safety risk assessment process, and what methods can be used? When assessing a safety risk transferred from the security risk process, can we set the probability to 1 and consider the harm to be loss of data integrity/confidentiality/availability?


Trusted Information Resource
Forgive me if I don't work through your questions in the precise order you presented them, or address them with the level of specificity you asked for.

Some of what will provide the most value will depend on the nature of the medical device. My preference is to start with the CIA model (*1), and basically treat all the risks with "probability of hazardous situation occurring" as 1.0... as you write in (#4), I'd treat them like every other hazardous situation in a Software Hazard Analysis.

I would use CVSS in two different ways:
  1. To identify what the tool recognizes as areas of risk
  2. To help prioritize the identified areas of risk (in a relative way)
I would avoid trying to use CVSS as a measuring stick for absolute risk assessments (#3). Treat each item as something requiring a risk control and an individual assessment of risk. This should drive the sort of critical thinking that should make the device safer. As a practical matter: CVSS scores can change over time. I personally don't have much faith that a product development team will be regularly (say... at each periodic risk review) explicitly revisiting CVSS analysis.

I have absolutely no sense of how hard FDA reviewers are currently looking at cybersecurity. My guess is that they are looking for anything, possibly in a "check-the-box" mode. Reviewers may have some specific guidance/training but I have no reason to believe this.

If *I* was reviewing a bunch of submission packets (for medical devices containing software), I would approach them applying some elements of triage (specifically for cybersecurity):
  • Where is the device on the "open<->closed" spectrum?
  • What are the interfaces of the system?
  • Are any of the CIA elements appearing in the risk files?
  • Did the software development process address cybersecurity at all?
I would expect to be able to find the answers to those questions from a submission in under an hour... and then circle back to a more complete assessment later. If the submission doesn't include information that allows me to know those answers quickly... I would expect reviewers to send back some questions.

(*1) The CIA model doesn't have to be used, but it is a common framework and AFAIK all negative outcomes can be sorted into areas of Confidentiality, Integrity or Availability.