Robert Sayle: CVSS Scores Can Help Short-Circuit Risk Determination Process

Note: A version of this post appeared as the Final Word article in the January/February 2020 issue of BI&T.

Assessing a security vulnerability’s risk to a healthcare delivery organization’s (HDO’s) systems could be a lot easier.

When a medical device manufacturer, for example, publishes a vulnerability, think about what it takes to determine if the problem represents a grave risk to patient safety and needs immediate attention versus something that can wait for normal maintenance cycles. Imagine if there was a simple way to communicate the healthcare implications of a vulnerability. Luckily, there is (well, almost).

In 2004, the National Infrastructure Advisory Council (NIAC) launched the Common Vulnerability Scoring System (CVSS), an open framework for evaluating and communicating the severity of security flaws. For any given vulnerability, a CVSS score ranges from 1 to 10. The higher the score, the worse the vulnerability. NIAC contracted to manage the CVSS process, which has since been adopted by the National Institute of Standards and Technology. CVSS scores are publicly available in the National Vulnerability Database (NVD), which includes a very-easy-to-use search utility.

CVSS scores center around three primary metric groups:

  1. Base: Qualities of a vulnerability that are constant over time and across user environments.
  2. Temporal: Characteristics of a vulnerability that change over time.
  3. Environmental: Characteristics of a vulnerability that are unique to a user’s environment.

Each primary metric contains submetrics for stricter inspection. For example, the Environmental metric includes assessment of confidentiality, integrity, and availability—three metrics that are vital to determining whether a flaw affects protected health information (PHI) or an HDO’s operation.

Although most device manufacturers have embraced CVSS, the problem is that it’s not specific to the language of healthcare. For example, confidentiality could mean quite a few things, but for an HDO, wouldn’t you want to know if it means an attack on PHI? The Food and Drug Administration recognized the same shortcomings with CVSS and hired the MITRE Corporation to help close the gap.

This past September, MITRE published a Rubric for Applying CVSS to Medical Devices, which is a great step in the right direction. The rubric represents a workflow that healthcare equipment and software manufacturers can use to score the vulnerabilities they need to report. For each base and submetric, the rubric provides healthcare-related questions that make it easy to determine what values should be assigned. It includes textual workflows and flow charts, as well as lists healthcare-specific examples for guidance. It is currently in draft form and open for commenting, so please feel free to send ideas to the working group that MITRE assembled at

The wonderful thing about CVSS is that it’s extensible. Imagine how much easier it would be to evaluate the impact of a vulnerability on your organization if a set of healthcare metrics existed. Suppose there was a “Healthcare” extension. Now envision what the submetrics of what Healthcare might be (e.g., Patient Safety, PHI, HDO Reputation).

These metrics don’t need to necessarily change the way CVSS scores a vulnerability. In fact, they don’t have to change the algorithm for assigning a score whatsoever. What they should do, though, is help HDOs short-circuit the process required to determine their risk.

Robert Sayle, CCIE security emeritus, is a technical solutions architect for Cisco Systems, Inc., in Irvine, CA, and a member of the BI&T Editorial Board. Email:; Twitter: @Bob_in_IT

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s