Step 1: Asset Inventory
List all assets and/or security signals related to the medical device’s intended use and essential clinical performance in the device’s operating environment (Use Case) that require protection. These assets may vary based on the device’s user profile and/or operating environment profile (i.e., mode of operation or state). An asset may be tangible (e.g., a physical item such as hardware, firmware, computing platform, network device, or other technology component) or intangible (e.g., humans, data, information, software, capability, function, service, trademark, copyright, patent, intellectual property, image, or reputation). Together, these profiles are often considered the device’s Protection Profile. From these characteristics, the appropriate protections are engineered to provide the requisite system security performance and effectiveness and to control, to the extent reasonable and practical, asset loss and the associated consequences.
Step 2: Identify Threat Sources
Identify and evaluate all potential threat sources and their potential targets. These must be evaluated against the user and device profiles. Cyber threat sources refer to persons who attempt unauthorized access to a medical device, system, and/or network using a data communications pathway. This access can be directed from within a user facility by trusted users or from remote locations by unknown persons using the internet. If a threat source were to exploit a device vulnerability, then the threat could potentially adversely impact the essential clinical performance of the device.
Step 3: Identify Device Functions
Identify and evaluate all of the device functions that may be vulnerable to an attack. These must be evaluated against Essential Clinical Performance. Effective cybersecurity risk management is intended to reduce the risk to patients by decreasing the likelihood that device functionality is intentionally or unintentionally compromised by inadequate security.
Step 4: Identify Vulnerabilities
Identify and characterize device vulnerabilities based upon an evaluation of Threat Sources and the Device Functions. Select the assets and/or signals that have a potential vulnerability and describe the vulnerability in detail. Vulnerabilities should be identified within the context of a device’s user profile and/or operating environment profile. The presence of a vulnerability does not necessarily trigger patient safety concerns. Rather, it is the impact of the vulnerability on the essential clinical performance of the device that may trigger patient safety concerns. Regardless of whether the vulnerability impacts essential clinical performance or not, all vulnerabilities should be characterized for future impact.
Step 5: Assess Vulnerabilities
Assess the likelihood of vulnerabilities being exploited and the vulnerability risk level using the industry-standard Common Vulnerability Scoring System (CVSS). If the vulnerability is already scored by a third-party source or the manufacturer of the component, then complete the scoring using the vendor-provided CVSS v3.0 vector string. More information on this scoring system is available from First.org.
An example of device vulnerability assessment is illustrated below.