Vulnerability Scoring - Suitable Rubrics

Vulnerability Scoring - Suitable Rubrics

January 9, 2020 | Posted by Chris Gates

Welcome to the final installment in our series on scoring vulnerabilities in medical device designs. In this post, we’ll look at two rubrics that are suitable for design evaluations, and conclude with brief thoughts about the work that is still needed before the medical device industry can cohere around a single vulnerability scoring standard.


This rubric (Common Vulnerability Scoring System) is an example of a rubric that is simple to perform yet returns a final composite score based on appropriately weighted attributes. This rubric requires a quantity of 7 attributes to be assigned to each vulnerability before a base metric can be computed. “Severity” is supported in the form of “Collateral Damage,” which allows for flexibility in supporting impacts to “patient safety and efficacy” and well as “business risks.” Detailed CVSS v2 information can be found here.

Billy Rios & DHS’s RSS-MD

This rubric is a medical device variant of CVSS. It is a good rubric to utilize for design-phase vulnerabilities with one minor exception – it has an attribute called “Scope of Impact,” which would not be relevant at the time of a medical device’s design. This unneeded attribute can be easily set to “All” for each of the discovered vulnerabilities, which produces a minimal impact on the final calculated score.

Because of its close relationship with CVSS, this rubric also shares some of its shortcomings, such as poorly defined “Attack Vector” settings.

This rubric also focuses exclusively on patient safety impacts and is unable to account for other types of negative impacts, such as financial and reputational (i.e., “Business risks”).

This patient focus also excludes the utilization of the medical device under attack as a pivot point into a network with a larger attack surface. This rubric requires a quantity of 11 attributes to be assigned to each vulnerability before a base metric can be computed.

However, even considering these limitations, this rubric should still be considered a viable candidate for scoring design time vulnerabilities. Detailed RSS-MD information can be found here.


Having reviewed the suitability of various vulnerability/threat scoring rubrics, we’ve selected two as usable for medical device design scoring.

It should be noted, however, that most of these rubrics were not developed specifically with application to medical devices, and none were designed to score design vulnerabilities during a secure development lifecycle. So, while it is possible to utilize CVSS v2 and RSS-MD for medical device design vulnerability scoring by slightly broadening one’s interpretation of some of the scoring attributes, further standardization work needs to be performed before the medical device industry will have a formalized rubric well-suited for this purpose. This work includes: developing a rubric specifically for evaluating medical device designs; flexibility and proper weighting to account for vulnerabilities typical of embedded devices, such as portable and home use devices, rather than trying to stretch MIS/IT approaches to fit; and robust “Severity” metrics that account both for risks to patient (safety and efficacy) as well as potential threats to the medical device manufacturer’s business model (reputation and profitability).

To learn more about how Velentium assists medical device manufacturers with their cybersecurity needs, including:

  • Training;
  • Conducting vulnerability assessments on device designs;
  • Recommending and implementing mitigation solutions;
  • Assisting with premarket submissions to the FDA and other regulatory bodies worldwide; or
  • Postmarket monitoring and support services,

Give us a shout! Chris and his team would be glad to help.


Get Started On Your Next Project