Health-ISAC Medical Device Security Blog in TechNation
Written by Phil Englert, Health-ISAC VP of Medical Device Security
In the health care industry, ensuring the safety and efficacy of medical devices is paramount. Too often, cybersecurity focuses on vulnerabilities and, while vulnerability analysis is important, it is too narrow. Vulnerabilities are evaluated using the Common Vulnerability Scoring System (CVSS), which attempts to determine how dangerous a vulnerability is. This is useful information, but it considers the risk of the vulnerability within the component in which it resides rather than within the product as a whole. This limited view fails to consider the risks the vulnerability poses in a specific environment. Contextual factors such as asset importance, how the asset is used, or the controls in place, whether within the product or within the network, must also be considered when evaluating risk. Given these limitations, conducting a Medical Device Risk Impact Analysis (MDRIA) is a critical process that helps health care providers identify, assess and mitigate the risks associated with medical devices. This essay outlines the essential components of an MDRIA.