May 24, 2017


  • The recent WannaCry ransomware attack on health systems has illustrated the need for more comprehensive cybersecurity risk management tools for medical devices.
  • One tool under development, ISOSCELES, would provide a platform in which a device’s core clinical functions are kept separate from its more exposed networking components.
  • Another tool, CVSS, may prove useful as a scoring system that lets medical device manufacturers and users determine which cybersecurity vulnerabilities are more critical than others.

The US Food and Drug Administration’s latest workshop on medical device cybersecurity issues, held May 18 and 19, 2017, made clear the myriad challenges involved in mitigating this risk, and that no easy or quick fixes are yet available to help manufacturers and other stakeholders address them.

That said, some speakers at the workshop discussed near- and longer-term projects underway that could go beyond current patchwork efforts and provide more robust and comprehensive cybersecurity safeguards. With the recent WannaCry ransomware attack on health systems in multiple countries still fresh in workshop attendees’ minds, the need for such projects was acute and demonstrable.

The ISOSCELES platform for medical devices

One such project, ISOSCELES (Intrinsically Secure, Open, and Safe Control of Essential Layers), is being developed by Minneapolis, Minn.-based Adventium Labs under an initiative by the US Department of Homeland Security to boost cybersecurity for critical technologies and systems.

Todd Carpenter, Chief Engineer at Adventium Labs, spoke at the workshop about ISOSCELES; the project aims to launch a medical device platform that meets all relevant FDA regulatory and security requirements, and that manufacturers can incorporate into their individual proprietary designs.

Carpenter explained that a key aspect of ISOSCELES will be to provide a layer of separation between a medical device’s core clinical function and the components it uses to network with other devices and systems, so that a compromise of the networking side does not directly reach the functions that treat the patient.

CVSS: More accurate device vulnerability scoring

Another potential avenue to better address medical device cybersecurity was presented by Penny Chase, Information Technology and Cyber Security Integrator, and Steve Christey Coley, Principal Information Security Engineer at MITRE Corporation.

Chase and Christey Coley discussed efforts to apply the Common Vulnerability Scoring System, or CVSS, a framework maintained by the Forum of Incident Response and Security Teams (FIRST) for rating the severity of software vulnerabilities. Using CVSS, medical device manufacturers and healthcare providers may be able to prioritize the cybersecurity risks and vulnerabilities they face and determine which vulnerabilities most urgently require mitigation, according to the MITRE officials.

The key benefit CVSS would bring to the medical device sector, argued Chase and Christey Coley, will be the ability for healthcare providers and practitioners to rank and act upon device security issues according to the level of risk each issue poses to users and patients; this more nuanced approach should help reduce the impact of cybersecurity risks without affecting devices’ treatment capabilities.

Perpetual catch-up?

Work on both ISOSCELES and CVSS for medical devices and systems is ongoing. Cybersecurity risk mitigation will remain a moving target, but the more comprehensive scope of these projects should give manufacturers, healthcare providers, regulators and patients more effective means of combating this ever-evolving problem.

  • Stewart Eisenhart