The Risk Scoring System for Medical Devices (RSS-MD) provides a means to characterize identified vulnerabilities and numerically score the potential severity. The two main components include functional impact on delivery of patient therapy and vulnerability characterization. Please review the technical specification guide for insight into the composition of the scoring algorithm and how the RSS-MD supports risk management.
Select Ratings below to calculate Scoring. Definitions are listed below in Rating Descriptions.
| Functional Impact | Rating |
|---|---|
| Impact Category | |
| Scope of Impact | |
| Vulnerability Characterization | |
| Attack Vector | |
| Complexity | |
| Privileges Required | |
| User Interaction | |
| Duration | |
| Exploit Chain | |
| Confidentiality | |
| Integrity | |
| Availability | |
| Scoring | |
| Functional Impact Score | 0 |
| Vulnerability Score | 0 |
| Total Score | 0.0 |
Ratings can be updated below by clicking on a desired row. Any selections made below will update the Scoring and be reflected in the Results Table.
| Impact Category | This metric reflects the impact that an exploit of the identified vulnerability would have on delivery of patient therapy. |
|---|---|
| No Rating Selected (IC:NR) | The Impact Category is not included in the rating. Please select a rating to ensure completeness of the scoring. |
| Potential to impact supporting systems (IC:SS) | The targeted system supports patient care. Impact to the system does not have an immediate impact on delivery of patient therapy or diagnosis. |
| Potential to impact diagnosis (IC:D) | The targeted system supports medical diagnosis in support of patient care. Impact to the system may alters the physician's ability to adequately diagnose medical conditions. |
| Potential to impact patient therapy (IC:T) | The targeted system is important to delivery of patient care. Impact to the system may result in negative consequences to delivery of patient therapy. |
| Direct potential to cause patient safety event (IC:SE) | The targeted system is vital to delivery of patient care. Impact to the system may result in a patient safety event that could cause harm or death to the patient. |
| Scope of Impact | This metric reflects the number of assets effected by an instance of exploiting the vulnerability. |
| No Rating Selected (SI:NR) | The Scope of Impact is not included in the rating. Please select a rating to ensure completeness of the scoring. |
| Single (SI:S) | Triggering an exploit for the vulnerability affects a single susceptible system. |
| Multi (SI:M) | Triggering an exploit for the vulnerability affects multiple susceptible systems. |
| All (SI: A) | Triggering an exploit for the vulnerability affects all susceptible systems. |
| Attack Vector | This metric reflects the context by which vulnerability exploitation is possible. This metric value will be larger the more remote an attacker can be in order to exploit the vulnerable component. |
| No Rating Selected (AV:NR) | The Attack Vector is not included in the rating. Please select a rating to ensure completeness of the scoring. |
| Local (AV:L) | A vulnerability exploitable with direct access to the target system that may require the attacker to physically touch or manipulate the vulnerable component. |
| Adjacent (AV:A) | A vulnerability exploitable from an authorized system or a system that has authorized/direct access to the target system. |
| Remote (AV:R) | A vulnerability exploitable through an external access point. |
| Complexity | This metric describes the degree of difficulty associated with developing or implementing an exploit for the vulnerability. Factors to consider include amount of publicly available information, maturity of any exploit code, and vendor remediation level. |
| No Rating Selected (CX:NR) | The Complexity is not included in the rating. Please select a rating to ensure completeness of the scoring. |
| High (CX:H) | Limited information is available to the public and there is no known automated or demonstration of exploit code. |
| Medium (CX:M) | General information is available to the public. A proof of concept exploit is available or the effect has been demonstrated. |
| Low (CX:L) | Information is openly available to the public and working exploit code exists. |
| Privileges Required | This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. This metric is greater if no privileges are required. |
| No Rating Selected (PR:NR) | The Privileges Required is not included in the rating. Please select a rating to ensure completeness of the scoring. |
| High (PR:H) | The attacker requires privileges that provide significant control over the vulnerable component. |
| Low (PR:L) | The attacker requires standard privileges that provide general authorization to the vulnerable component. |
| None PR:N | The attacker is unauthorized prior to attack, and therefore does not require any access to carry out an attack. |
| User Interaction | This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. This metric value is greater when no user interaction is required. |
| No Rating Selected (UI:NR) | The User Interaction is not included in the rating. Please select a rating to ensure completeness of the scoring. |
| Required (UI:R) | Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. |
| None (UI:N) | The vulnerable system can be exploited without interaction from any user. |
| Duration | This metric captures the ability of an exploit to remain effective against a targeted system. Exploitation of vulnerabilities that remain persistent are generally more concerning than temporal effects. |
| No Rating Selected (D:NR) | The Duration is not included in the rating. Please select a rating to ensure completeness of the scoring. |
| Volatile (D:V) | The attack has a one-time effect or minimal ability to remain persistent. |
| Persistent (D:P) | A single instantiation of an attack has a sustained ability to create an effect (e.g., installed malware that remains effective even after a power cycle). |
| Exploit Chain | This metric identifies if a complete exploit chain exists that permits an attacker to fully execute the attack. |
| No Rating Selected (EC:NR) | The Exploit Chain is not included in the rating. Please select a rating to ensure completeness of the scoring. |
| Controlled (EC:C) | Cybersecurity protection mechanisms are in place to prevent the realization of a full exploit chain against identified vulnerabilities. |
| Uncontrolled (EC:U) | Cybersecurity protection mechanisms are not available to prevent the full exploit chain against an identified vulnerability. |
| Confidentiality | This metric measures the system-level impact to the confidentiality due to a successfully exploited vulnerability. Confidentiality refers to limiting information/data access and disclosure to only authorized assets, as well as preventing access by, or disclosure to, unauthorized ones. |
| No Rating Selected (CF:NR) | The Confidentiality is not included in the rating. Please select a rating to ensure completeness of the scoring. |
| None (CF:N) | There is no loss of confidentiality within the impacted component. |
| Low (CF:L) | There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. |
| High (CF:H) | There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. |
| Integrity | This metric measures the system-level impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness of data and information. |
| No Rating Selected (I:NR) | The Integrity is not included in the rating. Please select a rating to ensure completeness of the scoring. |
| None (I:N) | There is no loss of integrity within the impacted component. |
| Low (I:L) | Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. |
| High (I:H) | There is a total loss of integrity. |
| Availability | This metric measures the system-level impact to the availability of the impacted component resulting from a successfully exploited vulnerability. |
| No Rating Selected (A:NR) | The Availability is not included in the rating. Please select a rating to ensure completeness of the scoring. |
| None (A:N) | There is no impact to availability within the impacted component. |
| Low (A:L) | There is reduced performance or interruptions in resource availability. |
| High (A:H) | There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component. |
Copyright 2024 © QED Secure Solutions. All rights reserved.