Cybersecurity risk assessment is a systematic process of identifying, analyzing, and evaluating potential threats and vulnerabilities that could compromise the confidentiality, integrity, or availability of an organization’s information assets.

Several topics related to cybersecurity have already been discussed within 4EasyReg, including asset management, vulnerability management and ISO 27001. In this article, we will dig into the cybersecurity risk assessment, with a particular focus on the techniques typically used for the assessment of security risks. 

Regulatory Framework for Cybersecurity Risk Management 

Several standards, guidelines, and regulations provide frameworks for performing cybersecurity risk assessments. Some of the most prominent ones include:

NIST Cybersecurity Framework (CSF): Developed by the National Institute of Standards and Technology (NIST), the CSF provides a voluntary framework for organizations to manage and reduce cybersecurity risks. Version 1.1 outlines five core functions: Identify, Protect, Detect, Respond, and Recover; version 2.0 (released in 2024) adds a sixth, Govern. The functions can be tailored to an organization’s specific needs.

ISO/IEC 27001: This international standard provides requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It includes a risk management process that encompasses risk assessment and treatment based on the organization’s information security objectives and risk tolerance.

NIST Special Publication 800-30: This NIST publication (Rev. 1, “Guide for Conducting Risk Assessments”) provides guidance on conducting risk assessments for federal information systems. It positions risk assessment within the broader risk management process defined in NIST SP 800-39, which comprises risk framing, risk assessment, risk response, and risk monitoring.

ISACA’s Risk IT Framework: Developed by ISACA, this framework provides guidance on aligning IT risk management with enterprise risk management. It focuses on identifying, assessing, and managing IT-related risks to support business objectives.

PCI DSS (Payment Card Industry Data Security Standard): This standard applies to organizations that handle payment card data. It includes requirements for conducting risk assessments to identify threats and vulnerabilities that could affect the security of cardholder data.

GDPR (General Data Protection Regulation): While GDPR is primarily focused on data protection and privacy, it requires organizations to implement appropriate technical and organizational measures to ensure the security of personal data. This includes conducting risk assessments to identify and mitigate potential security risks.

HIPAA (Health Insurance Portability and Accountability Act): HIPAA regulations require covered entities and business associates to conduct risk assessments to identify potential risks to the confidentiality, integrity, and availability of protected health information (PHI).

Overview of Cybersecurity Risk Management 

The process of cybersecurity risk management involves various components, namely framing risk, assessing risk, responding to risk, and monitoring risk. Framing risk, the initial step in risk management, involves establishing a context for risk by describing the environment in which risk-related decisions are made within organizations. This component aims to create a strategy for managing risks, outlining how risks will be assessed, responded to, and monitored, thereby making explicit the risk perceptions guiding investment and operational decisions.

Moving on to the assessment of risk, the second component focuses on identifying threats to the organization, vulnerabilities (both internal and external), the potential harm, and the likelihood of that harm occurring. The assessment culminates in determining the level of risk, typically as a function of the degree of harm and the likelihood of harm occurring, within the organizational risk frame.

Once risks are determined, the third component of risk management comes into play: responding to risk. Here, organizations develop alternative courses of action, evaluate them, select appropriate responses consistent with organizational risk tolerance, and implement the chosen risk responses consistently across the organization.

Lastly, the fourth component involves monitoring risk over time. The purpose is to assess the ongoing effectiveness of risk responses, identify changes in organizational information systems and environments, and ensure that planned risk responses are implemented while meeting information security requirements derived from organizational missions, legislation, regulations, and guidelines.

FDA Requirements for Cybersecurity Risk Management

In the context of cybersecurity risk management, medical device manufacturers should establish a structured procedure for conducting a thorough risk assessment to determine whether a cybersecurity vulnerability affecting a medical device poses an acceptable or unacceptable risk. 

The cybersecurity risk management process shall focus on patient risk, evaluating the risk of patient harm by considering:

  • The susceptibility of the cybersecurity vulnerability to exploitation, and
  • The potential severity of patient harm if the vulnerability were to be exploited.

Exploitability Assessment

Medical device manufacturers need to establish procedures to evaluate the susceptibility of a cybersecurity vulnerability to exploitation. Estimating the likelihood of a cybersecurity exploit is often difficult because of factors such as the complexity of the exploitation method, the public availability of exploits, and the existence of exploit toolkits. When data on the likelihood of harm occurring is lacking, conventional risk management approaches in the medical device field recommend employing a “reasonable worst-case estimate” or setting the probability to a default value of one. While these methods are valid, the FDA proposes that manufacturers explore the use of a cybersecurity vulnerability assessment tool or a similar scoring system, such as the Common Vulnerability Scoring System (CVSS), to rate vulnerabilities and determine the necessity and urgency of the response.

Such tools score each of the individual factors that contribute to the overall rating. The list below follows the CVSS v3 metrics: the first four measure exploitability, Scope and the three Impact metrics measure the consequences of a successful exploit, and the last three (the temporal metrics) adjust the score for the current state of exploit code, remediation and reporting: 

  • Attack Vector (e.g., physical, local, adjacent, network)
  • Attack Complexity (e.g., high, low)
  • Privileges Required (e.g., none, low, high)
  • User Interaction (e.g., none, required)
  • Scope (e.g., changed, unchanged)
  • Confidentiality Impact (e.g., high, low, none)
  • Integrity Impact (e.g., none, low, high)
  • Availability Impact (e.g., high, low, none)
  • Exploit Code Maturity (e.g., high, functional, proof-of-concept, unproven)
  • Remediation Level (e.g., unavailable, work-around, temporary fix, official fix, not defined)
  • Report Confidence (e.g., confirmed, reasonable, unknown, not defined)

Assessment of Patient Harm

Manufacturers should additionally establish a procedure for evaluating the potential severity of patient harm in the event of a cybersecurity vulnerability being exploited. Although there are numerous acceptable methods for conducting such an analysis, one viable approach could involve utilizing qualitative severity levels, as outlined within ISO 14971.

An example methodology for assessing the severity of harm is reported below: 
