The Common Vulnerability Scoring System (CVSS) is a tool that rates the severity of security weaknesses in computer systems to help organizations prioritize and manage cybersecurity threats effectively.
What is the common vulnerability scoring system?
The CVSS was created by the Forum of Incident Response and Security Teams (FIRST), an international consortium responsible for promoting cooperation among computer security incident response teams. NIST guidance provides that, “It is the most widely adopted industry standard for characterizing the properties of information technology vulnerabilities and measuring their severity, and it is based on human expert opinion.”
The system acts as a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The score itself can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.
How it's applied
To use the CVSS, individuals or organizations access a set of criteria that describe the severity of vulnerabilities. This set includes metrics related to how the vulnerability can be exploited, what is required to exploit it, the impacts on confidentiality, integrity, and availability, and other contextual information about the affected system. Users fill out these metrics based on the vulnerability details, and the system calculates a score.
The practical, simplified application includes:
- Identifying the vulnerability: Organizations first identify the specific security vulnerability that needs evaluation. It could be a software flaw, a system misconfiguration, or any other security gap that poses a risk.
- Accessing the CVSS metrics: They access a platform that offers the CVSS metrics, such as the National Vulnerability Database (NVD). The platform provides a standardized form that guides them through the scoring process.
- Filling out the metrics: Organizations complete the form by assessing various aspects of the vulnerability. It includes determining how it can be exploited, what is needed to exploit it, and what parts of the system are affected (like confidentiality, integrity, or availability).
- Calculating the score: Once the form is filled out, the CVSS calculator automatically computes a numerical score. The score is based on the severity of the vulnerability and its potential impact.
- Interpreting the score: They translate the numerical score into a qualitative measure (low, medium, high, or critical).
- Prioritizing actions: Using the qualitative assessment, organizations prioritize which vulnerabilities need immediate action, which can be scheduled for later, and which are low priority.
The application in healthcare
The CVSS (version 3) provides three metric groups: base, temporal, and environmental. The base metrics focus on the intrinsic qualities of a vulnerability, providing a foundational severity score from 0 to 10. Temporal metrics allow healthcare organizations to update these scores as circumstances change, such as when new fixes are implemented or when exploit techniques evolve. Environmental metrics add another layer of specificity by considering the unique aspects of the healthcare provider's operational environment, such as the potential impact on patient care and data privacy.
An example of the application of the system is discussed in a study published in the International Journal of Critical Infrastructure Protection, which notes: “The Food and Drug Administration currently recommends that the Common Vulnerability Scoring System be used to categorize vulnerabilities in medical devices.” The CVSS calculator offers healthcare providers a clear, numerical score and a qualitative severity rating. These ratings help prioritize which vulnerabilities to address first, whether gaps in HIPAA compliant email systems or flaws in medical devices. As a result, healthcare organizations can allocate their cybersecurity resources more efficiently.
FAQs
What is the NIST?
The National Institute of Standards and Technology (NIST) is a U.S. federal agency that develops standards, including cybersecurity standards.
Why are medical devices so often targeted?
Medical devices are often targeted because they contain valuable patient data and typically have weaker security protections.
What is the role of the FDA in cybersecurity?
The role of the FDA in cybersecurity involves regulating and providing guidelines for ensuring that medical devices are secure from cyber threats.