A Cyber Risk Scoring System for Medical Devices

Ian W. Stine


The increased connectivity of medical devices has expedited patient treatment and provides lifesaving capabilities, but a lack of emphasis on device security has led to cybersecurity breaches for many healthcare organizations. Most medical professionals do not have a background in information technology or cybersecurity, yet they are responsible for assessing which treatment provides the best balance of risk and probability for success. This paper presents a two-part risk assessment framework that uses a doctors worst case assessment of a devices potential to impact a patient and a security questionnaire based on the STRIDE model to generate a risk score on a scale from 0 to 10. Four test cases based on relevant medical devices are used to demonstrate the practical application of the framework.