We work with you to customize a vulnerability (CVE) triaging model for each of your devices that aligns with your device’s components and essential clinical functions. Get the Medcrypt advantage with a scalable, repeatable model to ensure the trustworthiness of your scoring methodology.
Our custom vulnerability triaging method provides scalability and repeatability while eliminating human error. You benefit from your engineers working on critical development efforts, enabling you to get to market faster.
Our vulnerability (CVE) triaging methodology has proven to be easier to use than traditional error-prone scoring methods, while reducing reliance on human experts and increasing efficiency.
Relying on human experts, no matter how good they are, is not scalable or repeatable. This gives you a biased understanding of your overall risk level, which in turn impacts your risk mitigation strategies.
Make strategic changes to your current risk mitigation strategies to maximize return on investment and reduce unexpected delays.
Ensure you understand the impact of recent regulatory changes included in the “PATCH Act”, as well as the likelihood that the FDA will flag your submissions for connected devices due to cybersecurity deficits.
You want your engineers working on your company’s future, not feeling disengaged and bored manually rescoring vulnerabilities for months on end, which increases the risk of engineer attrition.
Get the benefit of a scalable, repeatable vulnerability scoring method to analyze and mitigate risk, ensuring patient safety and paving the way to FDA cybersecurity approval.
Make strategic changes to your risk mitigation strategies to maximize ROI and reduce unexpected delays. Our vulnerability scoring model reduced patient risk while maintaining or improving business outcomes, timelines, and scope.
Don’t just take our word for it. Our MDM client saved months of manual analysis using our vulnerability triaging model. This allowed for more time spent on the patch design and development efforts, which shifted patch decision-making earlier in the project schedule, thereby reducing impact on the critical systems engineering path and the amount of time devices in the field were left vulnerable.
Problem: Lack of scalability and repeatability in rescoring CVEs
This MDM had thousands of vulnerabilities (CVEs) that had to be rescored from their previous Common Vulnerability Scoring System (CVSS) scores. They had to rely on their R&D engineers to manually rescore thousands of CVSS scores to determine risk and patching needs. This required hundreds of hours of manual analysis, was very costly, and kept engineers from working on other projects and deliverables. It also increased the risk of employee attrition, as this was repetitive work that could not easily be automated, resulting in an ineffective, inefficient, and error-prone approach.
Client’s original approach: Inefficient, manual rescoring
Although they had performed a current-state assessment of their legacy device, and identified risks and risk mitigation strategies, they knew that they had gaps in their cybersecurity architecture. They decided that they couldn’t afford to continue to ignore these potential vulnerabilities.
Because their method was based on individual human judgment, it was neither scientifically sound nor repeatable, so they also ran the risk of the FDA deciding that their risk mitigation strategies were not sufficient, which would further impact their bottom line.
Results:
Medcrypt’s CVE Triage model automated the scoring process, reducing months of painful, manual analysis time to just minutes, with at least 90% accuracy. This automated model freed up R&D engineers to work on more strategic initiatives that would continue to propel the company forward.
Our client realized a drastic reduction in manual R&D labor and risk of attrition. Our model further reduced overall analysis time, allowing for more patch design and development effort. This also shifted patch decision-making earlier in the project schedule, reducing impact on the critical systems engineering path, as well as reducing the amount of time that devices in the field were left unpatched and vulnerable.
Vulnerability (CVE) triaging model:
We developed a vulnerability (CVE) triaging model for each of their devices, specific to each device’s components and essential clinical functions. Our model also enabled consistent application of policy and quality system requirements tailored to each device. We compared human expert judgment against the model’s judgment and used the differences to iteratively improve the automation until the two reached parity.