MDRS Calculator

Medical Device Risk Score — reference implementation with irreversibility-driven tier floor and CCD promoter

How to use this tool

What MDRS is

The Medical Device Risk Score (MDRS) is a triage instrument: given facts about a legacy medical device, it produces one of four tiers (CRITICAL / HIGH / MEDIUM / LOW) and a corresponding action timeline. Use it to prioritise remediation work across a fleet of devices.

MDRS is not: a vulnerability scanner, an asset inventory tool, a compliance attestation, or a substitute for a clinical-engineering risk file. It complements ISO 14971 and HIPAA risk analysis — it does not replace them.

Where MDRS fits in the assessment workflow

  1. Inventory: clinical engineering identifies the device (model, OS, network interfaces, clinical use).
  2. Threat model: author a STRIDE-HC threat model for the device. Template ↗
  3. Compensating controls: author a Control Justification Record (CJR) for each constraint. Template ↗
  4. Score with MDRS: you are here. Use the threat model and CJRs to assign the five dimensions.
  5. Triage and act: the tier dictates timeline, escalation path, and review cadence.
First time using this? Choose Guided assessment mode below — it asks plain-English questions and assigns the scores for you. Once you're familiar with the dimensions, switch to Direct entry for faster scoring.

1. Score a device

Answer each question by selecting the option that best describes the device. Your answers map onto the 1–10 scoring scale automatically.

Q1 — Clinical impact (CIS)

If this device fails or behaves incorrectly during clinical use, what is the worst plausible patient consequence?

Q2 — Exploitability (ES)

What is the easiest path by which an attacker could exploit a known weakness in this device?

Q3 — Device criticality (DCI)

If this device becomes unavailable, what is the operational impact on the clinical service?

Q4 — Network exposure (NEF)

How is this device exposed to potential attack surfaces (network and physical)?

Q5 — Compensating Control Deficit (CCD)

How comprehensive are the compensating controls currently in place for this device, across the six STRIDE-HC categories (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege)?

A higher score means weaker coverage. CCD ≥ 8 promotes the resulting tier by one level — even mid-range composite scores escalate when controls are missing.

Set each dimension on a 1–10 scale. Click Show scoring guide for the full rubric per dimension.

Clinical impact (CIS): 9.0
9–10: life-sustaining (ventilators, infusion pumps, pacemaker programmers)

Scoring guide:
  • 9–10: Life-sustaining — ventilators, infusion pumps in active therapy, pacemaker programmers, dialysis machines. Failure or attack causes irreversible harm.
  • 7–8: Critical clinical monitoring — ICU monitors, surgical equipment, anaesthesia delivery. Failure causes significant harm requiring clinical intervention.
  • 5–6: Diagnostic imaging or laboratory — PACS, MRI, CT, X-ray, lab analysers. Failure delays or distorts diagnosis.
  • 3–4: Administrative — scheduling, billing, EHR-adjacent workstations. Failure disrupts operations but not patient care directly.
  • 1–2: Non-clinical — facilities, signage, BMS, kiosks. No direct patient impact.

Exploitability (ES): 7.5
7–8: network-accessible without public exploit

Scoring guide:
  • 9–10: Network-accessible with public exploit. Internet- or wide-network-reachable; CVE with proof-of-concept on Exploit-DB or Metasploit.
  • 7–8: Network-accessible without public exploit. CVE or known weakness, no published PoC.
  • 5–6: Adjacent-network or physical-proximity required. Same VLAN, Bluetooth, or service port within attended area.
  • 3–4: Authenticated local or service-port access required. Valid credential or vendor service tool.
  • 1–2: Privileged physical access only. Inside locked enclosure; no remote path.

Device criticality (DCI): 8.0
7–8: redundancy with switchover >30 min

Scoring guide:
  • 9–10: Single point of failure in critical care. No backup; loss impairs critical function immediately.
  • 7–8: Redundancy exists but switchover > 30 min. Spare available but transition gap is operationally significant.
  • 5–6: Multiple redundant devices, switchover < 15 min. Quick recovery; minor operational impact.
  • 3–4: Manual workaround available. Paper, alternative device, or alternative procedure exists.
  • 1–2: Non-critical. Loss is tolerable; convenience or efficiency only.

Network exposure (NEF): 8.0
7–8: internal network without VLAN isolation

Scoring guide:
  • 9–10: Internet-facing OR exposed unprotected service port in public space.
  • 7–8: Internal network, no VLAN isolation. Flat or weakly-segmented design.
  • 5–6: VLAN-isolated with permissive ACLs. Dedicated VLAN, broad access rules.
  • 3–4: VLAN-isolated with restrictive ACLs and physical-access controls.
  • 1–2: Air-gapped, attended-only physical access.

Compensating Control Deficit (CCD): 7.0
7–8: partial controls (1–2 STRIDE categories covered)

Scoring guide:
  • 9–10: No compensating controls in place. Device deployed as vendor-shipped.
  • 7–8: Partial controls — 1–2 STRIDE-HC categories covered.
  • 5–6: Controls in 3–4 STRIDE-HC categories.
  • 3–4: Comprehensive controls, not formally tested.
  • 1–2: Comprehensive controls, validated annually (pen-test or harness).

CCD promoter: CCD ≥ 8 promotes the resulting tier by one level. This addresses devices with weak controls that would otherwise not meet a high tier on the composite alone.

CRITICAL
Composite 8.175

Why this tier?

Scores assigned

| Dimension | Score | Weight |
|---|---|---|
| Clinical Impact (CIS) | 9.0 | 35% |
| Exploitability (ES) | 7.5 | 25% |
| Device Criticality (DCI) | 8.0 | 20% |
| Network Exposure (NEF) | 8.0 | 15% |
| Compensating Control Deficit (CCD) | 7.0 | 5% + promoter |

Recommended response (per MDRS Table 6)

Immediate isolation or shutdown of non-life-critical devices; 24-hour escalation to CISO and CMO; emergency vendor engagement; activate incident response plan.

Action timeline: Immediate / 24 hours

What to do with this score

  1. Document. Attach the JSON export (above) to the device's risk record. This satisfies ISO 14971 cl.5–8 risk evaluation evidence and HIPAA §164.308(a)(1)(ii)(A) risk analysis evidence.
  2. Convene. Notify the appropriate owners. For CRITICAL: CISO + CMO + clinical engineering director within 24 hours.
  3. Plan. Within the action timeline (24 hours), produce or update Control Justification Records (CJRs) for any constraints that cannot be addressed by patching. CJR template ↗
  4. Validate. For HIGH and CRITICAL devices, validate compensating-control effectiveness either by penetration test or via the empirical test harness. Test harness ↗
  5. Review. Set the next review date in the device's risk file. Quarterly for CRITICAL; semi-annually for HIGH; annually for MEDIUM and LOW.

2. Worked example presets (paper Table 7)

Three reference profiles from the paper. Click any preset to load its values into the calculator above.

3. Sensitivity analysis: configurable weights

Default weights reflect the paper's expert-judgement assignment. Adjust here to evaluate sensitivity. The CCD weight may be set above its default 5%, but its operational role as a tier promoter (CCD ≥ 8) is preserved regardless of weight.

Tier floor and CCD promoter rules (not configurable)

4. Methodology

The composite

The Medical Device Risk Score composite is a weighted sum across five dimensions, each scored 1–10:

MDRS_comp = (CIS × 0.35) + (ES × 0.25) + (DCI × 0.20) + (NEF × 0.15) + (CCD × 0.05)

Tier mapping

| Tier | Composite range (with floor and promoter applied) | Action timeline |
|---|---|---|
| CRITICAL | ≥ 8.0, or promoted from HIGH via CCD ≥ 8 | Immediate / 24 hours |
| HIGH | 6.0 ≤ score < 8.0, or any device with CIS ≥ 9 | 30 days |
| MEDIUM | 3.5 ≤ score < 6.0, or any device with CIS = 7–8 | 90 days |
| LOW | < 3.5 | 12 months |
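
The composite, CIS tier floor and CCD promoter described above, worked through in JavaScript. This is an added example, not the project's reference implementation or the code behind tests/run-tests.js. It assumes the floor is applied before the promoter and that a fractional CIS between 7 and 9 takes the MEDIUM floor; scoreDevice and its return fields are names chosen here.

```javascript
// Added example: MDRS composite, CIS tier floor, and CCD promoter.
const TIERS = ["LOW", "MEDIUM", "HIGH", "CRITICAL"];
// Default weights from the page, as integer percentages so sums stay exact.
const DEFAULT_WEIGHTS = { CIS: 35, ES: 25, DCI: 20, NEF: 15, CCD: 5 };

function scoreDevice(scores, weights = DEFAULT_WEIGHTS) {
  const dims = Object.keys(DEFAULT_WEIGHTS);
  for (const d of dims) {
    const s = scores[d];
    if (typeof s !== "number" || !(s >= 1 && s <= 10)) {
      throw new RangeError(`${d} must be a number from 1 to 10`);
    }
  }
  const total = dims.reduce((sum, d) => sum + weights[d], 0);
  if (total !== 100) throw new RangeError("weights must sum to 100");

  const composite =
    dims.reduce((sum, d) => sum + scores[d] * weights[d], 0) / 100;

  // Tier from the composite alone.
  let level =
    composite >= 8.0 ? 3 : composite >= 6.0 ? 2 : composite >= 3.5 ? 1 : 0;
  const baseTier = TIERS[level];

  // Floor: CIS >= 9 is at least HIGH, CIS 7-8 is at least MEDIUM.
  // Assumption: a fractional CIS in [7, 9) takes the MEDIUM floor.
  const floor = scores.CIS >= 9 ? 2 : scores.CIS >= 7 ? 1 : 0;
  const floorApplied = floor > level;
  level = Math.max(level, floor);

  // Promoter: CCD >= 8 lifts the resulting tier one level, capped at CRITICAL.
  // Assumption: it runs after the floor.
  const promoted = scores.CCD >= 8 && level < 3;
  if (promoted) level += 1;

  return { composite, baseTier, tier: TIERS[level], floorApplied, promoted };
}

// Profile loaded in the calculator on this page (composite 8.175).
const preset = scoreDevice({ CIS: 9, ES: 7.5, DCI: 8, NEF: 8, CCD: 7 });
// Constructed: life-sustaining device with low scores elsewhere; floor applies.
const floored = scoreDevice({ CIS: 9, ES: 2, DCI: 2, NEF: 2, CCD: 2 });
// Constructed: the same device with no compensating controls; promoter applies.
const promotedCase = scoreDevice({ CIS: 9, ES: 2, DCI: 2, NEF: 2, CCD: 9 });
console.log(preset, floored, promotedCase);
```

The two constructed profiles show why the floor and promoter exist: both have composites under 5, yet the first is held at HIGH by CIS and the second reaches CRITICAL once CCD crosses 8.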

Verification

Test cases verifying the scoring logic, tier floor, CCD promoter, and equation arithmetic are provided in tests/test-cases.json. All three paper preset values (8.175, 4.750, 6.325) reproduce exactly. Run node tests/run-tests.js to verify.