Blue Goat Cyber logoBlue Goat CyberSMMedical Device Cybersecurity
    K
    Goat Feed · Methodology

    The Blue Goat Cyber Risk Score (BGC-RS)

    A MedTech-specific 0-10 rubric that combines CVSS 4.0 technical impact, patient-safety potential, exploit maturity, and device exposure. Published in the open so security teams, regulators, and reviewers can replicate every score.

    Why a MedTech score

    A CVSS score alone is not a useful triage signal for a medical-device team. A CVSS 9.8 on a back-office library and a CVSS 7.2 on an infusion pump are not equivalent risks, but a generic scoring system treats them that way.

    BGC-RS is our attempt to publish a defensible MedTech score in the open. Every number on the Goat Feed is computed by the formula below, against data we display on the same page, so reviewers and customers can replicate or challenge any classification.

    The formula

    BGC-RS = (CVSS × 0.40) + (Patient-safety × 0.35) + (Exploit-maturity × 0.15) + (MedTech-exposure × 0.10). All four components score 0-10 independently; the final score is rounded to one decimal.

    CVSS technical
    40%

    CVSS 4.0 base score when published, falling back to CVSS 3.1 then 3.0. Aligned with FDA's February 3, 2026 premarket cybersecurity guidance preference for CVSS 4.0 reporting. Missing CVSS scores get a neutral 4/10 so that an item without an NVD entry is never inadvertently rated 0.

    Patient safety
    35%

    Inferred from device-class signals in the headline, dek, tags, and vendor record. Tiers: life-threatening (implantables, ventilators, infusion pumps, pacemakers, anesthesia, ECMO), injury (imaging, robotic surgery, dialysis, radiotherapy, CGM/glucose), delay-of-care (EHR/EMR, HL7/FHIR, PACS, pharmacy/medication workflow), or none.

    Exploit maturity
    15%

    KEV-listed > weaponized > public PoC > none. KEV items receive the full 10 - inclusion in CISA's KEV catalog is direct evidence of in-the-wild exploitation with a federal remediation deadline.

    MedTech exposure
    10%

    Baseline of 4 (item is in the MedTech feed at all), +3 for network-reachable signals (remote, network, cloud, Bluetooth, Wi-Fi, TLS, SSH, VPN), +2 when a device class is identified, +1 when a vendor slug is resolved.

    Tiers

    The numeric score maps to a triage tier displayed alongside the headline on every feed item.

    • Critical8.5 - 10Same-day triage. Confirmed exploitation or life-threatening clinical potential.
    • High7.0 - 8.4Patch within current sprint. Strong technical impact or clinical-injury potential.
    • Notable4.0 - 6.9Fold into next compliance cycle. Defensible to defer with documented rationale.
    • Info0 - 3.9Background. Track for trend analysis.

    Worked examples

    KEV - Implantable cardiac monitor with critical CVSS

    • CVSS 4.0 = 9.4
    • Patient safety = life-threatening (cardiac monitor)
    • Exploit = KEV
    • Exposure = 9/10 (network-reachable, vendor known)

    9.4 × 0.40 + 10 × 0.35 + 10 × 0.15 + 9 × 0.10 = 3.76 + 3.50 + 1.50 + 0.90 = 9.7

    9.7 - Critical

    NVD CVE - HL7 integration library, no PoC

    • CVSS 3.1 = 7.5
    • Patient safety = delay-of-care (HL7/FHIR)
    • Exploit = none
    • Exposure = 7/10 (network signals)

    7.5 × 0.40 + 5 × 0.35 + 2 × 0.15 + 7 × 0.10 = 3.00 + 1.75 + 0.30 + 0.70 = 5.8

    5.8 - Notable

    Linux kernel CVE on a backend server (KEV-listed)

    • CVSS 3.1 = 7.8
    • Patient safety = none (kernel infra, no device-class match)
    • Exploit = KEV
    • Exposure = 7/10

    7.8 × 0.40 + 2 × 0.35 + 10 × 0.15 + 7 × 0.10 = 3.12 + 0.70 + 1.50 + 0.70 = 6.0

    6.0 - Notable

    Scope and limits

    • BGC-RS is computed for KEV and CVE items only. FDA letters, recalls, and MAUDE events keep their existing severity (critical/notable/info) classification.
    • Patient-safety tier is inferred from device-class signals in the source text. We will add an admin override and per-vendor product-line maps in a future revision.
    • CVSS 4.0 is preferred when published. NVD coverage of 4.0 is still uneven, so most current items fall back to CVSS 3.1.
    • The score is a triage aid, not a substitute for your own SBOM-driven impact analysis or a Section 524B postmarket vulnerability review.

    Changelog

    • v1.0 - Initial publication. Four-component rubric, KEV/CVE only, auto-inferred patient safety.

    See the full Goat Feed methodology for source lists, ingestion cadence, and editorial controls.

    Need help triaging your SBOM?

    Blue Goat Cyber runs postmarket vulnerability management for medical-device teams.

    30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.