Quantifying medical device cybersecurity risk with CVSS BTE

The Common Vulnerability Scoring System (CVSS) is the de facto standard for assessing the severity of cybersecurity vulnerabilities. Yet, in practice, it is often misused. Most stakeholders rely solely on the so called CVSS "Base Score", a measure of technical severity, ignoring the contextual metrics introduced in the 4.0 version: "Threat" and "Environmental". This narrow use results in poor prioritization, especially in safety-critical domains like healthcare. In this study, we perform the first large-scale application of CVSS 4.0's full Base, Threat, Environmental (BTE) scoring to a comprehensive dataset of medical device vulnerabilities. We show that the Threat group can be partially automated using structured data sources, while meaningful environmental profiles (e.g., home vs hospital care) allow semi-automatic compilation of the Environmental metrics. Our results confirm that BTE scoring significantly changes vulnerability prioritization, yielding a representation of risk that is both more accurate and more actionable, especially when safety is involved.