Benefits of Vulnerability Reporting by Manufacturers

In their Postmarket Management of Cybersecurity in Medical Devices final guidance issued in December 2016, FDA notes the importance of promoting collaboration among the medical device and Health IT communities toward the development of a shared understanding of the risks posed by vulnerabilities to networked medical devices and to take appropriate action to mitigate the risks through appropriate mitigation and remediation actions, preventing impacts to the safety, effectiveness, integrity or security of medical devices and the health IT infrastructure.

Specifically, the benefits to manufacturers include:

  • provides an option for reporting vulnerabilities outside of the recall process (CFR 806), which requires more formal and voluminous information to be provided to FDA;
  • uses a common mechanism for reporting that meets the FDA’s final guidance in compliance with their reporting criteria;
  • there is no need for any formal communication with the FDA for the vulnerability discovered (although the manufacturer might want to communicate informally simply to make them aware of the situation);
  • the only reporting on the vulnerability and action taken would be in the annual reporting for Class III devices;
  • provides an effective mechanism/system of trust for sharing useful threat data to customers to inform risk decisions and mitigation actions in a way the customers prefer;
  • sharing vulnerability information and remediation will provide valuable information to other manufacturers that they can then use to evaluate their own products for the vulnerability (all active participants of the MD-VIPER will benefit in this way);
  • cybersecurity for medical devices in general will improve as more information of this kind is shared and used for improvements;
  • in the future, this collection of information may prove useful in research and new innovations in medical device cybersecurity program approaches and techniques.