Frequently Asked Questions (FAQ)

Select from the topics below to see the frequently asked questions (FAQs) within each topic area. Other considerations, inquiries, and suggestions for revisions or additions can be submitted using the Contact Us link provided. These FAQs will be updated as needed.

TOPIC: MD-VIPER PROGRAM

What is MD-VIPER?

MD-VIPER is a program to allow manufacturers and other medical device cybersecurity stakeholders to disclose vulnerabilities in a responsible manner.

What does MD-VIPER do?

The MD-VIPER program gathers and analyzes critical medical device vulnerability information in order to better understand medical device cybersecurity problems and interdependencies, communicate or disclose critical medical device cybersecurity information to help prevent, detect, mitigate, or recover from the effects of medical device cyber threats, or voluntarily disseminate critical medical device cybersecurity information to its participants or others involved in the detection and response to medical device cybersecurity issues.

Who can participate in MD-VIPER?

Participation is open to vetted manufacturers and other stakeholders in medical device security.

Do I have to pay any fees?

Participation in the MD-VIPER program is free.

What do I need to do to participate in MD-VIPER?

In order to participate in MD-VIPER, registration is required via the MD-VIPER website. Once vetted by the MD-VIPER team, participants need to sign a Non-Disclosure Agreement (NDA).

What does participation in MD-VIPER entail?

Participants can submit vulnerability disclosure forms and participate on a Listserver where TLP WHITE and TLP GREEN information about threats and general situational awareness around medical device security is shared.

What is TLP WHITE and TLP GREEN information?

The Traffic Light Protocol (TLP) is an originator-controlled method for classifying how information can be disseminated.

How long has the MD-VIPER program existed?

The MD-VIPER program was launched in December 2016 in response to the issuance of FDA’s Postmarket Management of Cybersecurity in Medical Devices final guidance, which promotes collaboration and information sharing amongst the medical device manufacturer and health IT communities to develop a shared understanding of the risks posed by cybersecurity vulnerabilities to the safety, effectiveness, integrity, or security of medical devices and the health IT infrastructure.

Why is belonging to the MD-VIPER program important?

The FDA considers voluntary participation in an ISAO a critical component of a medical device manufacturer’s comprehensive proactive approach to postmarket management of cybersecurity threats and vulnerabilities and a significant step towards assuring the ongoing safety and effectiveness of marketed medical devices. The MD-VIPER program is part of the Medical Device ISAO, a joint partnership between NH-ISAC and MDISS.

What role do NH-ISAC and MDISS play in MD-VIPER?

NH-ISAC and MDISS serve as co-chairs of the Medical Device Security Information Sharing Council (MDSISC) under the NH-ISAC, which serves as the Medical Device Security ISAO. Members of the MDSISC include manufacturers and providers who are members of the NH-ISAC and MDISS. These members are eligible to participate in MD-VIPER and will also share information at TLP AMBER. It will be the responsibility of the members of the MDSISC to share relevant alerts and other information at the TLP GREEN and TLP WHITE levels with participants in MD-VIPER where possible. NH-ISAC and MDISS are administrators of the MD-VIPER program and will work with medical device manufacturers to ensure vulnerabilities are addressed and disclosed responsibly to appropriate stakeholders.


TOPIC: VULNERABILITY REPORTING

What is the MD-VIPER Vulnerability Reporting System?

The MD-VIPER Vulnerability Reporting System is a mechanism to provide the medical device user community, national healthcare and public health critical infrastructure owners and operators, and the organizations supporting the health sector with relevant information on recommended device controls, compensating controls, and residual cybersecurity risks, so that they can take appropriate steps to mitigate the risk and make informed decisions regarding device use.

What information do I report?

Report only those vulnerabilities that fall within the scope of ISAO reporting as defined in the FDA Postmarket Management of Cybersecurity in Medical Devices final guidance. The MD-VIPER Vulnerability Reporting Form collects information on the vulnerability identified, including the manufacturer’s impact assessment; identifies the efforts that are underway to address the risk of patient harm; describes the compensating controls; and provides a defense-in-depth strategy for reducing the probability of exploit and/or the severity of harm.

Where in the process does the manufacturer first communicate a vulnerability?

Communication should take place once an assessment of the vulnerability has been made (is it exploitable, what is the risk level, etc.).

Does a vulnerability get reported before there is a solution/fix identified?

Yes. The reporting process is intended to provide medical device users with information on recommended device controls, compensating controls, and residual cybersecurity risks so that they can take appropriate steps to mitigate risk and make informed decisions regarding device use. If the manufacturer is working to fix the vulnerability, that information should be communicated to customers and the user community along with information regarding the future availability of a fix.

If a manufacturer is made aware of a third-party vendor product vulnerability, what is the process for communicating and sharing that information?

Manufacturers should follow the MD-VIPER Vulnerability Reporting process and submit vulnerabilities using the MD-VIPER Vulnerability Reporting Form: https://mdviper.org/cybersecurity-vulnerabilities-reporting-process/md-viper-form/

What does not get reported through the MD-VIPER Vulnerability Reporting process?

Routine patches that fall under the category of enhancements; a vulnerability that has been discovered but is not exploitable, or whose risk of exploitability is so low that patching is not considered necessary; or an exploited vulnerability that has resulted in serious patient harm or death.


TOPIC: DATA PROTECTION/SHARING

How is the data collected and shared with the MD-VIPER participants/medical device user community?

Vulnerability reporting data is collected consistent with the NH-ISAC technical infrastructure and shared per NH-ISAC data sharing protocols.


TOPIC: MEDICAL DEVICE CYBERSECURITY

What are the FDA’s concerns about medical device cybersecurity?

A growing number of medical devices are designed to be networked to facilitate patient care and incorporate software that is vulnerable to the same cybersecurity threats as other networked computer systems (e.g., unauthorized access, denial of service, malicious code/malware, scans and probes). The exploitation of these vulnerabilities may represent a risk to health that requires manufacturers to proactively address cybersecurity risks to protect against such exploits. FDA encourages manufacturers to address cybersecurity throughout the product lifecycle, including the design, development, production, distribution, deployment and ongoing maintenance of the device. FDA further encourages the sharing of cyber risk information and intelligence within the medical device community to enhance management of individual cybersecurity vulnerabilities and provide advanced cyber threat information to relevant stakeholders to manage and enhance cybersecurity in the medical device community and the Healthcare and Public Health Critical Infrastructure (HPH) Sector.

What are the key things manufacturers and health care facilities should do to mitigate and manage medical device cybersecurity threats?

FDA recommends that medical device manufacturers and health care facilities take steps to ensure adequate security controls are in place and functioning as expected, which is validated through regular device/system monitoring and testing. Manufacturers should consider cybersecurity during the design phases of the medical device lifecycle and promote “good cyber hygiene” through routine device cyber maintenance, assessing postmarket information, employing a risk-based approach to identifying and assessing vulnerabilities, and timely implementation of required actions to mitigate emerging risks and reduce patient harm. Manufacturers are responsible for identifying risks and hazards associated with their medical devices, including risks related to cybersecurity, and for putting appropriate mitigations in place to address patient safety risks and ensure proper device performance. Hospitals and health care facilities should implement routine monitoring of their network and systems security and protect their hospital systems through a defense-in-depth strategy.

What is the impact of a cyber attack on a medical device?

The impacts of cyber attacks range from those that seek financial or intellectual property gain, damage to an institution’s or an individual’s reputation, or a political statement, to attacks on network-connected medical devices that carry the threat of bodily harm to patients if the security breach affects the safety and effectiveness of the device. This vulnerability continually increases as medical devices become more connected to hospitals, insurance providers, and other medical devices. (Ref: MED DEVICE ONLINE, Guest Column: "The Impact of Cybersecurity Vulnerabilities on Mobile Medical App Development," December 4, 2015, Sonali P. Gunawardhana.)