MD-VIPER Operations

Coordinated Vulnerability Disclosure and information sharing

(Figure: PROVISIONAL MD-VIPER Vulnerability Report Flow v10, page 2)

FDA’s Postmarket Management of Cybersecurity in Medical Devices guidance recommends that the manufacturer acknowledge receipt of the initial vulnerability report to the vulnerability submitter (see Section VII, Remediating and Reporting Cybersecurity Vulnerabilities, bottom of page 18):

http://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm482022.pdf

In addition, manufacturers should:

Adopt a coordinated vulnerability disclosure policy and practice that includes acknowledging receipt of the initial vulnerability report to the vulnerability submitter [31, 32]

(Footnotes 31 and 32 reference ISO/IEC 29147:2014, Information technology – Security techniques – Vulnerability disclosure, and ISO/IEC 30111:2013, Information technology – Security techniques – Vulnerability handling processes, respectively.)

Customer Alert Letter/Notification Process

Customer Alert Letter/Notification process (Reference FDA Postmarket Guidance Section VII.B.2):
Manufacturers must report vulnerabilities that present an uncontrolled risk to the FDA under 21 CFR part 806, unless they are reported under 21 CFR part 803 or part 1004 (footnote 36 references 21 CFR 806.10(f)). However, the FDA does not intend to enforce the reporting requirements of 21 CFR part 806 for specific vulnerabilities with uncontrolled risk when the following circumstances are met:
  1. There are no known serious adverse events or deaths associated with the vulnerability;
  2. As soon as possible, but no later than 30 days after learning of the vulnerability, the manufacturer communicates with its customers and user community regarding the vulnerability, identifies interim compensating controls, and develops a remediation plan to bring the residual risk to an acceptable level. Compensating controls should not introduce more risk to the device’s safety and essential performance than the original vulnerability. The manufacturer must document [37] the timeline rationale for its remediation plan [38]. The customer communication should, at a minimum:
    • Describe the vulnerability including an impact assessment based on the manufacturer’s current understanding,
    • State that the manufacturer’s efforts are underway to address the risk of patient harm as expeditiously as possible,
    • Describe compensating controls, if any, and
    • State that the manufacturer is working to fix the vulnerability, or provide a defense-in-depth strategy to reduce the probability of exploit and/or severity of harm, and will communicate regarding the availability of a fix in the future.

FDA Notification

(Reference Postmarket Guidance Section VIII. Recommended Content to Include in PMA Periodic Reports (page 25)).

For PMA devices with periodic reporting requirements under 21 CFR 814.84, information concerning cybersecurity vulnerabilities, and the device changes and compensating controls implemented in response to that information, should be reported to FDA in the periodic (annual) report.

It is recommended that the following information be provided for changes and compensating controls implemented for the device:
  • A brief description of the vulnerability prompting the change including how the firm became aware of the vulnerability;
  • A summary of the conclusions of the firm’s risk assessment including whether the risk of patient harm was controlled or uncontrolled;
  • A description of the change(s) made, including a comparison to the previously approved version of the device;
  • The rationale for making the change;
  • Reference to other submissions/devices that were modified in response to this same vulnerability;
  • Identification of event(s) related to the rationale/reason for the change (e.g., MDR number(s), recall number);
  • Unique Device Identification (UDI) [41] should be included, if available;
  • A link to an ICS-CERT advisory or other government or ISAO alert (https://ics-cert.us-cert.gov/advisories), if applicable;
  • All distributed customer notifications;
  • The date and name of the ISAO to which the vulnerability was reported, if any; and
  • Reference to other relevant submissions (PMA Supplement [42], 30-Day Notice, 806 report, etc.), if any, or the scientific and/or regulatory basis for concluding that the change did not require a submission/report.

Website Access Controls – Guests and registered users

(Figure: MD-VIPER website (and vulnerability report) access flowchart v2)

ACCESS CONTROLS:

Access controls are implemented to protect the confidentiality of the Vulnerability Reports submitted by manufacturers. There are two levels of access to the website:
  • Guest – full navigation of the website’s general content, with NO access to the Vulnerability Report pages or functionality.
  • Registered User – registered users must log in to reach all site pages and functions, including data input. A registered user can access only the Vulnerability Reports submitted by that user’s own manufacturer; this scoping is enforced through the registration process, which maps each account to a company name, the company’s 7-digit FDA registration number, and the contact names and emails within the manufacturer’s organization. A process to revoke access when a registered user is no longer participating in MD-VIPER is being drafted and will be executed as soon as it has been finalized.
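The two-level model above amounts to three checks on every read of a Vulnerability Report: the caller must be a logged-in, still-active registered user; the manufacturer the report belongs to must match the manufacturer the caller’s account was mapped to at registration; and a report that fails the second check should be indistinguishable from one that does not exist, so report identifiers cannot be enumerated across manufacturers. The following is an added example illustrating that model in Python. It is hypothetical, not the MD-VIPER site’s code: the class and function names, the use of the 7-digit FDA registration number as the tenant key, the revocation-as-flag design, and the sample users and reports are all assumptions constructed for the example.

```python
"""Added example (hypothetical): tenant-scoped access to vulnerability reports.

Models the MD-VIPER access levels described on this page: guests get no
report access; registered users see only their own manufacturer's reports;
a revoked account is denied on its next request. Not the site's own code.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Report:
    report_id: str
    fda_registration_number: str  # submitting manufacturer's 7-digit FDA registration number
    summary: str


@dataclass
class User:
    username: str
    fda_registration_number: str  # manufacturer this account was mapped to at registration
    active: bool = True           # False once access has been revoked


class AccessDenied(PermissionError):
    """Raised for every denied read: guest, revoked, missing, or another manufacturer's report."""


def _valid_registration_number(value: str) -> bool:
    # The page states the mapping key is a 7-digit FDA registration number.
    return len(value) == 7 and value.isdigit()


class VulnerabilityReportStore:
    def __init__(self) -> None:
        self._reports: dict[str, Report] = {}
        self._users: dict[str, User] = {}

    # --- registration and revocation -------------------------------------
    def register_user(self, username: str, fda_registration_number: str) -> User:
        if not _valid_registration_number(fda_registration_number):
            raise ValueError("FDA registration number must be exactly 7 digits")
        user = User(username, fda_registration_number)
        self._users[username] = user
        return user

    def revoke_user(self, username: str) -> None:
        # Revocation flips a server-side flag that every request re-checks, so a
        # revoked account loses access immediately, even with an existing session.
        self._users[username].active = False

    # --- authorization helper --------------------------------------------
    def _require_active(self, user: Optional[User]) -> User:
        # Guests (None) and revoked accounts are denied before any data is touched.
        if user is None or not user.active:
            raise AccessDenied("login with an active registered account required")
        return user

    # --- report operations -----------------------------------------------
    def submit_report(self, user: Optional[User], report_id: str, summary: str) -> Report:
        user = self._require_active(user)
        if report_id in self._reports:
            raise ValueError("duplicate report id")
        # The owning manufacturer comes from the authenticated account, never from the
        # request, so a user cannot file a report under another manufacturer's number.
        report = Report(report_id, user.fda_registration_number, summary)
        self._reports[report_id] = report
        return report

    def get_report(self, user: Optional[User], report_id: str) -> Report:
        user = self._require_active(user)
        report = self._reports.get(report_id)
        # Object-level check: a missing report and another manufacturer's report fail
        # identically, so report IDs cannot be enumerated across manufacturers.
        if report is None or report.fda_registration_number != user.fda_registration_number:
            raise AccessDenied("report not found")
        return report

    def list_reports(self, user: Optional[User]) -> list:
        user = self._require_active(user)
        return [r for r in self._reports.values()
                if r.fda_registration_number == user.fda_registration_number]


def demo() -> dict:
    """Guest read, own read, cross-manufacturer read, and revocation (constructed data)."""
    store = VulnerabilityReportStore()
    alice = store.register_user("alice@acme-med.example", "1234567")      # constructed
    bob = store.register_user("bob@other-devices.example", "7654321")     # constructed
    store.submit_report(alice, "VR-0001", "Hard-coded service credential in pump firmware")  # constructed
    store.submit_report(bob, "VR-0002", "Unauthenticated maintenance port on monitor")      # constructed

    outcome = {}
    try:
        store.get_report(None, "VR-0001")        # guest: denied
    except AccessDenied:
        outcome["guest_denied"] = True
    outcome["alice_sees_own"] = store.get_report(alice, "VR-0001").report_id
    try:
        store.get_report(bob, "VR-0001")         # other manufacturer's report: denied
    except AccessDenied:
        outcome["cross_tenant_denied"] = True
    outcome["bob_list"] = [r.report_id for r in store.list_reports(bob)]
    store.revoke_user("alice@acme-med.example")
    try:
        store.get_report(alice, "VR-0001")       # revoked account: denied
    except AccessDenied:
        outcome["revoked_denied"] = True
    return outcome


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the tenant key is read from the server-side account record on every call rather than from anything the client supplies, and that listing is filtered by that same key; that is what makes "manufacturer access to their own reports only" a property the server enforces rather than one the UI merely presents.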