Coordinated Vulnerability Disclosure and information sharing
[Figure: PROVISIONAL MD-VIPER Vulnerability Report Flow v10 - pg 2]
FDA’s Postmarket Management of Cybersecurity in Medical Devices guidance recommends that the manufacturer acknowledge receipt of the initial vulnerability report to the vulnerability submitter (Reference section VII. Remediating and Reporting Cybersecurity Vulnerabilities, bottom of page 18):
In addition, manufacturers should:
Adopt a coordinated vulnerability disclosure policy and practice that includes acknowledging receipt of the initial vulnerability report to the vulnerability submitter
Customer Alert Letter/Notification Process
- There are no known serious adverse events or deaths associated with the vulnerability;
- As soon as possible but no later than 30 days after learning of the vulnerability, the manufacturer communicates with its customers and user community regarding the vulnerability, identifies interim compensating controls, and develops a remediation plan to bring the residual risk to an acceptable level. Controls should not introduce more risk to the device’s safety and essential performance than the original vulnerability. The manufacturer must document the timeline rationale for its remediation plan. The customer communication should, at minimum:
  - Describe the vulnerability including an impact assessment based on the manufacturer’s current understanding,
  - State that manufacturer’s efforts are underway to address the risk of patient harm as expeditiously as possible,
  - Describe compensating controls, if any, and
  - State that the manufacturer is working to fix the vulnerability, or provide a defense-in-depth strategy to reduce the probability of exploit and/or severity of harm, and will communicate regarding the availability of a fix in the future.
For PMA devices with periodic reporting requirements under 21 CFR 814.84, information concerning cybersecurity vulnerabilities, and device changes and compensating controls implemented in response to this information, should be reported to FDA in a periodic (annual) report. The report should include:
- A brief description of the vulnerability prompting the change including how the firm became aware of the vulnerability;
- A summary of the conclusions of the firm’s risk assessment including whether the risk of patient harm was controlled or uncontrolled;
- A description of the change(s) made, including a comparison to the previously approved version of the device;
- The rationale for making the change;
- Reference to other submissions/devices that were modified in response to this same vulnerability;
- Identification of event(s) related to the rationale/reason for the change (e.g., MDR number(s), recall number);
- Unique Device Identification (UDI) should be included, if available;
- A link to an ICS-CERT advisory or other government or ISAO alert (https://ics-cert.us-cert.gov/advisories), if applicable;
- All distributed customer notifications;
- The date and name of the ISAO to which the vulnerability was reported, if any; and
- Reference to other relevant submission (PMA Supplement, 30-Day Notice, 806 report, etc.), if any, or the scientific and/or regulatory basis for concluding that the change did not require a submission/report.
Website Access Controls – Guests and registered users
[Figure: MD-VIPER website (and vulnerability report) access flowchart v2]
- Guest – provides full navigation to the website’s general content, with NO access to the Vulnerability Reports pages/functionality.
- Registered User – registered users must log in to access all site pages and functions, including data input capability and manufacturer access to Vulnerability Reports submitted by that manufacturer only (controlled by the registration process, which maps the company name and 7-digit FDA registration number to contact names and emails within the manufacturer’s organization). A process to revoke access when a registered user is no longer participating in MD-VIPER is being drafted and will be executed as soon as it has been finalized.
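One way to implement the access model above in code, added here as an illustration and not MD-VIPER's own implementation: guests are denied outright, registered users see only reports filed under their own 7-digit FDA registration number, and a revocation list (the step the text says is still being drafted) is consulted on every check. The class, field and sample values are assumptions.

```python
"""Tenant-scoped vulnerability report access (assumed model, not MD-VIPER code)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class User:
    email: str
    role: str                           # "guest" or "registered"
    fda_reg_no: Optional[str] = None    # 7-digit FDA registration number of the user's company


@dataclass(frozen=True)
class VulnReport:
    report_id: str
    submitter_reg_no: str               # registration number of the manufacturer that filed it


class AccessControl:
    def __init__(self) -> None:
        # Revoked accounts; checked live so offboarding takes effect immediately.
        self._revoked: Set[str] = set()

    def revoke(self, email: str) -> None:
        """Remove a registered user who no longer participates in the program."""
        self._revoked.add(email.lower())

    def can_view(self, user: User, report: VulnReport) -> bool:
        # Deny by default; each rule below opens exactly one path.
        if user.role != "registered":
            return False                # guests never reach the report pages
        if user.email.lower() in self._revoked:
            return False
        reg = user.fda_reg_no or ""
        if not (reg.isdigit() and len(reg) == 7):
            return False                # malformed tenant mapping -> no tenant, no access
        return reg == report.submitter_reg_no   # own manufacturer's reports only

    def visible_reports(self, user: User, reports: Iterable[VulnReport]) -> List[VulnReport]:
        """Filter a report listing down to what this user is allowed to see."""
        return [r for r in reports if self.can_view(user, r)]


if __name__ == "__main__":
    # Constructed sample data.
    ac = AccessControl()
    alice = User("alice@acme.example", "registered", "1234567")
    reports = [VulnReport("VR-001", "1234567"), VulnReport("VR-002", "7654321")]
    print([r.report_id for r in ac.visible_reports(alice, reports)])   # ['VR-001']
```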