Medical device researchers are encouraged to comply with the medical device vulnerability disclosure recommendations of the FDA and the ISO/IEC standard for vulnerability disclosure
Kennedy Space Center, Fla., and New York, September 20, 2016 – NH-ISAC, National Health Information Sharing and Analysis Center, and MDISS, Medical Device Innovation, Safety and Security Consortium, two leading organizations addressing the global public health challenge of medical device cybersecurity and cyber safety, encourage all medical device researchers to comply with the medical device vulnerability disclosure recommendations of the FDA and the ISO/IEC standard for vulnerability disclosure.
Safe, effective, and secure medical devices are critical to advancing our nation’s public health. To optimize patient safety while considering a security vulnerability, it is critical that medical device researchers collaborate with manufacturers, the FDA, and ICS-CERT. This collaboration expedites a detailed assessment of a medical device based on sound engineering best practices and enables appropriate risk mitigation.
Dr. Dale Nordenberg, Executive Director of MDISS, notes that “when identifying security vulnerabilities that may pose a risk to patients, it is critical that medical device researchers provide detailed engineering methods to support a timely collaborative peer review process by manufacturers, ICS-CERT, and the FDA of any potential medical device vulnerability.”
Potential medical device cybersecurity vulnerabilities, especially those that may impact patient safety, should be disclosed consistent with the FDA guidance, Postmarket Management of Cybersecurity in Medical Devices (January 2016), and, specifically, per the FDA-recognized ISO/IEC 29147:2014 standard cited in that guidance.
As the standard states: “Inappropriate disclosure of a vulnerability could not only delay the deployment of the vulnerability resolution but also give attackers hints to exploit it. That is why vulnerability disclosure should be carried out appropriately.” It further notes that “Vulnerability disclosure is a process through which vendors and vulnerability finders may work cooperatively in finding solutions that reduce the risks associated with a vulnerability.”
The ISO/IEC standard states that “the goals of vulnerability disclosure include the following:
a) ensuring that identified vulnerabilities are addressed;
b) minimizing the risk from vulnerabilities;
c) providing users with sufficient information to evaluate risks from vulnerabilities to their systems;
d) setting expectations to promote positive communication and coordination among involved parties.”
Denise Anderson, President of NH-ISAC, emphasizes: “While medical device researchers should follow the applicable manufacturer-published vulnerability disclosure process, we encourage any medical device researcher to reach out to NH-ISAC for assistance in connecting to manufacturers, as needed, to promote prompt response and patient safety.”
NH-ISAC and MDISS continue to convene medical device manufacturers, health systems, and other key stakeholders to develop cyber information sharing activities including those that support the FDA postmarket guidance. These activities are open to all stakeholders including medical device researchers.
NH-ISAC and MDISS will be convening two workshops in Minnesota this month: (1) this year’s fourth medical device cybersecurity workshop at the end of September, hosted by Mayo Clinic, and (2) a one-day medical device vulnerability information sharing workshop to support the FDA postmarket draft guidance, hosted by St. Jude Medical.
ABOUT NH-ISAC – The National Health Information Sharing and Analysis Center (NH-ISAC), the official healthcare information sharing and analysis center, offers non-profit and for-profit healthcare stakeholders, such as independent hospitals, IDN “providers”, health insurance “payers”, pharmaceutical/biotech manufacturers, laboratory and diagnostic organizations, medical device manufacturers, medical schools and medical R&D organizations, a community and forum for sharing cyber and physical threat indicators, best practices and mitigation strategies. NH-ISAC is a non-profit corporation funded and owned by its members. Membership is open to any healthcare stakeholder seeking protection of valuable PHI (personal health information) and compliance with Federal HIPAA regulations and standards, driving the assurance of patient health and life safety and fostering continuity of operations. Joining the NH-ISAC is one of the best ways health and public health services firms can do their part to protect the industry and its vital role in critical infrastructure. To learn more about the NH-ISAC or to become a member, please visit www.nhisac.org.
ABOUT MDISS – The Medical Device Innovation, Safety and Security Consortium (MDISS), founded in 2011, is a non-profit public health initiative and patient safety organization focused on medical device cybersecurity, along with practical technology, operations and policy solutions for improved safety of connected medical devices. MDISS was the first organization dedicated to these important medical device cyber health challenges and, in 2015, began to expand internationally. MDISS members bring deep expertise to inform an understanding of technical vulnerabilities; MDISS programs also support the development of epidemiologic methods, regulatory science and a public-private partnership model for public health interventions. To learn more about MDISS or to become a member, please visit www.mdiss.org.