In the FDA’s Postmarket Management of Cybersecurity in Medical Devices final guidance issued on December 28, 2016, FDA provides an alternative to 21 CFR Part 806 reporting for corrections and removals made to address cybersecurity issues. In this guidance, a new pathway is outlined, which utilizes an ISAO, such as NH-ISAC, to collect reports on corrections and removals that are performed in the field to address cybersecurity issues.
The first flow chart below shows the flow beginning at the point the manufacturer has decided to fix the device in the field:
This second chart shows the MD-VIPER Vulnerability Reporting Process flow for both manufacturers and third-party reporters:
[Figure: Provisional MD-VIPER Vulnerability Report Flow]
Criteria for manufacturers to report through MD-VIPER
To be eligible to report specific vulnerabilities with uncontrolled risk via this new pathway, the following circumstances must be met:
- There are no known serious adverse events or deaths associated with the vulnerability;
- The manufacturer must communicate the vulnerability to its customers and user community as soon as possible, but no later than 30 days after learning of it; identify the interim compensating controls; develop a remediation plan to bring the residual risk to an acceptable level; and document the rationale for the plan's timeline. Customer communications should, at a minimum:
  - Describe the vulnerability, including an impact assessment based on the manufacturer's current understanding;
  - State that the manufacturer's efforts are underway to address the risk of patient harm as expeditiously as possible;
  - Describe compensating controls, if any; and
  - State that the manufacturer is working to fix the vulnerability, or provide a defense-in-depth strategy to reduce the probability of exploit and/or the severity of harm, and will communicate regarding the availability of a fix in the future.
- The manufacturer must fix the vulnerability no later than 60 days after learning of it, validate the change, and distribute the deployable fix to its customers and user community such that the residual risk is brought to an acceptable level. The manufacturer should follow up with end users as needed beyond the initial 60-day period. In all instances, the vulnerability must not be associated with a known serious adverse event or death.
- The manufacturer must actively participate as a member of an ISAO that shares vulnerabilities and threats that impact medical devices, such as NH-ISAC's MD-VIPER (the ISAO for medical devices), and must provide the ISAO with any customer communications upon notification of its customers.
Again, all of the items listed above must be met in order to use this reporting pathway. One goal of this alternate pathway is to provide a more expeditious route for addressing cybersecurity issues in the field. It also provides a way for information to be shared with industry stakeholders, helping them learn about and respond to emerging threats.
The MD-VIPER website has been established to provide medical device manufacturers with the tools necessary to report cybersecurity vulnerabilities as defined in the Postmarket Management of Cybersecurity in Medical Devices final guidance issued by FDA. Such reporting is a critical element of MD-VIPER's ability to analyze cybersecurity-related incidents and risks, as well as to facilitate the identification and adoption of cybersecurity best practices, standards and guidelines. The website is for medical device cybersecurity vulnerability reporting by medical device manufacturers only. All other health delivery organizations and medical device user facilities must use the medical device manufacturer's coordinated vulnerability disclosure process to report cybersecurity vulnerabilities.