MD-VIPER FAQ

What is MD-VIPER?

MD-VIPER is a program to allow manufacturers and other medical device cybersecurity stakeholders to disclose vulnerabilities in a responsible manner.

What does MD-VIPER do?

The MD-VIPER program gathers and analyzes critical medical device vulnerability information in order to: better understand medical device cybersecurity problems and interdependencies; communicate or disclose critical medical device cybersecurity information to help prevent, detect, mitigate, or recover from the effects of medical device cyber threats; or voluntarily disseminate critical medical device cybersecurity information to its participants or others involved in the detection and response to medical device cybersecurity issues.

Who can participate in MD-VIPER?

Participation is open to vetted manufacturers and other stakeholders in medical device security.

Do I have to pay any fees?

Participation in the MD-VIPER program is free.

What do I need to do to participate in MD-VIPER?

To participate in MD-VIPER, you must register via the MD-VIPER website. Once vetted by the MD-VIPER team, participants need to sign a Non-Disclosure Agreement (NDA).

What does participation in MD-VIPER entail?

Participants can submit vulnerability disclosure forms and participate on a Listserver where TLP WHITE and GREEN information about threats and general situational awareness of medical device security is shared.

What is TLP WHITE and TLP GREEN information?

The Traffic Light Protocol (TLP) is an originator-controlled method for classifying how information can be disseminated.

How long has the MD-VIPER program existed?

The MD-VIPER program was launched in December 2016 in response to the issuance of FDA’s Postmarket Management of Cybersecurity in Medical Devices final guidance, which promotes collaboration and information sharing amongst the medical device manufacturer and health IT communities to develop a shared understanding of the risks posed by cybersecurity vulnerabilities to the safety, effectiveness, integrity, or security of medical devices and the health IT infrastructure.

Why is belonging to the MD-VIPER program important?

The FDA considers voluntary participation in an ISAO a critical component of a medical device manufacturer’s comprehensive proactive approach to postmarket management of cybersecurity threats and vulnerabilities and a significant step towards assuring the ongoing safety and effectiveness of marketed medical devices. The MD-VIPER program is part of the Medical Device ISAO, a joint partnership between NH-ISAC and MDISS.

What role do NH-ISAC and MDISS play in MD-VIPER?

NH-ISAC and MDISS serve as co-chairs of the Medical Device Security Information Sharing Council (MDSISC) under the NH-ISAC, which serves as the Medical Device Security ISAO. Members of the MDSISC include manufacturers and providers who are members of the NH-ISAC and MDISS. These members are eligible to participate in MD-VIPER and will also share information at TLP AMBER. It will be the responsibility of the members of the MDSISC to share relevant alerts and other information at the TLP GREEN and WHITE levels with participants in MD-VIPER where possible. NH-ISAC and MDISS are administrators of the MD-VIPER program and will work with medical device manufacturers to ensure vulnerabilities are addressed and disclosed responsibly to appropriate stakeholders.