MD-VIPER is a program to allow manufacturers and other medical device cybersecurity stakeholders to disclose vulnerabilities in a responsible manner.
The MD-VIPER program gathers and analyzes critical medical device vulnerability information in order to better understand medical device cybersecurity problems and interdependencies, communicate or disclose critical medical device cybersecurity information to help prevent, detect, mitigate, or recover from the effects of medical device cyber threats, or voluntarily disseminate critical medical device cybersecurity information to its participants or others involved in the detection and response to medical device cybersecurity issues.
Participation is open to vetted manufacturers and other stakeholders in medical device security.
Participation in the MD-VIPER program is free.
In order to participate in MD-VIPER, registration is required via the MD-VIPER website. Once vetted by the MD-VIPER team, participants need to sign a Non-Disclosure Agreement (NDA).
Participants can submit vulnerability disclosure forms and participate in a Listserver where TLP WHITE and GREEN information about threats and general situational awareness of medical device security is shared.
The Traffic Light Protocol (TLP) is an originator-controlled method for classifying how information can be disseminated.
The MD-VIPER program was launched in December 2016 in response to the issuance of FDA’s Postmarket Management of Cybersecurity in Medical Devices final guidance, which promotes collaboration and information sharing amongst the medical device manufacturer and health IT communities to develop a shared understanding of the risks posed by cybersecurity vulnerabilities to the safety, effectiveness, integrity, or security of medical devices and the health IT infrastructure.
The FDA considers voluntary participation in an ISAO a critical component of a medical device manufacturer’s comprehensive proactive approach to postmarket management of cybersecurity threats and vulnerabilities and a significant step towards assuring the ongoing safety and effectiveness of marketed medical devices. The MD-VIPER program is part of the Medical Device ISAO, a joint partnership between NH-ISAC and MDISS.
NH-ISAC and MDISS serve as co-chairs of the Medical Device Security Information Sharing Council (MDSISC) under the NH-ISAC, which serves as the Medical Device Security ISAO. Members of the MDSISC include manufacturers and providers who are members of the NH-ISAC and MDISS. These members are eligible to participate in MD-VIPER and will also share information at TLP AMBER. It will be the responsibility of the members of the MDSISC to share relevant alerts and other information at the TLP GREEN and WHITE levels with participants in MD-VIPER where possible. NH-ISAC and MDISS are administrators of the MD-VIPER program and will work with medical device manufacturers to ensure vulnerabilities are addressed and disclosed responsibly to appropriate stakeholders.