Related Standards and Reporting Systems

TIR57 Principles for medical device security—Risk management – http://www.aami.org/productspublications/ProductDetail.aspx?ItemNumber=3729

ISO Standard

  • Standard referenced in FDA guidance
  • ISO 14971:2007 specifies a process for a manufacturer to identify the hazards associated with medical devices, including in vitro diagnostic (IVD) medical devices, to estimate and evaluate the associated risks, to control these risks, and to monitor the effectiveness of the controls.
  • The requirements of ISO 14971:2007 are applicable to all stages of the life-cycle of a medical device.
  • ISO/IEC 30111:2013 gives guidelines for how to process and resolve potential vulnerability information in a product or online service.
  • ISO/IEC 30111:2013 is applicable to vendors involved in handling vulnerabilities.

NIST Vulnerability Database – https://nvd.nist.gov/workshop.cfm

  • The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics.

NTIA Vulnerability Disclosure Findings, Recommendations and Best Practices