MD-VIPER Medical Device Vulnerability Sharing

Stakeholders: manufacturers, healthcare delivery organizations (HDOs), independent security researchers, regulatory agencies, etc.

Benefits:
- Sharing of reports on known vulnerabilities
- Vetting and evaluation of vulnerabilities
- Details of actions taken by others to mitigate vulnerabilities
- Medical device cybersecurity education, best practices, mitigation strategies
MD-VIPER Vulnerability Report for Manufacturers

The MD-VIPER Vulnerability Report is designed to serve as an alternate reporting process to FDA's requirements for 21 CFR Part 806 reporting if cybersecurity vulnerabilities are involved. Manufacturers are not held to 21 CFR Part 806 reporting requirements if:
- the manufacturer is an active participant in an ISAO (such as NH-ISAC);
- the manufacturer is conducting a correction/removal to address a cybersecurity vulnerability;
- the cybersecurity vulnerability in question has not led to any known serious injuries or deaths;
- the manufacturer will meet the timeline criteria for communicating to its customers and then validating and distributing the deployable fix such that the residual risk is brought to an acceptable level.
Medical Device Vulnerability Reporting Workflow by Manufacturer
PROVISIONAL: MD-VIPER Vulnerability Report Flow

[Flowchart. Swimlanes: Coordinated Vulnerability Disclosure; FDA; ICS-CERT; US-CERT; ISAOs/ISACs. The recoverable steps are listed below.]

Manufacturer path:
1. Start: the manufacturer determines it has an MD-VIPER reportable vulnerability (New Report), or has additional or corrected information regarding a previously reported vulnerability (Existing Report).
2. The manufacturer completes and submits the MD-VIPER Vulnerability Report (including any amendments, updates and corrections) securely via web, and indicates if the submission is to be treated as Protected Critical Infrastructure Information (PCII).
3. MD-VIPER validates the submission: is the submission appropriate/complete?
   - Yes: MD-VIPER accepts the submission; the manufacturer automatically receives e-mail notice that the submission has been accepted and included in the database.
   - No: the manufacturer is notified that the submitted report needs clarification (given reasons why) and is asked to resubmit with clarification.
4. A manufacturer that is a "trusted participant in the MD-VIPER" may authorize Coordinated Disclosure.

Third-party path (shown on the same diagram):
1. A 3rd party (non-manufacturer) registered in MD-VIPER determines it has an MD-VIPER reportable vulnerability.
2. The 3rd party completes and submits the MD-VIPER Vulnerability Report (including any amendments, updates and corrections) securely via web, and indicates if the submission is to be treated as PCII.
3. MD-VIPER validates the submission: is the submission appropriate/complete?
   - Yes: MD-VIPER accepts the submission; the 3rd party and the manufacturer automatically receive e-mail notice that the submission has been provisionally accepted and included in the database.
   - No: the 3rd party is notified that the submitted report needs clarification (given reasons why) and is asked to resubmit with clarification.

Shared elements:
- Accepted submissions update the MD-VIPER Vulnerability database (encrypted). Data and submissions (proprietary and patient data redacted) that are not otherwise coded as PCII in the submission are viewable to stakeholders.
- MD-VIPER analyses the data. Analysis reports are available to interested parties (HDOs, security researchers/consultants) via the MD-VIPER web; MD-VIPER generated reports meet data sharing/data confidentiality standards and guidelines.
Medical Device Vulnerability Reporting Workflow by Non-manufacturer (researcher, healthcare delivery org, ICS-CERT, patient, etc.)

[Flowchart. Swimlanes: Coordinated Vulnerability Disclosure; FDA; ICS-CERT; US-CERT; ISAOs/ISACs. The diagram shows both the manufacturer and the third-party reporting paths; the third-party path is summarised below.]

1. Start: a 3rd party (non-manufacturer) registered in MD-VIPER determines it has an MD-VIPER reportable vulnerability.
2. The 3rd party completes and submits the MD-VIPER Vulnerability Report (including any amendments, updates and corrections) securely via web, and indicates if the submission is to be treated as Protected Critical Infrastructure Information (PCII).
3. MD-VIPER validates the submission: is the submission appropriate/complete?
   - Yes: MD-VIPER accepts the submission; the 3rd party and the manufacturer automatically receive e-mail notice that the submission has been provisionally accepted and included in the database.
   - No: the 3rd party is notified that the submitted report needs clarification (given reasons why) and is asked to resubmit with clarification.
4. Accepted submissions update the MD-VIPER Vulnerability database (encrypted). Data and submissions (proprietary and patient data redacted) that are not otherwise coded as PCII in the submission are viewable to stakeholders.
5. MD-VIPER analyses the data; analysis reports are available to interested parties (HDOs, security researchers/consultants) via the MD-VIPER web. MD-VIPER generated reports meet data sharing/data confidentiality standards and guidelines.