A New Way to Report Medical Device Vulnerabilities (InfoRiskToday)

A new website is now available for reporting medical device vulnerabilities, says Dale Nordenberg, M.D., executive director of the Medical Device Innovation, Safety and Security Consortium.

The Medical Device Vulnerability Intelligence Program for Evaluation and Response, or MD-VIPER, is a collaborative effort of MDISS and the National Health Information Security Analysis Center, Nordenberg explains in an interview with Information Security Media Group conducted at the HIMSS17 Conference in Orlando.

MD-VIPER is “finely tuned” for supporting the reporting of vulnerabilities that comply with certain criteria spelled out in the Food and Drug Administration’s recent guidance for post-market cybersecurity of medical devices, Nordenberg says. MD-VIPER provides an alternative to reporting a medical device cyber vulnerability to the FDA under regulation 21 CFR 806 as long as certain criteria are met, as spelled out in the FDA’s final post-market guidance for medical device cybersecurity, Nordenberg explains.

Once data is submitted to MD-VIPER, he notes, “it will only be shared as requested by the manufacturers so that there is tight control over getting the right information to the right parties at the right time.”

Among vulnerabilities that can be reported to MD-VIPER are any medical device cyber flaws that have the potential to cause harm, but have not yet led to actual harm, he says. If a cyber vulnerability has already caused harm, the manufacturer has to go “through a full traditional reporting pathway with the FDA,” he says.

In the interview (see audio link below photo), Nordenberg also discusses:

  • All parties, including independent researchers, who can report vulnerabilities using MD-VIPER;
  • Another collaboration involving MDISS and NH-ISAC: the National Medical Device Cyber Surveillance and Safety Network;
  • What the MDISS and NH-ISAC medical device cyber surveillance effort has in common with other public health and population health surveillance activities.

In addition to his role leading the MDISS, Nordenberg, a pediatrician, is CEO of the consulting firm Novasano Health and Science. He was a member of the Health IT Standards Committee of the Department of Health and Human Services’ Office of the National Coordinator for Health IT as well as the FDA’s National Evaluation System for Technology Planning Board. He also co-chairs the recently launched Medical Device Security Information Sharing Council for the NH-ISAC.

Source: SANS ISC SecNewsFeed @ February 20, 2017 at 09:39AM

0
Share