In-brief: A website run by the National Health ISAC will serve as a clearing house for information on security vulnerabilities in medical devices, the first of its kind in the US.
A medical device industry group and the Information Security Analysis Center for the healthcare sector, NH-ISAC, have teamed up on a web site that will act as a clearing house for information on medical device security vulnerabilities.
The Medical Device Vulnerability Intelligence Program for Evaluation and Response (MD-VIPER) was created by the Medical Device Security Information Sharing Council (MDSISC), part of the NH-ISAC, and the Medical Device Innovation, Safety & Security (MDISS) Consortium.
The new site is designed to meet the FDA Postmarket regulatory guidance for cybersecurity vulnerability disclosure and reporting released last year and will provide a way to share information on vulnerabilities.
“The web services provide a means for all stakeholders in the medical device community to learn and mature efficient and value-added risk assessment, vulnerability information sharing, and surveillance components of a comprehensive ISAO,” NH-ISAC wrote in a statement on their website.
In addition to sharing information on medical device vulnerabilities, the MD-VIPER program is intended to “create an open community of medical device cybersecurity stakeholders” that includes manufacturers, healthcare delivery organizations (HDOs), independent security researchers, regulatory agencies, and so on, NH-ISAC said. The site will provide awareness of medical device cyber security threats and promote best practices and mitigations for those threats.
Participants are not required to join MD-VIPER, but participation in an ISAO is called for by the FDA’s Postmarket guidance on management of cybersecurity in medical devices.
According to the NH-ISAC website, participants should report vulnerabilities to the MD-VIPER portal as soon as they are verified, and regardless of whether a patch is available. Routine patches and low-priority security issues for which no patch is necessary need not be reported, NH-ISAC said. At the other end of the spectrum, an “exploited vulnerability that has resulted in serious patient harm or death” does not need to be reported, either. Existing FDA guidelines already mandate reporting such issues to that agency, making disclosure to MD-VIPER redundant.*
The FDA published its final postmarket guidance on medical device security in December 2016. Like early drafts of the guidance, the final FDA guidance calls on medical device manufacturers to “implement comprehensive cybersecurity risk management programs” that include a way to handle complaints from customers and researchers, conduct quality audits of postmarket devices, perform software validation and risk analysis on medical devices, and take corrective action to address known flaws.
Medical device manufacturers are advised to adopt a “coordinated vulnerability disclosure policy and practice” akin to what many software firms have implemented in recent years. Device makers are also urged to participate in an information sharing and analysis organization (ISAO) akin to those in the banking, energy and (more recently) automotive sectors. “Postmarket cybersecurity information may originate from an array of sources including independent security researchers, in-house testing, suppliers of software or hardware technology,” the document reads. “Sharing and dissemination of cybersecurity information and intelligence pertaining to vulnerabilities and threats across multiple sectors is integral to a successful postmarket cybersecurity surveillance program.”
Disclosure of security holes in medical devices has become a controversial topic since an August report by the Wall Street firm Muddy Waters Research called on investors to bet against (or “short”) stock in St. Jude Medical. That report was based on research on St. Jude’s products conducted by the independent research firm MedSec. The report set off a steep sell-off in St. Jude’s stock, but also raised concerns about the safety of implanted medical devices and other products.
(*) This paragraph was updated subsequent to publication to clarify confusing wording. PFR 2/21/2017