
FDA's MD-VIPER to help device stakeholders with cybersecurity vulnerabilities

by Christina Hwang, Contributing Reporter | February 02, 2017
The FDA, alongside the National Health Information Sharing and Analysis Center (NH-ISAC) and the Medical Device Innovation, Safety and Security Consortium (MDISS), recently hosted a webinar to discuss a program called MD-VIPER, and how it supports the FDA’s Postmarket Management of Cybersecurity in Medical Devices Final Guidance.

The Medical Device Vulnerability Intelligence Program for Evaluation and Response, which launched in December of last year in response to the FDA's postmarket guidance, is a community of health care industry stakeholders who collectively evaluate medical device vulnerabilities in order to understand cybersecurity problems.

“We have several goals for this program,” said Jon Crosson, manager of special interest group services at NH-ISAC. “One is to share an evaluation and response service of vulnerabilities when it’s appropriate to do so.”

“The main goal is to support the FDA postmarket guidance and create an open community of medical device cybersecurity stakeholders,” he said. “Additionally, the program hopes to foster situational awareness of medical device threats, best practices and mitigation strategies.”

MD-VIPER is categorized as an information sharing and analysis organization (ISAO), which is any formal or informal entity created or employed by either public or private organizations. The purposes of ISAOs include gathering and analyzing, communicating and disclosing, and voluntarily distributing relevant information.

Dale Nordenberg, executive director of MDISS, said that a key attribute that will help measure the success of the program is the feedback provided by participants.

Manufacturers that encounter a problem can fill out a vulnerability report that collects information about the vulnerability and identifies what action the manufacturer has taken to address the risk of patient harm. In addition, MD-VIPER provides an in-depth strategy for reducing the probability of exploitation and/or the severity of patient harm.

“MD-VIPER would validate the submission, and it would either be accepted, or if there’s any clarification or additional information needed, it would be given back to the manufacturer to clean up the input and then it would be accepted,” said Steve Abrahamson, senior director of product cybersecurity at GE Healthcare.

Manufacturers are not the only ones who can fill out a vulnerability form. Third parties are also able to input information that they have generated and bring that to the attention of the manufacturers.

According to Abrahamson, the benefits of medical device vulnerability reporting include knowing the actions that others have taken to mitigate vulnerabilities.

Once information from the reports is stored in the database, manufacturers who need to address these vulnerabilities with other agencies or organizations are able to use the data for analysis and transparency, said Abrahamson.

The vulnerability report is considered an alternative reporting process to the FDA’s requirements for reporting cybersecurity vulnerabilities.

“Ultimately, we all need to measure our success based on our safety of privacy impact, and recognize that this is not an exclusion of the importance of new innovations … [and] business partners and stakeholders who are developing these important technologies or health care services using these new technologies,” Nordenberg said.

Participation in MD-VIPER is open to all medical device security stakeholders and is free and voluntary, though registration and signing a non-disclosure agreement are necessary.
