1 MD-VIPER Medical Device Vulnerability Sharing Stakeholders - - PowerPoint PPT Presentation



SLIDE 1

SLIDE 2

Medical Device Vulnerability Sharing Stakeholders

including manufacturers, healthcare delivery organizations (HDOs), independent security researchers, regulatory agencies, etc.

Benefits – Sharing of:

 reports on known vulnerabilities
 vetting and evaluation of vulnerabilities
 details of actions taken by others to mitigate vulnerabilities
 medical device cybersecurity education, best practices, mitigation strategies

MD-VIPER

SLIDE 3

MD-VIPER Vulnerability Report for Manufacturers

The MD-VIPER Vulnerability Report is designed to serve as an alternate reporting process to FDA’s requirements for 21 CFR Part 806 reporting if cybersecurity vulnerabilities are involved. Manufacturers are not held to 21 CFR Part 806 reporting requirements if:

 the manufacturer is an active participant in an ISAO (such as NH-ISAC)
 the manufacturer is conducting a correction/removal to address a cybersecurity vulnerability
 the cybersecurity vulnerability in question has not led to any known serious injuries or deaths
 the manufacturer will meet the timeline criteria for communicating to its customers and then validating and distributing the deployable fix such that the residual risk is brought to an acceptable level

SLIDE 4

Medical Device Vulnerability Reporting Workflow by Manufacturer

PROVISIONAL: MD-VIPER Vulnerability Report Flow

Start: The manufacturer, a “trusted participant in the MD-VIPER”, determines that it has a MD-VIPER reportable vulnerability (New Report), or has additional or corrected information regarding a previously reported vulnerability (Existing Report).

1. Manufacturer completes and submits the MD-VIPER Manufacturer Vulnerability Report (submitted securely via web), including any amendments, updates & corrections, and indicates if the submission is to be treated as Protected Critical Infrastructure Information (PCII).
2. MD-VIPER validates the submission: Is the submission appropriate/complete?
 No: MD-VIPER requests a clarification submission. The manufacturer is notified that the submitted report needs clarification (given reasons why) and asked to resubmit with clarification.
 Yes: MD-VIPER accepts the submission. The manufacturer automatically receives an e-mail notice that the submission has been accepted and included in the database.
3. The accepted report is stored in the MD-VIPER Vulnerability Report Database (encrypted).
4. Analysis of data by MD-VIPER. Analysis reports are available to interested parties (HDOs, security researchers/consultants) via the MD-VIPER web. Data & submissions (proprietary and patient data redacted) that are not otherwise coded as PCII in the submission are viewable to stakeholders.
5. Manufacturer authorizes Coordinated Disclosure: Coordinated Vulnerability Disclosure to FDA, ICS-CERT, US-CERT and ISAOs/ISACs, using MD-VIPER generated reports that meet data sharing/data confidentiality standards and guidelines.

SLIDE 5

Medical Device Vulnerability Reporting Workflow by Non-manufacturer (researcher, healthcare delivery org, ICS-CERT, patient, etc.)

Start: A 3rd party (non-manufacturer) that is registered in MD-VIPER determines that it has a MD-VIPER reportable vulnerability (New Report), or has additional or corrected information regarding a previously reported vulnerability (Existing Report).

1. 3rd party completes and submits the MD-VIPER 3rd party Vulnerability Report (submitted securely via web), including any amendments, updates & corrections, and indicates if the submission is to be treated as Protected Critical Infrastructure Information (PCII).
2. MD-VIPER validates the submission: Is the submission appropriate/complete?
 No: MD-VIPER requests a clarification submission. The 3rd party is notified that the submitted report needs clarification (given reasons why) and asked to resubmit with clarification.
 Yes: MD-VIPER accepts the submission. The 3rd party and the manufacturer automatically receive an e-mail notice that the submission has been provisionally accepted and included in the database.
3. MD-VIPER database updated.
4. Coordinated Vulnerability Disclosure to FDA, ICS-CERT, US-CERT and ISAOs/ISACs proceeds once the manufacturer authorizes Coordinated Disclosure, using MD-VIPER generated reports that meet data sharing/data confidentiality standards and guidelines.

SLIDE 6

Medical Device Vulnerability Reporting Workflow

PROVISIONAL: MD-VIPER Vulnerability Reports Flow / Sharing

Start: The manufacturer path (Slide 4) and the 3rd party path (Slide 5) each submit a vulnerability report, which MD-VIPER validates (appropriate/complete? No: request clarification submission; Yes: accept) before it enters the database.

Database:
 Accepted manufacturer reports and provisionally accepted 3rd party reports are held in the MD-VIPER Vulnerability Report Database (encrypted).
 The MD-VIPER database is updated with each accepted submission, amendment, update or correction.

Update / Analysis:
 Analysis of data by MD-VIPER.
 Analysis reports available to interested parties (HDOs, security researchers/consultants) via MD-VIPER web.
 Data & submissions (proprietary and patient data redacted) that are not otherwise coded as PCII in submission are viewable to stakeholders.

Sharing:
 Mfg authorizes Coordinated Disclosure.
 Coordinated Vulnerability Disclosure to FDA, ICS-CERT, US-CERT, ISAOs/ISACs.
 MD-VIPER generated reports that meet data sharing/data confidentiality standards and guidelines.

SLIDE 7

MD-VIPER Site Access

START: MD-VIPER site visit.

Guest:
 Enter MD-VIPER (full navigation without data access, input, search, or edit).
 Does visitor want assistance?
 Yes: Visitor given phone # or e-mail to contact MD-VIPER ... or visitor provides own contact info to MD-VIPER staff ... who in turn answer questions and/or provide guidance.
 No: Logout (or autologout).

New Registration:
 Request full access (i.e., register).
 Registration: Complete application including principal contact info, list of additional contact names & e-mails, acceptance of MD-VIPER terms & conditions.
 Approval Process: MD-VIPER contacts requester to provide assistance, validate/approve application and send login names & passwords to e-mail addresses provided.

Existing Registration (MD-VIPER Registration & Login):
 Enter MD-VIPER (full navigation and data input capability but with report search & edit limited to registered MD-VIPER members associated with FDA registered company, i.e., using 7 digit FDA registration no.).
 Logout (or autologout).

SLIDE 8

MD-VIPER Site Access – Member Create / Modify Reports

Registered Member Login: Enter MD-VIPER (full navigation and data input capability but with report search & edit limited to registered MD-VIPER members associated with FDA registered company, i.e., using 7 digit FDA registration no.).

Vulnerability Form (Select Create New or Edit/Append Existing):

Create New Report:
 Enter in new Report No.
 Complete report fields and append files as appropriate.
 Save data frequently (audit log files updated).
 Data Entry & Updates finished: MD-VIPER e-mails confirmation to author with Report No.; e-mail notice sent to MD-VIPER Team.
 Logout (or autologout).

Edit/Append Existing Report:
 Enter existing Report No.
 Is registered user associated with the FDA registered company indicated in the existing report?
 Yes: Edit existing report fields and/or append files as appropriate. Save data frequently (audit log files updated). Data Entry & Updates finished: MD-VIPER e-mails confirmation to author with Report No.; e-mail notice sent to MD-VIPER Team. Logout (or autologout).
 No: Edit is not permitted (report search & edit are limited to registered members associated with the FDA registered company).

SLIDE 9

MD-VIPER Vulnerability Report for Manufacturers

The MD-VIPER Vulnerability Report is designed to serve as an alternate reporting process to FDA’s requirements for 21 CFR Part 806 reporting if cybersecurity vulnerabilities are involved.

 Questions 1-6 and 8-13 on the MD-VIPER report closely map to the questions in Part 806 reports
 Question 7 on the FDA’s 806 report asks for a description of the events leading to the report and any actions taken, while question 7 on the MD-VIPER report asks for details about the cybersecurity aspects of the vulnerability
 Question 14 has been added to the MD-VIPER report to request that those responses to report questions containing information that could be exploited be treated as Protected Critical Infrastructure Information and therefore kept confidential

SLIDE 10

MD-VIPER Vulnerability Report for Manufacturers