The two FDA Guidance Documents ucm356190 and ucm482022 on management of cybersecurity in medical devices call for timely implementation of necessary actions to mitigate cybersecurity risks and reduce impact on patients, without specifying any timeframe.
"Manufacturers are required to report uncontrolled vulnerabilities to FDA under 21 CFR 806. FDA does not intend to enforce reporting requirements under CFR 806 if all of the following circumstances are met:
- No known serious adverse events or deaths associated with the vulnerability;
- Manufacturer meets timeline criteria:
  - Within 30 days provides notification to customers, interim control measures, and remediation plan;
  - Within 60 days fixes the vulnerability, validates the change, and distributes the deployable fix to its customers and user community.
- The manufacturer actively participates as a member of an ISAO."
Source: https://www.fda.gov/downloads/MedicalDevices/NewsEvents/WorkshopsConferences/UCM606827.pdf
See also:
https://www.fda.gov/downloads/Training/CDRHLearn/UCM537944.pdf
https://mdviper.org/
https://mdviper.org/cybersecurity-vulnerabilities-reporting-process/fda-foundational-guidance/
Hope this helps.
------------------------------
Homi Dalal RAC
Regulatory Affairs Leader
Christchurch
New Zealand
------------------------------
Original Message:
Sent: 16-Nov-2018 09:52
From: Jane Keathley
Subject: Vulnerability Assessment of IT Systems - Medical Device Industry
You might find the NIST Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 helpful, as well: (https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf)
------------------------------
Jane Keathley
Principal Consultant
Earlysville VA
United States
Original Message:
Sent: 14-Nov-2018 09:08
From: Anonymous Member
Subject: Vulnerability Assessment of IT Systems - Medical Device Industry
This message was posted by a user wishing to remain anonymous
Good day!
Does anyone know of a standard, or guidance document, that identifies a specific/recommended time-frame for conducting a formal Vulnerability Assessment on in-house computer/IT systems?
I work for a small US medical device manufacturer/distributor (to US and CA only), and I'm having trouble finding a definitive answer. I have read and understand how it should be an "ongoing", and "living", process, but I am trying to pin down whether there is a formal time-frame that we should be aware of.
Any help or direction is greatly appreciated.