Regulatory Open Forum

  • 1.  Vulnerability Assessment of IT Systems - Medical Device Industry

    This message was posted by a user wishing to remain anonymous
    Posted 14-Nov-2018 09:14

    Good day!

    Does anyone know of a standard, or guidance document, that identifies a specific/recommended time-frame for conducting a formal Vulnerability Assessment on in-house computer/IT systems?  

    I work for a small US medical device manufacturer/distributor (to US and CA only), and I'm having trouble finding a definitive answer. I have read and understand how it should be an "ongoing", and "living", process, but I am trying to pin down whether there is a formal time-frame that we should be aware of.

    Any help or direction is greatly appreciated. 


  • 2.  RE: Vulnerability Assessment of IT Systems - Medical Device Industry

    Posted 15-Nov-2018 04:09
    I am not aware of a specific requirement for this, but would recommend reviewing ISO 27001 for Information Security System and also ISO 22301 for Business Continuity.  These standards definitely talk about doing assessments of the systems: vulnerability, restoration, back-up, controls, access, etc., but not sure if there is a timeframe for that.

    ------------------------------
    Richard Vincins RAC
    Vice President Global Regulatory Affairs
    ------------------------------



  • 3.  RE: Vulnerability Assessment of IT Systems - Medical Device Industry

    This message was posted by a user wishing to remain anonymous
    Posted 15-Nov-2018 08:18

    Wonderful - Thank you so much for these references!  I will start reviewing right away.


  • 4.  RE: Vulnerability Assessment of IT Systems - Medical Device Industry

    Posted 15-Nov-2018 13:46
    Hi Anonymous,

    I am NOT an expert, but I remember trying to set up something similar as part of a HIPAA program at a previous company.

    A little googling found this reference to performing the scans quarterly.

    Disclaimer: I have only a hand-wavy understanding of this side of things and sent it over the wall to the IT department. So take this with a huge grain of salt. 

    PCI Requirement 11: Vulnerability Scans and Penetration Tests (SecurityMetrics)



    ------------------------------
    Karen Long RAC
    Vancouver BC
    Canada
    ------------------------------



  • 5.  RE: Vulnerability Assessment of IT Systems - Medical Device Industry

    Posted 16-Nov-2018 09:53
    You might find the NIST Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 helpful, as well: (https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf)


    ------------------------------
    Jane Keathley
    Principal Consultant
    Earlysville VA
    United States
    ------------------------------



  • 6.  RE: Vulnerability Assessment of IT Systems - Medical Device Industry

    Posted 18-Nov-2018 16:32
    The two FDA Guidance Documents ucm356190 and ucm482022 on management of cybersecurity in medical devices call for timely implementation of necessary actions to mitigate cybersecurity risks and reduce impact on patients without specifying any timeframe.


    "Manufacturers are required to report uncontrolled vulnerabilities to FDA under 21 CFR 806.

    FDA does not intend to enforce reporting requirements under CFR 806 if all of the following circumstances are met:

    • No known serious adverse events or deaths associated with the vulnerability;
    • Manufacturer meets timeline criteria:
              - Within 30 days provides notification to customers, interim control measures, and remediation plan
              - Within 60 days fixes the vulnerability, validates the change, and distributes the deployable fix to its customers and user community.
    • The manufacturer actively participates as a member of an ISAO."

    Source: https://www.fda.gov/downloads/MedicalDevices/NewsEvents/WorkshopsConferences/UCM606827.pdf

    See also:

    https://www.fda.gov/downloads/Training/CDRHLearn/UCM537944.pdf

    https://mdviper.org/

    https://mdviper.org/cybersecurity-vulnerabilities-reporting-process/fda-foundational-guidance/

    Hope this helps.



    ------------------------------
    Homi Dalal RAC
    Regulatory Affairs Leader
    Christchurch
    New Zealand
    ------------------------------



  • 7.  RE: Vulnerability Assessment of IT Systems - Medical Device Industry

    This message was posted by a user wishing to remain anonymous
    Posted 19-Nov-2018 09:03

    Wonderful information - thank you so much!


  • 8.  RE: Vulnerability Assessment of IT Systems - Medical Device Industry

    This message was posted by a user wishing to remain anonymous
    Posted 19-Nov-2018 09:04

    Thank you!