The National Health Information Sharing and Analysis Center (NH-ISAC) and the Medical Device Innovation, Safety and Security Consortium (MDISS) Tuesday released a statement encouraging medical device researchers to comply with ISO/IEC standards and US Food & Drug Administration (FDA) recommendations on vulnerability disclosure.
The announcement comes in the wake of security research firm MedSec's controversial decision to partner with Muddy Waters to short-sell stock on medical device manufacturer St. Jude Medical. MedSec, via Muddy Waters, revealed only vague information about severe vulnerabilities in the company's implantable cardiac devices, rather than reporting the complete details of those vulnerabilities to the manufacturer or to the FDA or ICS-CERT (which are the official handlers of medical device safety and cybersecurity complaints/investigations).
Dr. Dale Nordenberg, Executive Director of MDISS, stated in the release, that “when identifying security vulnerabilities that may pose a risk to patients, it is critical that medical device researchers provide detailed engineering methods to support a timely collaborative peer review process by manufacturers, ICS-CERT, and the FDA of any potential medical device vulnerability.”
The FDA laid out its draft guidance for "Postmarket Management of Cybersecurity in Medical Devices" in January. NH-ISAC and MDISS will hold an educational workshop about these new FDA guidelines later this month in Minnesota; the workshop will be hosted by St. Jude Medical.