top of page

IRVINE, Calif., Oct. 4, 2018 /PRNewswire/ -- MedISAO, a leading Information Sharing and Analysis Organization dedicated to medical device manufacturers, announced today that it has entered a memorandum of understanding with the U.S Food and Drug Administration (FDA)'s Center for Devices and Radiological Health (CDRH) and the National Health Information Sharing & Analysis Center, Inc. (NH-ISAC). MedISAO, the FDA and NH-ISAC have a shared interest in encouraging the identification, mitigation, and prevention of cybersecurity threats to medical devices.

Full Article:

31 views0 comments
14 views0 comments

Does your organization have a Coordinated Vulnerability Disclosure Process as advised by the FDA's Postmarket Cybersecurity Guidance?

MedISAO can take care of that for you!   We recently launched a Coordinated Vulnerability Disclosure (CVD) program that can get you started, or augment your already established process.        

What does it mean to be a part of this program?

MedISAO will act as a Coordinator for your Organization as defined in ISO/IEC 29147. It will host a form herewhere security researchers can submit vulnerability reports, and will forward those reports to your organization. On your organization's website and in documentation, you should direct users to this form as one of the accepted ways of submitting vulnerability information. Once the vulnerability has been verified and resolved or rejected by your organization, MedISAO will inform the reporter of actions taken, and disseminate advisories about the fix through its standard advisory process.

How can I sign up?

Email with your MedISAO username to start the process.

Are there any costs associated with this program?

The Coordinated Vulnerability Disclosure program is free for all organizational members.        

Does this mean I don't need to set up a Vulnerability Handling Program at my organization?

You still need to set up an internal vulnerability handling program at your organization that will handle vulnerability verification and response. For reference see  ISO/IEC 30111:2013 or  MedISAO's guide for how to set up a policy at your organization. If you need more help you can email us at any time.

My organization already has an established Coordinated Vulnerability Disclosure Process. Should I still join MedISAO's program?

Yes! In addition to your already established process, MedISAO can serve as an additional avenue for receiving vulnerability information.

634 views0 comments
bottom of page