Today the Food and Drug Administration (FDA) published a meeting notice in the Federal Register (80 FR 76022-76025) for a public workshop entitled “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity”. The two-day workshop will be held in Silver Spring, MD on January 20-21, 2016. The workshop will be webcast.
According to the meeting notice, the FDA, in conjunction with the National Health Information Sharing Analysis Center (NH-ISAC), the Department of Health and Human Services, and the Department of Homeland Security, wishes to address the following questions related to coordinated disclosure:
• How might the stakeholder community create incentives to encourage stakeholder participation?
• What do individual stakeholders need to understand and be aware of regarding coordinated disclosure?
• What current tools and models presently exist that may aid stakeholders in implementing disclosure and vulnerability management?
• How can the security researcher community work in collaboration with HPH stakeholders to identify, assess, and mitigate vulnerabilities?
Additional topics of interest include:
• Sharing FDA's current thinking on the implementation of the Framework in the medical device total product lifecycle.
• Adapting cybersecurity and/or risk assessment tools such as CVSS for the medical device operational environment.
• Adapting and/or implementing existing cybersecurity standards for medical devices.
• Understanding the challenges that manufacturers face as they increase collaboration with external third parties (cybersecurity researchers, ISAOs, and end users), to resolve cybersecurity vulnerabilities that impact their devices.
• Gaining situational awareness of the current activities in the HPH sector to enhance medical device cybersecurity.
• Identifying cybersecurity gaps and challenges that persist in the medical device ecosystem and begin crafting action plans to address them.
Those wishing to attend the workshop in person may register on-line. Early registration is recommended due to the limited seating at the venue.
Registration is not required for the webcast, but the webcast link will not be available until January 13, 2016.
The FDA is soliciting public comments on the topics to be covered in the workshop. Written comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # FDA-2014-N-1286). Comments will be accepted until February 22, 2016.
The one thing that looks to be missing from this workshop is a discussion of how reported cybersecurity vulnerabilities will be related to device recalls. More on this in a later blog post.