The FDA says that it doesn't aim to enforce urgent reporting on vulnerabilities -- if certain conditions are met. These include the important point that no serious issues or deaths are associated with the vulnerability, and that the manufacturer notifies users and improves its product or security enough to reduce (or eliminate) the risk. The draft guidelines add that the company should be part of, and share information with, the Information Sharing Analysis Organization (ISAO), a collaborative group where members pool cybersecurity information and possible risks. "The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices," it said in the statement. "Only when we work collaboratively and openly in a trusted environment, will we be able to best protect patient safety and stay ahead of cybersecurity threats." The draft will be open to feedback for 90 days, then the FDA will follow through with its final recommendations.
[Image credit: springm / Markus Spring/Flickr]