Coordinated Vulnerability Disclosure 101

Coordinated Vulnerability Disclosure (CVD) is a structured process in which vulnerabilities are reported to the responsible organization so that they can be diagnosed and remediated before details are released to third parties or the public. The process comprises the coordination between the reporting parties and the organization on the timing of both remediation and publication of the vulnerability.

This blog post will explore the basics of CVD and what you need to be aware of. 

What makes CVD so important?

With the cybersecurity industry moving toward a harmonized approach to regulation and secure practices, information sharing has become a vital tool for combating threats and mitigating vulnerabilities across sectors, and particularly in healthcare.

Information sharing is useful in a number of ways, and it helps ensure that all affected parties are well informed about the risks they face. Examples of information worth sharing include:

  • Which products are at risk and how they are affected
  • Vulnerabilities in components that are also used in other products
  • IT equipment that may be affecting the security of medical devices
  • The latest attacks and how they may develop into exploitation
  • Incident confirmation (e.g., “Are you also seeing this?”)
  • Patch availability and secure alternatives

When shared openly between the affected organizations, each of these helps contribute to a more unified approach to effective cybersecurity and the protection of sensitive information. CVD should be part of a Medical Device Manufacturer’s (MDM’s) proactive approach to patient health and safety through device cybersecurity.

What should medical device manufacturers do?

The first step for MDMs is to monitor cybersecurity information sources in order to identify and detect potential vulnerabilities and risks early. This should be followed by adopting a CVD policy and practice, for example as recommended in ISO/IEC 29147 (vulnerability disclosure), including acknowledging receipt of a vulnerability report within a defined time frame.

The second step is to establish a communication process for vulnerability intake and handling in line with ISO/IEC 30111 (vulnerability handling processes). MDMs should then assess each reported vulnerability against an established security and risk assessment methodology. One example is the Common Vulnerability Scoring System (CVSS), which captures the principal characteristics of a vulnerability and produces a numerical score from 0 to 10 that reflects its technical severity. Note that the CVSS base score is independent of where the device is deployed and says nothing about clinical impact, so it should inform, not replace, the MDM’s own patient-safety risk assessment.

Lastly, remediation and mitigation measures, including compensating controls, should be established, together with a way to report deployment failures and roll back a failed change. Engaging with regulators and communicating with the relevant stakeholders will raise awareness of forthcoming vulnerability disclosures. Such communication should cover the scope, impact and risk assessment based on the MDM’s current understanding, and describe the mitigations or compensating controls available.

What are the regulatory requirements for CVD?

Each of the regulations enforces a similar approach to CVD. The table below will help you identify the requirements of each.

[Table: Coordinated Vulnerability Disclosure (CVD) requirements per medical device regulation]

What is included in the total product lifecycle management plan?

A Total Product Lifecycle (TPLC) plan should be developed before the medical device enters the market, in order to monitor and respond to emerging and ongoing cybersecurity threats. It should apply throughout the device’s lifecycle and include:

  • TPLC vigilance: proactively monitoring for and identifying newly discovered cybersecurity vulnerabilities, assessing the threat they pose and responding.
  • Vulnerability disclosure: the formalized process of gathering information and developing mitigation and remediation strategies. The resulting report is then shared with the relevant stakeholders.
  • Updates: how software updates will preserve the ongoing safety and performance of the device, delivered either on a regular schedule or as part of a response.
  • Remediation: the fixes and mitigations that accompany those updates and keep the device safe, likewise carried out either regularly or as part of a response.
  • A recovery plan, preferably for both the user and the manufacturer, in case the device needs to be restored to normal operation after a cyber incident.
  • Information sharing, encouraged through Information Sharing and Analysis Centers (ISACs) or Information Sharing and Analysis Organizations (ISAOs). These organizations and communities promote communication about security threats and vulnerabilities.

What does remediation involve?

Remediation is the process of mitigating and resolving vulnerabilities before they cause harm through the medical device. Conducting vulnerability remediation is essential to reducing the risk of patient harm.

The main points to be aware of include:

  • A resolution timeline stating when a fix will be made available
  • A resolution mechanism detailing how and when the patch will be deployed
  • Interim mitigation measures describing the compensating controls and actions to be taken until a permanent fix is available

It is in the MDM’s best interest to include the remediation strategy as part of its incident response plan and to review it regularly.

How do you prepare an incident response?

MDMs should prepare for cybersecurity incidents and events that may affect their products, their customers and, in particular, patients. They should therefore establish an incident response management policy, based on their product portfolio, for use by their incident response team.

The table below highlights the steps needed to comply with ISO/IEC 27035 (information security incident management).

[Table: Coordinated Vulnerability Disclosure (CVD) incident management process for medical devices]

How does CVD interact with the NIS2 proposal?

In December 2020, the European Commission proposed NIS2, and on 13 May 2022 the European Parliament and the EU member states reached a political agreement on it.

The revised directive is intended to strengthen cybersecurity regulation in Europe. Part of it also establishes a framework for CVD and requires member states to designate Computer Security Incident Response Teams (CSIRTs) as coordinators that act as trusted intermediaries and facilitate the interaction between the reporting party and the manufacturer or provider of the affected ICT products or services, which includes MDMs.

According to Article 26 of the NIS2 proposal (the provision was renumbered in the adopted directive), member states must ensure that essential and important entities can exchange relevant cybersecurity information among themselves, in particular information on cyber threats, vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools.

Do you have additional questions?

CVD is a relatively new subject for many MDMs, and a number of questions come up repeatedly:

  • How do you capture and investigate vulnerabilities effectively when their number increases year on year?
  • How can you communicate new patches and mitigations efficiently to numerous clients at once and ensure they take action?
  • How can you reassure Healthcare Delivery Organizations (HDOs) and Health Care Professionals (HCPs) when a vulnerability makes public headlines but does not affect the MDM’s product line?

To address these issues and the shortage of specialized personnel, Irdeto recently launched a vulnerability disclosure service that handles the process of investigating, confirming and resolving reported vulnerabilities. The service streamlines the process, closely follows the regulations and saves the cost of an internal security disclosure team.

Reach out to us and we will be happy to answer these and any others you may have.