Cybersecurity Practices for Health Care Organizations - RJ BLANCHARD BENEFIT SERVICES

Page 92

Table 12 provides a general rule for the response timeframes (including interim compensating controls) for medical device vulnerabilities; this general rule is in line with expectations in the Postmarket Management of Cybersecurity for Medical Devices guidance.

Table 12. Timeframes for Resolving Medical Device Vulnerabilities

Vulnerability Criticality | Action | Days
Uncontrolled Risk | Vendor communicates to HDO; HDO determines interim mitigation step | 30 days
Uncontrolled Risk | Vendor produces a risk remediation solution; HDO implements solution | 60 days
Controlled Risk | As defined by routine patching and preventative maintenance |

Software bill of materials (SBOM) and vulnerability lookups: Using SBOMs registered in the organization's ITAM, the HDO can compare data from the NVD against data in the organization's software libraries. This comparison gives the HDO a view of the current potential vulnerability posture of its medical devices. A simple search of the NVD can be conducted through the web interface at https://nvd.nist.gov/vuln/search. This search tool allows HDOs to look up vulnerabilities in products they currently have, and it does not require SBOM material to be preregistered.
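The SBOM-to-NVD comparison and the Table 12 timeframes, as an added example that is not part of the original document: it matches a constructed SBOM fragment against constructed NVD-style records (placeholder vendor names and CVE ids, version ranges in the same versionStartIncluding/versionEndExcluding form NVD match data uses) and then assigns the 30-day and 60-day deadlines, assuming both count from the date the vendor notified the HDO.

```python
from datetime import date, timedelta

# Constructed SBOM fragment (CycloneDX-like fields); vendor/product names are placeholders.
SBOM = [
    {"name": "example-dicom-lib", "version": "2.3.1", "cpe": "cpe:2.3:a:examplevendor:example-dicom-lib"},
    {"name": "example-tls", "version": "1.0.2", "cpe": "cpe:2.3:a:examplevendor:example-tls"},
    {"name": "example-webui", "version": "4.1", "cpe": "cpe:2.3:a:examplevendor:example-webui"},
]

# Constructed NVD-style records with placeholder CVE ids. The range fields mirror the
# versionStartIncluding / versionEndExcluding keys found in NVD CPE match data.
NVD_RECORDS = [
    {"id": "CVE-0000-0001", "cpe": "cpe:2.3:a:examplevendor:example-dicom-lib",
     "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.4.0"},
    {"id": "CVE-0000-0002", "cpe": "cpe:2.3:a:examplevendor:example-tls",
     "versionStartIncluding": "1.1.0", "versionEndExcluding": "1.1.5"},
    {"id": "CVE-0000-0003", "cpe": "cpe:2.3:a:examplevendor:example-webui",
     "versionStartIncluding": "4.0", "versionEndExcluding": "4.2"},
]

def vtuple(version):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int("".join(ch for ch in part if ch.isdigit()) or 0) for part in version.split("."))

def in_range(version, rec):
    """True when version falls inside the record's [start, end) range; a missing bound is open."""
    v = vtuple(version)
    start, end = rec.get("versionStartIncluding"), rec.get("versionEndExcluding")
    return (start is None or vtuple(start) <= v) and (end is None or v < vtuple(end))

def match_sbom(sbom, records):
    """Return (component, version, cve_id) for every SBOM entry an NVD record applies to."""
    hits = []
    for comp in sbom:
        for rec in records:
            if comp["cpe"] == rec["cpe"] and in_range(comp["version"], rec):
                hits.append((comp["name"], comp["version"], rec["id"]))
    return hits

def table12_deadlines(notified_on, criticality):
    """Apply Table 12: uncontrolled risk gets 30-day interim mitigation and 60-day remediation
    deadlines (assumed to count from the vendor notification date, ISO string in/out);
    controlled risk follows the routine patching cycle."""
    start = date.fromisoformat(notified_on)
    if criticality == "uncontrolled":
        return {"interim_mitigation_due": (start + timedelta(days=30)).isoformat(),
                "remediation_due": (start + timedelta(days=60)).isoformat()}
    return {"schedule": "routine patching and preventative maintenance"}
```

Against a real NVD export, the same comparison applies once the SBOM components carry CPE identifiers; the example-tls entry is deliberately below the affected range and so is not reported.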

Vulnerability scanning: The final action that an HDO can take to understand its vulnerability posture is to conduct vulnerability scans against the medical devices. WARNING: UNLESS APPROVED BY THE DEVICE VENDORS, THIS ACTION SHOULD BE TAKEN WITH EXTREME CAUTION DUE TO THE POTENTIAL IMPACTS ON MEDICAL DEVICES WITHIN THE PRODUCTION ENVIRONMENT. HDOS SHOULD NOT ATTEMPT TO CONDUCT VULNERABILITY SCANS UNLESS ABSOLUTELY CERTAIN THAT THE MEDICAL DEVICE IS NOT IN PRODUCTION, IS NOT CURRENTLY IMPLEMENTED IN A CLINICAL SETTING, AND IS NOT CONNECTED TO A PATIENT. There are two opportune times to conduct vulnerability scans against medical devices:

- When the device is first procured and tested before deployment in the production environment
- When a device is taken offline for preventative maintenance and routine patching

In both scenarios, it is important for the device to be in a highly controlled setting and not connected to a patient. A vulnerability scan can be configured to profile the device and determine whether potential vulnerabilities exist, or to confirm that vulnerabilities have been mitigated as part of a remediation or patching plan.
