MDIC Releases Report on Medical Device Cybersecurity, Advancing Coordinated Vulnerability Disclosure

ARLINGTON, Va. – The Medical Device Innovation Consortium (MDIC) today released a report encouraging the adoption of coordinated vulnerability disclosure (CVD) policies by medical device manufacturers (MDMs) in an effort to promote medical device cybersecurity and patient safety.

“This paper advances an incredibly important topic in medical device cybersecurity—the adoption of coordinated vulnerability disclosure policies and processes,” said Dr. Suzanne Schwartz, associate director for science and strategic partnerships at the FDA’s Center for Devices and Radiological Health. “The FDA appreciated the opportunity to work with MDIC in developing this paper to better understand the barriers impeding adoption and to help influence conversations among medical device manufacturers about the value of working with security researchers and others who identify vulnerabilities so that the cybersecurity risk to products can be addressed in a timely and coordinated manner.”

MDIC collaborated with Debevoise & Plimpton LLP and Alvarez & Marsal on the creation of the medical device cybersecurity report, which addresses the importance of CVD policies for MDMs and stakeholders across the medical device ecosystem, including the creation of publicly available online portals to solicit vulnerability information. The report is based on feedback obtained during interviews with large and small medical device companies, leading security researchers, representatives of medical device trade associations, and FDA officials. It also includes an assessment of publicly available information issued by FDA and other stakeholders.

“This report encourages companies to leverage the benefits of a defined disclosure process as we work with critical stakeholders to advance medical device product security,” says Randy Schiestl, vice president of R&D at Boston Scientific Corporation and member of MDIC’s Board of Directors and Cybersecurity Steering Committee. “The report provides unique insights from many perspectives, including legal, for embracing coordinated disclosure.”

Medical device cybersecurity issues can be highly complex and fact-specific and therefore should be assessed by each MDM on a case-by-case basis with experienced legal counsel, taking into consideration a wide array of issues, including the specific product and related technology at issue. The cybersecurity report is intended to be used solely for informational purposes to promote and inform cybersecurity discussions among stakeholders in the medical device ecosystem.

“MDIC is focused on making meaningful contributions to advance medical device cybersecurity,” says Pamela Goldberg, CEO and president of MDIC. “The information in the report will better position medical device companies to establish their own cybersecurity portal systems as mechanisms for detecting cybersecurity threats, as well as aiding in their response process.”

The report is accessible online by visiting

About the Medical Device Innovation Consortium

Founded in 2012, the Medical Device Innovation Consortium (MDIC) is the first public-private partnership created with the sole objective of advancing medical device regulatory science throughout the total product life cycle. MDIC’s mission is to promote public health through science and technology and to enhance trust and confidence among stakeholders. MDIC works in the pre-competitive space to facilitate the development of methods, tools, and approaches that enhance understanding and improve evaluation of product safety, quality, and effectiveness. Its initiatives aim to improve product safety and patient access to cutting-edge medical technology while reducing cost and time to market. For more information, visit


Medical Device Innovation Consortium
Leah McConnell, +1 202-900-9099