Executive Order 13691 – Promoting Private Sector Cybersecurity Information Sharing - encourages the development of Information Sharing Analysis Organizations (ISAOs), to serve as focal points for cybersecurity information sharing.
ISAO's are employed for the purpose of:
MedISAO understands the regulatory, safety, and business needs of the medical device industry. Our analysis, best-practices and information sharing is targeted directly to small-to-medium sized medical device manufacturers and service providers. Our community is dedicated to sharing relevant information on best practices, new threats and vulnerabilities.
Members of MedISAO get a head start in complying with cybersecurity guidances, real-time access to cybersecurity threats, tools and training from cybersecurity experts, and networking opportunities with other members.
MedISAO member organizations can avoid costly reporting procedures (21 CFR 806) when cyber vulnerabilities are discovered in the field, as long as certain conditions are met.
Member organizations can use MedISAO's Coordinated Vulnerability Disclosure process, which fulfills a key tenet of the FDA's Guidance on Postmarket Management of Cybersecurity in Medical Devices.
See our pricing page.
MedISAO's mission is to make everyone safer, by helping medical device manufacturers increase the security of their devices. In pursuit of this mission, MedISAO is committed to keeping membership fees low, so that small organizations can join.
Sponsor memberships help us to continue to focus on our mission, maintain our security processes, and produce cybersecurity training materials for all of our members.
Companies can avoid costly corrective action reporting requirements (21 CFR 806) by reporting vulnerabilities directly to MedISAO. However, this may cause concern that MedISAO does not adequately protect confidentional information of its members.
Any member that shares information with MedISAO will specify the level of visibility of that information using a "Traffic Light Protocol", based on the familiar concepts of green/yellow/red:
All confidential information is submitted on our secure webform (using the same TLS encryption as bank websites) and is stored in encrypted storage on our servers.
Alternatively, members can submit information via email with PGP encryption. Click here for our PGP public key.
Payment information is securely stored offsite via Stripe.
MedISAO runs a Coordinated Vulnerability Disclosure Program free for our members.
Report a vulnerability here, and we will share it securely with the affected member organization.
There are no minimum participation requirements for members, but obviously we encourage all members, individual and organizational, to participate and contribute as much as possible.
Specifically, we encourage members to: