Frequently Asked Questions

What is an ISAO?
Why should I join MedISAO?
How much does it cost?
Why should my organization purchase a "Sponsor" membership?
How does MedISAO protect confidential information?
What are MedISAO's documented policies?
How do I report a vulnerability in a device?
What is expected of members?
Who is MedISAO?

What is an ISAO?

Executive Order 13691 – Promoting Private Sector Cybersecurity Information Sharing - encourages the development of Information Sharing Analysis Organizations (ISAOs), to serve as focal points for cybersecurity information sharing.

ISAO's are employed for the purpose of:

Why should I join MedISAO?

MedISAO understands the regulatory, safety, and business needs of the medical device industry. Our analysis, best-practices and information sharing is targeted directly to small-to-medium sized medical device manufacturers and service providers. Our community is dedicated to sharing relevant information on best practices, new threats and vulnerabilities.

Members of MedISAO get a head start in complying with cybersecurity guidances, real-time access to cybersecurity threats, tools and training from cybersecurity experts, and networking opportunities with other members.

MedISAO member organizations can avoid costly reporting procedures (21 CFR 806) when cyber vulnerabilities are discovered in the field, as long as certain conditions are met.

Member organizations can use MedISAO's Coordinated Vulnerability Disclosure process, which fulfills a key tenet of the FDA's Guidance on Postmarket Management of Cybersecurity in Medical Devices.

How much does it cost?

See our pricing page.

How does MedISAO protect confidential information?

Companies can avoid costly corrective action reporting requirements (21 CFR 806) by reporting vulnerabilities directly to MedISAO.  However, this may cause concern that MedISAO does not adequately protect confidentional information of its members.

Any member that shares information with MedISAO will specify the level of visibility of that information using a "Traffic Light Protocol", based on the familiar concepts of green/yellow/red:

All confidential information is submitted on our secure webform (using the same TLS encryption as bank websites) and is stored in encrypted storage on our servers.

Alternatively, members can submit information via email with PGP encryption.   Click here for our PGP public key.

Payment information is securely stored offsite via Stripe.

What are MedISAO's documented policies?

How do I report a vulnerability in a device?

MedISAO runs a Coordinated Vulnerability Disclosure Program free for our members.

Report a vulnerability here, and we will share it securely with the affected member organization.

What is expected of members?

There are no minimum participation requirements for members, but obviously we encourage all members, individual and organizational, to participate and contribute as much as possible.

Specifically, we encourage members to:

Who is MedISAO?

MedISAO does not publish a complete list of member organizations, but you can see a partial list of members on the home page.

MedISAO is organized by Promenade Software, a medical device software company.

Learn about medical device cybersecurity

Subscribe to our email list for lessons, guides, and news.

We won't send you spam. Unsubscribe at any time.