MedISAO is an information sharing and analysis organization

MedISAO supports small and medium medical device manufacturers with meeting FDA postmarket requirements and enabling cybersecurity best practices.

Become a member Download brochure

MedISAO FAQs

What is an ISAO?

Executive Order 13691 – Promoting Private Sector Cybersecurity Information Sharing - encourages the development of Information Sharing Analysis Organizations (ISAOs), to serve as focal points for cybersecurity information sharing.

ISAO's are employed for the purpose of:

Gathering and analyzing critical cyber and related information in order to better understand security problems and interdependencies related to cyber systems

Communicating or disclosing critical cyber and related information to help prevent, detect, mitigate, or recover from the effects of an interference, compromise, or incapacitation problem related to cyber systems

Voluntarily disseminating critical cyber and related information to its members; federal, state, and local governments; or any other entities that may be of assistance in carrying out the purposes specified above

Why should I join MedISAO?

MedISAO understands the regulatory, safety, and business needs of the medical device industry. Our analysis, best-practices and information sharing is targeted directly to small-to-medium sized medical device manufacturers and service providers. Our community is dedicated to sharing relevant information on best practices, new threats and vulnerabilities. Members of MedISAO get a head start in complying with cybersecurity guidances, real-time access to cybersecurity threats, tools and training from cybersecurity experts, and networking opportunities with other members. MedISAO member organizations can avoid costly reporting procedures (21 CFR 806) when cyber vulnerabilities are discovered in the field, as long as certain conditions are met.Member organizations can use MedISAO's Coordinated Vulnerability Disclosure process, which fulfills a key tenet of the FDA's Guidance on Postmarket Management of Cybersecurity in Medical Devices.

How much does a membership cost?

See our pricing page.

How does MedISAO protect confidential information?

Companies can avoid costly corrective action reporting requirements (21 CFR 806) by reporting vulnerabilities directly to MedISAO. However, this may cause concern that MedISAO does not adequately protect confidential information of its members.

Any member that shares information with MedISAO will specify the level of visibility of that information using a "Traffic Light Protocol", based on the familiar concepts of green/yellow/red:

White: No limits on publication -- can be shared with general public or news organizations

Green: Can be shared with other ISAOs and their members

Amber: Can be shared with organizational members of MedISAO, only if they have signed a NDA

Red: Cannot be shared at all

All confidential information is submitted on our secure webform and is stored in encrypted storage on our servers.

Payment information is securely stored offsite via Stripe.

What are MedISAO's documented policies?

Vulnerability Submission Handling Procedure

Participant Agreement

Mutual Confidentiality Agreement

Privacy Policy

Terms of Use

How do I report a vulnerability in a device?

MedISAO runs a Coordinated Vulnerability Disclosure Program free for our members.

Report a vulnerability, and we will share it securely with the affected member organization.

What is expected of members?

There are no minimum participation requirements for members, but obviously we encourage all members, individual and organizational, to participate and contribute as much as possible.

Who is MedISAO?

MedISAO does not publish a complete list of member organizations. MedISAO is organized by MedCrypt, a healthcare-first cybersecurity company.

By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Preferences Deny Accept

Privacy Preference Center

When you visit websites, they may store or retrieve data in your browser. This storage is often necessary for the basic functionality of the website. The storage may be used for marketing, analytics, and personalization of the site, such as storing your preferences. Privacy is important to us, so you have the option of disabling certain types of storage that may not be necessary for the basic functioning of the website. Blocking categories may impact your experience on the website.

Reject all cookies Allow all cookies

Manage Consent Preferences by Category

Essential

Always Active

These items are required to enable basic website functionality.

Marketing

Essential

These items are used to deliver advertising that is more relevant to you and your interests. They may also be used to limit the number of times you see an advertisement and measure the effectiveness of advertising campaigns. Advertising networks usually place them with the website operator’s permission.

Personalization

Essential

These items allow the website to remember choices you make (such as your user name, language, or the region you are in) and provide enhanced, more personal features. For example, a website may provide you with local weather reports or traffic news by storing data about your current location.

Analytics

Essential

These items help the website operator understand how its website performs, how visitors interact with the site, and whether there may be technical issues. This storage type usually doesn’t collect information that identifies a visitor.

Confirm my preferences and close