CyberMed
ServicesSoftware DHFCyberSprintEventsResourcesGuideAboutContactBook a CallGet The Guide

Customer Communication

Post-Market Security Management · 2 min read

Customer communication for device security runs on advisories: clear, timely notices that name the affected products and versions, describe the vulnerability and its clinical impact, and tell customers exactly what to do. Notification speed scales with risk, from 24 hours for actively exploited critical issues down to the next update cycle for low-risk findings.

5.8.1 Building Your Communication Strategy

Effective communication can make the difference between orderly patching and chaos.

Communication Channels

Primary:

  • Email to security contacts
  • Customer portal notifications
  • Field service bulletins

Secondary:

  • Website security page
  • RSS feeds
  • Social media (carefully)

Emergency:

  • Phone calls for critical
  • On-site visits if needed
  • Regulatory coordination

5.8.2 Crafting Security Advisories

Your advisories should be clear, actionable, and timely:

Advisory Template:

# Security Advisory: SA-2024-001

## Summary
A vulnerability has been identified in [Device Name] that could 
allow [brief description]. This advisory provides guidance on 
assessing impact and applying available mitigations.

## Affected Products
- [Device Name] versions 1.0 through 2.5
- [Device Name] Lite all versions before 3.0

## Vulnerability Details
CVE-ID: CVE-2024-12345
CVSS Score: 7.5 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

## Impact
If exploited, this vulnerability could allow an attacker to 
[specific impact]. In medical device context, this might result 
in [clinical impact].

## Mitigation
Patches are available:
- Version 2.6 for [Device Name]
- Version 3.0 for [Device Name] Lite

Temporary mitigation:
- Implement network segmentation
- Disable [specific feature] if not required

## Timeline
- 2024-01-15: Vulnerability reported
- 2024-01-30: Patch developed
- 2024-02-15: Customer notification

## Credit
We thank [Researcher Name] for responsible disclosure.

## Contact
Email: security@manufacturer.com
Support: 1-800-xxx-xxxx

5.8.3 Customer Notification Timelines

Base your timeline on risk and exploitability:

Risk Level Exploitation Notification Time
Critical Active 24 hours
Critical Possible 48-72 hours
High Any 5 business days
Medium Any 30 days
Low Any Next update cycle

5.8.4 Supporting Customer Response

Help customers implement fixes:

Provide:

  • Clear instructions
  • Risk assessment tools
  • Patch deployment guides
  • Validation procedures
  • Rollback instructions

Support:

  • Technical hotline
  • Implementation assistance
  • Q&A documents
  • Webinars for complex issues

See how your device measures up

Take the free FDA 524B readiness assessment and get a personalized gap report covering this topic and more.

Check Your Readiness