By Melissa Lyder
The Manufacturer Disclosure Statement for Medical Device Security, or MDS2, was originally created in response to changes made in 2003 to the Health Insurance Portability and Accountability Act, commonly known as HIPAA. Its role has grown since then: it is now a primary resource that HTM (healthcare technology management) professionals use to make informed decisions about the security of their medical devices.
In 2003, HIPAA was expanded to require the security of protected health information (PHI): the integrity, availability and confidentiality of information such as patient names, addresses, Social Security numbers and dates of birth. Because medical devices often contain PHI, the changes to HIPAA created a legal need to secure them.
Initially, this was done by hospitals reaching out to every manufacturer and requesting information. The information received was specific to each device and its unique capabilities. However, a large amount of information is needed to span all aspects of cybersecurity, and requesting it from each manufacturer separately was tedious and inefficient. Thus, the Medical Device Security Workgroup was convened by HIMSS (Healthcare Information and Management Systems Society) in 2004, with representatives from device manufacturers, regulatory agencies, health care providers and subject matter experts present. All parties gathered with the goal of forming a standard process for communication between users and manufacturers regarding the security of medical devices. They drafted the MDS2, which was released in 2004. The form was a comprehensive list of questions detailing the cybersecurity of a medical device. The device's manufacturer fills out the MDS2 and provides it to the health care facility upon request. It became a standardized way to communicate a large amount of data to different users, and a way for hospitals to keep track of the security of their many devices.
Today’s MDS2 (ANSI/NEMA HN 1-2019 MDS2) was released in 2019. It was revised by the National Electrical Manufacturers Association (NEMA) and the Medical Imaging & Technology Alliance (MITA). The MDS2 is split into 23 sections covering a variety of security controls, with 216 questions answered in total.

The MDS2 details how data is stored and transmitted. Whether wirelessly or through a variety of physical mechanisms, every method of transmitting data is accounted for in the questions. While all 216 questions are important in ensuring the security of medical devices, some are more relevant to purchasing the device and some to maintaining it. For example: Do service technicians have accounts? What permissions do they have? Can they install software patches? Can they do so remotely? Do they have access to the hard drive? Questions of this nature spell out the risks involved in maintaining the specific device.
The MDS2 has a section entitled Software Bill of Materials, often referred to as the SBOM. The SBOM is a separate document that serves as another integral source for acquiring, installing and maintaining the cybersecurity of medical devices. The device’s SBOM lists all software components incorporated into the device: it is an inventory of every library and package in the application and the specifics of their usage. This is particularly important for remaining aware of open-source or third-party code, in which vulnerabilities can emerge if it is not properly maintained. Third-party material may be outside the vendor's control, making it difficult to secure.
The SBOM is a resource for reviewing the security of the software before purchasing. It also provides insight for maintaining cybersecurity afterwards, since vulnerabilities in the device’s components may arise at any time. The device’s SBOM serves as a one-sheet, a quick reference for identifying and remediating a security risk.
It is important to note that the MDS2 and SBOM provide static information; understanding what the devices are doing in real time still requires monitoring of network traffic. Both are nonetheless vital resources in device cybersecurity. A common use of the documents is to track software versions. The MDS2 records exactly which versions the device is running. When security risks or software bugs are announced, they are often identified by the operating system the software runs on, and they can be remediated by updating the software or patching the specific vulnerability. The reliable, simple way to ensure that every device running that specific operating system is remediated is to refer to the SBOM.
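The following Python script is an added example, not code from the article or from any device vendor: it performs the SBOM lookup described above. Given a constructed inventory of per-device SBOMs in CycloneDX-style JSON (an assumed format; the article names none) and an advisory naming a component and the version that fixes it, it returns the devices that still need remediation. The asset tags, component versions and the advisory are constructed sample data.

```python
import json
import re
from typing import Dict, List

# Constructed SBOMs in CycloneDX-style JSON (the article names no format, so
# this layout is an assumption). One entry per device, keyed by asset tag.
DEVICE_SBOMS: Dict[str, str] = {
    "INFUSION-PUMP-0412": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"type": "operating-system", "name": "Windows Embedded", "version": "8.1"},
        {"type": "library", "name": "openssl", "version": "1.1.1k"}]}),
    "CT-SCANNER-0007": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"type": "operating-system", "name": "Windows Embedded", "version": "8.1"},
        {"type": "library", "name": "openssl", "version": "3.0.8"}]}),
    "PATIENT-MONITOR-0199": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"type": "operating-system", "name": "Linux", "version": "5.10"},
        {"type": "library", "name": "openssl", "version": "1.1.1q"}]}),
}


def parse_version(v: str) -> tuple:
    """Turn '1.1.1k' into ((1,''),(1,''),(1,'k')) so versions sort numerically,
    with a letter suffix breaking ties the way OpenSSL 1.1.1 patch letters do."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"(\d*)(.*)", piece)  # leading digits, then any suffix
        parts.append((int(m.group(1)) if m.group(1) else 0, m.group(2)))
    return tuple(parts)


def affected_devices(sboms: Dict[str, str], component: str, fixed_in: str) -> List[str]:
    """Asset tags whose SBOM lists `component` at a version older than `fixed_in`.
    This is the lookup the article describes: an advisory names a component and
    the version that fixes it; the SBOM inventory tells you which devices to patch."""
    hits = []
    for asset, raw in sboms.items():
        for comp in json.loads(raw).get("components", []):
            if (comp["name"].lower() == component.lower()
                    and parse_version(comp["version"]) < parse_version(fixed_in)):
                hits.append(asset)
                break  # one vulnerable component is enough to flag the device
    return sorted(hits)


if __name__ == "__main__":
    # Constructed advisory: openssl fixed in 1.1.1n. Which devices still need work?
    print(affected_devices(DEVICE_SBOMS, "openssl", "1.1.1n"))
```

The same call with an operating-system name (for example "Windows Embedded" with the fixed version set to the first patched release) answers the article's question of which devices run an affected OS.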
Overall, having this information accessible allows vulnerabilities to be identified before they become active threats, which supports the high level of cybersecurity a reliable health care organization requires. The MDS2 is an essential source of cybersecurity information directly from the device’s manufacturer. The SBOM details the exact components of a specific piece of software and also serves as primary documentation of the device. Both serve as a log of medical device cybersecurity information, and both allow vulnerabilities to be anticipated and resolved before they become active threats; that is what makes the MDS2 and SBOM so useful. As a best practice, HTM should be familiar with their devices’ MDS2 and SBOM and be ready to reference them in the event of a cybersecurity threat.

