By ECRI
Cybersecurity needs ever-increasing attention as the networking and connectivity of medical devices expand. One way to better ensure the cybersecurity of health care equipment is the Manufacturer Disclosure Statement for Medical Device Security, commonly nicknamed the MDS2. It’s a standardized form filled out by medical device manufacturers to communicate information about their devices’ security and privacy characteristics – that is, the devices’ security profile. This information is intended for current device owners and potential buyers, typically healthcare delivery organizations (HDOs).
Notes Chad Waters, senior project officer in ECRI’s Device Evaluation group, “The MDS2 provides an understanding of how a device handles sensitive information and interacts with a health care environment. This can be a helpful tool in procurement and be an aid in the secure implementation of a device.”
About the Form
The MDS2 was developed by the Healthcare Information and Management Systems Society (HIMSS) and the Medical Imaging and Technology Alliance (MITA), the medical device division of the National Electrical Manufacturers Association (NEMA). It is available for free from NEMA’s website.
A manufacturer’s answers to the questions in MDS2 forms can be used to conduct a high-level assessment of a product’s security profile. This can aid in a side-by-side comparison of different models (i.e., identifying high-level differentiators) during procurement. It can also serve as a tool for risk assessment, or to feed a governance, risk and compliance (GRC) system for further analysis. And it can be beneficial in assessing both newly purchased devices and legacy equipment for which an MDS2 form may not have been originally requested.
Currently, most manufacturers provide the form upon request. The form, introduced in 2004, was updated in 2013 and again in 2019. ECRI considers the 2019 version to be a substantial improvement, providing considerably more information. But earlier versions of the MDS2 are still in circulation. For many products, manufacturers are just now starting to complete the 2019 form. For other products, manufacturers may decide not to complete the new form at all, particularly for devices that are no longer being actively marketed.
“Medical device manufacturers encourage health delivery organizations to ask for and utilize the MDS2,” says Zack Hornberger, director of cybersecurity and informatics at MITA. “The 2019 document is the result of a years-long collaboration between device manufacturers, health delivery organizations, health IT professionals and other industry stakeholders to provide a comprehensive tool that helps everyone work together and improve health care cybersecurity.”
First Steps in Using the Form
- Request an MDS2 form for each medical device. This should be done for every device in the current inventory and on an ongoing basis during prepurchasing – for example, in a request for information (RFI) or request for proposal (RFP) – or at the time of purchase in a purchase order and/or contract.
- Develop a clear policy for analyzing the form’s contents. IT and risk management should review the form to identify potential high-level differentiators that might influence a final purchasing decision. Keep in mind that not every answer will be applicable to each specific device, and risk should be assessed accordingly.
- When a form is received, verify that it is the most up-to-date version. If an outdated form is received, request that the manufacturer provide you with a filled-out form based on the 2019 version. The manufacturer should update MDS2 forms for each of its devices as new software versions are released.
- Check that the device software version matches the version described on the MDS2. Software versions in the MDS2 should correspond to the “to be shipped” version. If different versions of a device’s software are in use in the facility, an MDS2 should be provided for each version.
- Identify whether the unit stores, generates and/or transmits protected health information. The form will let you do this quickly. The form will also help you understand how much protected data is stored on the device (e.g., last patient only versus all history), the type of data, and whether it is permanent or temporary. If data is permanent, the manufacturer should provide instructions on how it can be purged.
- Determine whether the device’s security profile meets your facility’s requirements. Document whether the system meets your requirements as is, can be brought into compliance with compensating controls, or cannot meet your requirements even with compensating controls and thus should not be placed on the network. The majority of the questions are formatted to be answered with a response of “yes,” “no,” or “not applicable”; however, the instructions for some of the questions require technical details to be provided in the notes field, so scrutinize these fields closely. In addition, you should request any supplemental documentation available, including network diagrams, security documentation and Software Bills of Materials (SBoMs).
- Check that the manufacturer has filled the form out properly. Among the things to look for are repeated answers of “N/A,” or multiple instances of notes that are vague or conflicting or that contain no explanation. If insufficient information is provided in the MDS2 form, request that the manufacturer appropriately answer all questions, and/or request a conference call with the manufacturer’s technical team for clarifications.
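The version, software-match, N/A and vague-note checks in the steps above can be applied mechanically once a form has been exported to a spreadsheet. The following Python script is an added example, not ECRI’s or NEMA’s code: it assumes a CSV export with the column names shown, uses constructed placeholder question IDs rather than the form’s real ones, and uses an assumed N/A-ratio threshold that a facility would set in its own policy.

```python
import csv
import io

# Constructed sample: one device's MDS2 answers exported to CSV.
# Question IDs, wording and the note_required column are placeholders
# modelled on the form's yes/no/N-A-plus-notes layout, not copied from it.
SAMPLE_CSV = """form_version,device,software_version,question_id,answer,note_required,note
2019,InfusionPumpX,3.2.1,Q-01,Yes,Y,Stores last patient only; purge via Service > Clear Data
2019,InfusionPumpX,3.2.1,Q-02,Yes,Y,
2019,InfusionPumpX,3.2.1,Q-03,No,N,
2019,InfusionPumpX,3.2.1,Q-04,N/A,N,
2019,InfusionPumpX,3.2.1,Q-05,N/A,Y,See manual
2019,InfusionPumpX,3.2.1,Q-06,N/A,N,
2019,InfusionPumpX,3.2.1,Q-07,N/A,N,
2019,InfusionPumpX,3.2.1,Q-08,Yes,N,
"""

# Notes that give the reviewer nothing to work with (lower-cased for matching).
VAGUE_NOTES = {"", "see manual", "see documentation", "tbd", "contact vendor"}
NA_RATIO_LIMIT = 0.4  # assumed policy threshold; adjust to local procedure


def review_mds2(csv_text, installed_version):
    """Return a list of findings for one exported MDS2, or [] if it passes."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    findings = []
    # Verify the form is the 2019 version before analysing its content.
    form_versions = {r["form_version"].strip() for r in rows}
    if form_versions != {"2019"}:
        findings.append(f"outdated form version {sorted(form_versions)}: request the 2019 form")
    # The software version on the form must match what is actually installed.
    form_sw = {r["software_version"].strip() for r in rows}
    if installed_version not in form_sw:
        findings.append(f"software mismatch: form covers {sorted(form_sw)}, installed {installed_version}")
    # Repeated N/A answers suggest the form was not filled out properly.
    na_count = sum(1 for r in rows if r["answer"].strip().upper() in {"N/A", "NA"})
    if rows and na_count / len(rows) > NA_RATIO_LIMIT:
        findings.append(f"{na_count}/{len(rows)} answers are N/A: ask the manufacturer to answer each question")
    # Questions whose instructions call for technical detail need a real note.
    for r in rows:
        if r["note_required"].strip().upper() == "Y" and r["note"].strip().lower() in VAGUE_NOTES:
            findings.append(f"{r['question_id']}: note missing or vague ({r['note'].strip()!r})")
    return findings


if __name__ == "__main__":
    for finding in review_mds2(SAMPLE_CSV, "3.2.1"):
        print("-", finding)
```

Each finding maps to one of the requests above (a 2019 form, a form for the installed version, complete answers, or a clarification call), so the list can be pasted straight into the request sent back to the manufacturer.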
Next Steps
If you are already successfully obtaining and analyzing MDS2 forms as a part of your purchasing process, there are further steps you can consider.
- Plan to include the 2019 form in your procurement process. Note that manufacturers are transitioning to this new form; while you can encourage them to adopt the 2019 version, we expect it to be a long process.
- If possible, include MDS2 forms, or a link to them, with the assets in your asset management database, computerized maintenance management system (CMMS) or GRC system. This may facilitate future risk management efforts. It may also help in identifying affected units during ongoing security threats (e.g., ransomware attacks). ECRI is aware of these capabilities being offered by some CMMS and GRC vendors. The 2019 form requires the information to be in spreadsheet format, which should enable the data to be imported into a CMMS or GRC system.
- Provide all parties involved (clinical engineering, IT, security) with access to MDS2 and supplemental documentation gathered.
- Periodically check for updated MDS2 forms to guide your ongoing risk management efforts. Additional software tools are available from CMMS vendors and third-party security vendors that can use MDS2 information in the creation of a risk profile or a risk score for a particular device. The MDS2 form is also harmonized with the requirements outlined in IEC 80001-2-2 to aid facilities that are currently in the process of or considering implementation of the IEC 80001-1 standard.
This article is adapted from material on ECRI’s website designed to help health care personnel cope with the growing number of cybersecurity threats. That article and many additional health-IT-related resources are available through membership in various ECRI programs, including its Capital Guide and Device Evaluation services. To learn more about ECRI’s technology decision support solutions, visit https://www.ecri.org/solutions/technology-decision-support, or contact ECRI at 610-825-6000, ext. 5891, or by email at clientservices@ecri.org.