Cybersecurity needs ever-increasing attention as the networking and connectivity of medical devices expand. One way to better ensure the cybersecurity of health care equipment is the Manufacturer Disclosure Statement for Medical Device Security, commonly nicknamed the MDS2. It’s a standardized form filled out by medical device manufacturers to communicate information about their devices’ security and privacy characteristics – that is, the devices’ security profile. This information is intended for current device owners and potential buyers, typically health care delivery organizations (HDOs).
Notes Chad Waters, senior project officer in ECRI’s Device Evaluation group, “The MDS2 provides an understanding of how a device handles sensitive information and interacts with a health care environment. This can be a helpful tool in procurement and be an aid in the secure implementation of a device.”
About the Form
The MDS2 was developed by the Healthcare Information and Management Systems Society (HIMSS) and the Medical Imaging and Technology Alliance (MITA), the medical device division of the National Electrical Manufacturers Association (NEMA). It is available for free from NEMA’s website.
A manufacturer’s answers to the questions in MDS2 forms can be used to conduct a high-level assessment of a product’s security profile. This can aid in a side-by-side comparison of different models (i.e., identifying high-level differentiators) during procurement. It can also serve as a tool for risk assessment, or to feed a governance, risk and compliance (GRC) system for further analysis. And it can be beneficial in assessing both newly purchased devices and legacy equipment for which an MDS2 form may not have been originally requested.
Currently, most manufacturers provide the form upon request. The form, introduced in 2004, was updated in 2013 and again in 2019. ECRI considers the 2019 version to be a substantial improvement, providing a lot more information. But earlier versions of the MDS2 are still in circulation. For many products, manufacturers are just now starting to complete the 2019 form. For other products, manufacturers may decide not to complete the new form at all, particularly for devices that are no longer being actively marketed.
“Medical device manufacturers encourage health delivery organizations to ask for and utilize the MDS2,” says Zack Hornberger, director of cybersecurity and informatics at MITA. “The 2019 document is the result of a years-long collaboration between device manufacturers, health delivery organizations, health IT professionals and other industry stakeholders to provide a comprehensive tool that helps everyone work together and improve health care cybersecurity.”
First Steps in Using the Form
If you are already successfully obtaining and analyzing MDS2 forms as a part of your purchasing process, there are further steps you can consider.
This article is adapted from material on ECRI’s website designed to help health care personnel cope with the growing number of cybersecurity threats. That article and many additional health-IT-related resources are available through membership in various ECRI programs, including its Capital Guide and Device Evaluation services. To learn more about ECRI’s technology decision support solutions, visit https://www.ecri.org/solutions/technology-decision-support, or contact ECRI at 610-825-6000, ext. 5891, or by email at firstname.lastname@example.org.
© 2021, TechNation Magazine.