How You Can Use MDS2, IEC 80001-2-2 and IEC 80001-2-8 to Establish Foundational Security Requirements for Medical Devices  

If you are building a connected medical device, one of the first questions you should be asking yourself is: “What security features and capabilities should we consider?” It’s important to ask this at the start of the software development cycle so that security is ingrained into the product. In this blog post we are going to provide you with the tools you need to answer that question.  

It has been said that standards are the playbook for how the medical device industry solves many problems. Below we will take a look at how two standards (IEC/TR 80001-2-2 and IEC/TR 80001-2-8) can be used in tandem with the MDS2 form to inform the software development lifecycle. This approach can be broken into three key parts — establish, implement and communicate. 

Manufacturer Disclosure Statement for Medical Device Security 

Before we get into the three-pronged establish, implement and communicate approach, let’s first quickly recap the history of the MDS2 and how it relates to the above-mentioned standards.

MDS2 stands for ‘Manufacturer Disclosure Statement for Medical Device Security’. The MDS2 is a voluntary standard that enables medical device manufacturers to provide healthcare delivery organizations with the crucial security information they need when making purchasing decisions. An MDS2 affords medical device manufacturers the opportunity to communicate this information through a form or questionnaire that is included as part of the standard. Medical device manufacturers answer a series of questions (216 questions that cover 23 security capabilities) about the device which can then be shared with the healthcare organization.  

The MDS2 is intended to be used as part of the security procurement process. It clarifies the roles and responsibilities of manufacturers and healthcare delivery organizations for the upkeep and maintenance of a connected device's security posture.

History of MDS2 and Relationship With IEC/TR 80001-2-2

• 2008 – MDS2 First Developed: The MDS2 was first developed as a joint standard in 2008 when NEMA, together with HIMSS, produced a short document template for manufacturers to use so that they could describe the vital security properties of their devices. This 3-page form contained a mere 41 questions which helped to describe such aspects as OS, PHI use, antivirus etc.
• 2012 – Introducing IEC/TR 80001-2-2: IEC/TR 80001-2-2:2012 was published in 2012. The TIR presents a set of high-level security capabilities that are used as a starting point for discussions between device manufacturers and healthcare delivery organizations.
• 2013 – Aligning MDS2 With IEC/TR 80001-2-2: The MDS2 was updated in 2013 and aligned with IEC 80001-2-2. This updated version of MDS2 delved into the nineteen security capabilities which were more relevant to connected technology advancements and an increasingly complex threat landscape.
• 2019 – Updating and Improving the MDS2: The most recent version of MDS2 was released in 2019 and consists of 216 questions that cover 23 security capabilities. Once again, this updated version was published in response to an ever-evolving threat landscape. The more comprehensive list of questions addressed industry needs, bringing more relevant security capabilities into the equation.
• Unconfirmed future date – Aligning IEC/TR 80001-2-2 With MDS2: In 2013, IEC/TR 80001-2-2:2012 was used to strengthen the MDS2 standard. But now, the tables have turned. IEC/TR 80001-2-2 will soon be updated to be more aligned with the greatly improved MDS2 voluntary standard.

Using MDS2, IEC 80001-2-2 and IEC 80001-2-8 to Establish, Implement and Communicate Security Capabilities

1. Establish

For years IEC/TR 80001-2-2:2012 has been a commonly used resource for both medical device manufacturers and healthcare delivery organizations. The TIR presents a set of high-level security capabilities that are used as a starting point for discussions between device manufacturers and healthcare delivery organizations. Part of its popularity is due to its simple, straightforward approach that outlines 19 basic security capabilities. These can be regarded as potential security risk control options.  

The standard informs the software development cycle in several ways:  

• Security Disclosure Framework: The standard provides a framework for the disclosure of security-related capabilities and risks necessary for managing the risk in connecting medical devices to IT-networks.
• Common Security Goals: The standard presents an informative set of common, high-level security-related capabilities useful in understanding the user needs, the type of security controls to be considered and the risks that lead to the controls.
• Information Sharing: The security capability descriptions in the standard are intended to supply healthcare delivery organizations and medical device manufacturers with a basis for discussing risk and their respective roles & responsibilities toward its management.

In this way, IEC/TR 80001-2-2:2012 helps medical device manufacturers to decide what security capabilities are missing/needed. However, while this standard helps you uncover what security capabilities are needed, it doesn’t explain how to implement them. That is where IEC/TR 80001-2-8 comes in.  

2. Implement

One of the challenges with IEC/TR 80001-2-2 is its lack of specific requirements. The general, high-level security goals work well to inform healthcare providers, but this is not enough to guide design teams.

For more in-depth information, organizations can use IEC/TR 80001-2-8. This standard takes the 19 security capabilities described in 80001-2-2 (reiterating the requirements, goals, and user needs for reference) and then maps a catalogue of technical operation and security controls. These controls act as a how-to guide, allowing a design team to select an appropriate standard and then ensure that each of the applicable security capabilities has been met.

The standard also provides: 

• Security Controls “The How-To”: The standard addresses each of the security capabilities in IEC/TR 80001-2-2 and identifies catalogues of related security controls for use during product development and risk management activities, device implementation, supplier selection, device selection, operation etc.
• Technical Cybersecurity Control Guidance: Provides manufacturers with a catalogue of technical security controls for the establishment of each of the 19 security capabilities during product development.
• Through Life Cybersecurity Control Guidance: Provides hospitals with a catalogue of management, operational and administrative security controls to maintain the effectiveness of a security capability for a device on a healthcare IT network.

In short, IEC/TR 80001-2-2 highlights what security capabilities are needed and IEC/TR 80001-2-8 shows how each of the security capabilities can be implemented. The two standards complement each other perfectly.  

3. Communicate

Once foundational security requirements have been established, all that is left is to find a way to communicate capabilities to buyers/healthcare delivery organizations. This is the true value of the MDS2.  

One of the reasons why IEC/TR 80001-2-2 and IEC/TR 80001-2-8 have proven so powerful is because of how they align with the MDS2. The security capabilities listed on the MDS2 form are the same as those described in IEC/TR 80001-2-2. This alignment brings perfect continuity between the development lifecycle and the process of communicating security capabilities to healthcare delivery organizations.    

The goal of the MDS2 is to communicate which security capabilities have been established. It used to be regarded as a failed mechanism for demonstrating this assurance, but the 2019 version turned the MDS2 from a “checkbox exercise” into a form structured so that context can be provided to demonstrate the security assurance of a connected medical device. In this way, the MDS2 becomes two things:

• For healthcare providers: a supporting document to aid in the vendor/product selection process.
• For medical device manufacturers: a supporting document for requirements identification across the entire software/system development lifecycle, as it is perfectly aligned with the two standards that guide your development process from a cybersecurity perspective.

The advantages this brings simply cannot be overlooked.  

By using this approach you’ll create a strong foundation for your connected device cybersecurity posture, saving you time and money, whilst delivering safer products to market.  

Bonus: Encouraging a Better Approach to Cybersecurity 

The IEC/TR 80001-2-2 and IEC/TR 80001-2-8 standards encourage manufacturers to think about cybersecurity from the very beginning of the software development lifecycle and to continue doing so throughout the development process. These standards guide manufacturers toward the practice of having security “built-in” rather than what many might call “bolted-on” security solutions. This means that cybersecurity is ingrained into the very core of the product rather than being added on as an afterthought.  

This is a much better and more efficient approach. Why wait until the end of developing a product to uncover potentially costly and time-consuming issues with the cybersecurity of a device? This could, and should, be tackled at a much earlier stage.   

SelectEvidence™ And IEC/TR 80001-2-8 

Nova Leah is closely associated with the standards discussed in this blog post.  

Nova Leah Founder and CEO, Dr. Anita Finnegan, authored the international technical reports – IEC/TR 80001-2-8 and IEC/TR 80001-2-9. These standards have played a huge role in shaping the development of SelectEvidence™, which helps manufacturers meet FDA and EU cybersecurity premarket and post-market cybersecurity guidance expectations.  

SelectEvidence™ can be used to protect, assess, and continually monitor your connected devices.
