What is an MDS2?  

The MDS2 (Manufacturer Disclosure Statement for Medical Device Security) is a voluntary standard used by medical device manufacturers to communicate crucial security-related information to healthcare delivery organizations. The MDS2 affords medical device manufacturers the opportunity to communicate this information through a form or questionnaire that is included as part of the standard. Medical device manufacturers answer a series of questions (216 questions that cover 23 security capabilities) about the device which can then be shared with the healthcare organization. 

The MDS2 is intended to be used as part of the security procurement process. The MDS2 clarifies roles and responsibilities of manufacturers and healthcare delivery organizations for the upkeep and maintenance of a connected device security posture. The form is manufacturer-completed and provided to healthcare delivery organizations upon request. It’s the buyer’s responsibility to request an MDS2. It is not up to the manufacturer to provide it.

The MDS2 form is entirely optional. But while it is not mandatory to share it, most healthcare delivery organizations provide the questionnaire as part of the procurement process. When medical device manufacturers provide the MDS2 up front, they may be able to avoid additional lengthy questionnaires.

The MDS2 form was created as it became obvious that healthcare providers needed greater visibility into the security and privacy profiles of the devices they used. Without this level of visibility, healthcare providers cannot effectively assess the suitability of a connected device nor determine effective security controls, especially in relation to legacy devices. Without a proper system in place it becomes difficult for healthcare delivery organizations to truly evaluate the security posture of their connected medical device ecosystems.

The MDS2 standard was developed by Healthcare Information and Management Systems Society (HIMSS) and the National Electrical Manufacturers Association (NEMA), and most recently revised by NEMA and The Medical Imaging & Technology Alliance (MITA). 

The MDS2 Standard and Its Role in Medical Device Security

Development and History of MDS2 

The MDS2 form was first developed as a joint standard in 2008, when NEMA together with HIMSS and a number of other security experts and government agencies, produced a short document template for manufacturers to use in order to describe the vital security properties of their devices. This 3-page form contained 41 questions which helped to describe such aspects as OS, PHI use, antivirus etc.  
 
This form was updated in 2013 and aligned with IEC 80001-2-2 (Guidance for the disclosure & communication of medical device security needs, risk & controls). This standard defines the roles, responsibilities and activities that are necessary for risk management of IT-networks incorporating medical devices to address safety, effectiveness and data and system security. This updated version of MDS2 delved into nineteen security capabilities which were more relevant to connected technology advancements and an increasingly complex threat landscape.  
 
The most recent version of MDS2, released in 2019 by MITA and NEMA, consists of 216 questions that cover 23 security capabilities. Once again, this updated version was published in response to an ever-evolving threat landscape. The more comprehensive list of questions addressed industry needs bringing more relevant security capabilities into the equation and required device manufacturers to further describe their products’ security features. This was necessary to ease healthcare delivery organizations’ efforts to perform risk assessments and protect the data created, received, transmitted, or maintained by their medical devices. 

MDS2s And SBOMs 

We have previously discussed the importance of software bill of materials (SBOMs) when it comes to securing connected medical devices. An SBOM provides a list of all software components within a given device including drivers, software licenses, operating systems etc. In a previous post we mentioned how, given obvious similarities, an SBOM is often depicted as a nutrition label or ‘ingredients list’ for software.  

While SBOMs can be seen as the ingredients list, MDS2s are more like the nutritional facts of a product. The MDS2 captures and contextualizes security information through a list of short questions that cover a range of topics.  

Most of the questions use a simple yes or no format so that there’s little room for interpretation and confusion. Within the form there are questions related to; the management of personally identifiable information, authorization, audit controls, cybersecurity upgrades, patching, data backup and disaster recovery, connectivity capabilities, and personal authentication, amongst other security considerations.  

More specifically, the information provided in the MDS2 provides answers to questions such as: 

                        • How can the connected medical device be patched?  
                        • Does it require physical access, or can updates be provided remotely?  
                        • Can the operator install patches on their own, or does it all need to go through the vendor? 
                        • Are there any built-in security safeguards and capabilities such as encryption, auto-logoff, malware detection, or physical locks? 
                        • Does the device have anti-malware software? If not, can it be installed by the operator?
                        • What types of private data are stored on the device, and how are they transmitted? 

In many cases, the MDS2 form is the best way to find out about the components of a connected medical device that could present a serious cybersecurity risk and how to best handle any issues when they occur. In many ways, the MDS2 is the gold standard of guidelines for medical device security. 

Understanding the MDS2 Standard

Key Benefits of Using MDS2s 

The benefits for using an MDS2 include: 

                        • It provides a comprehensive set of medical device security questions developed through broad stakeholder participation and medical device vendor buy-in. This helps to provide a baseline standard of security expectations.  
                        • It facilitates the review of the large volume of security-related information supplied by manufacturers. 
                        • It allows for easy comparison of security features across different devices and different manufacturers. This is one of the reasons why the HSCA (Healthcare Supply Chain Association) stated the following when discussing key cybersecurity challenges facing medical device manufacturers and HDOs: 

HDOs should avoid acquiring devices for which a supplier is unable or unwilling to provide a Manufacturer Disclosure Statement for Medical Device Security (MDS2) utilizing the most recent template. Where suppliers provide MDS2s, those MDS2s should be reviewed by HDO network security teams, or their designated third party, prior to the purchase, use, or implementation of any medical device. All medical devices and services should be installed and operated in a manner consistent with the organization’s security policies and practices.” 

SelectEvidence and MDS2s 

SelectEvidence® is an expert cybersecurity risk assessment platform that guides medical device manufacturers through the process of identifying applicable vulnerabilities and identifying the right security controls to mitigate those risks. It provides manufacturers with an intelligent, automated, and traceable approach to cybersecurity assessments.  

SelectEvidence® automatically generates MDS2 forms and reports for medical device manufacturers. SelectEvidence® automatically responds to each of the questions relating to the security capabilities. Answers are based on findings from the risk assessment.

If you want to learn more about the importance of MDS2s and using SelectEvidence in your risk management process, you can speak to one of our team today. To get in touch, please fill in the form on our contact page.