The Medical Imaging & Technology Alliance (MITA) has released a new medical device security standard which provides healthcare delivery organizations (HDOs) with important information about risk management and medical device security controls to harden the devices against unauthorized access and cyberattacks.
The new voluntary standard – Manufacturer Disclosure Statement for Medical Device Security (MDS2) (NEMA/MITA HN 1-2019) – was developed in conjunction with a diverse range of industry stakeholders and aligns with the 2018 U.S. Food and Drug Administration (FDA) Medical Device Cybersecurity Playbook, issued in October 2018.
The guidance explains that cybersecurity of medical devices is a shared responsibility. HDOs must collaborate with medical device manufacturers to ensure best practices are adopted. Device manufacturers, HDOs, government entities, and cybersecurity researchers need to work together to ensure threats to medical devices are managed and reduced to reasonable and appropriate levels.
The new standard is intended to help streamline communications between device manufacturers and HDOs, increase transparency of information, and clarify the roles of each with respect to the security of medical devices.
“Transparent information and speed of getting that information from manufacturers to health delivery organizations are crucial, and this Standard helps foster both,” said Tim Walsh, Principal Information Security Analyst – CIS Operations, Mayo Clinic, and member of the MDS2 Canvass Group.
The guidance includes information on the standard security controls incorporated into medical devices to ensure they meet industry standards and can be used safely and securely; however, it is the responsibility of HDOs to ensure that the devices are configured correctly. HDOs need to assess medical device security controls and determine whether they are appropriate, work within their own environments, and allow risk to be effectively controlled and managed.
Worksheets have been created for assessing the features and security capabilities of each medical device, including the specifications, the management of personally identifiable information, audit controls, authorization controls, data backup and disaster recovery functions, data integrity controls, anti-malware protections, connectivity, node authentication, security guidance, how cybersecurity upgrades will be performed throughout the lifecycle of devices, and other key information for HDOs.
Medical device manufacturers should complete the worksheets to provide HDOs with the technical information they will need to conduct their own security risk assessments and build their security risk management programs.
While the MDS2 form contains important technical information on medical devices, MITA warns that it is not intended to be used as the sole basis for medical device procurement, as writing medical device procurement specifications requires more extensive knowledge of an HDO’s security environment and healthcare mission.
The information on the MDS2 form must be combined with detailed information collected about the care delivery environment in which the devices will be used. Tools such as ECRI’s Guide for Information Security for Biomedical Technology are useful in this regard.
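As an added illustration of the workflow the article describes (a manufacturer's disclosure answers combined with the HDO's own deployment context to drive a risk assessment), the following Python is example code written for this page; it is not part of the MDS2 standard, the MITA worksheets or any HDO tool. The field names (`stores_pii`, `audit_logging`, `node_authentication`, and so on), the deployment-context attributes and the severity rules are constructed placeholders modelled on the worksheet categories listed above, not the real MDS2 question identifiers.

```python
"""
Constructed example: triage a manufacturer's security-disclosure answers
against the environment a device will actually be deployed in.
Field names and rules are hypothetical stand-ins for MDS2 worksheet items.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class DeviceDisclosure:
    """Answers a manufacturer would supply on a disclosure worksheet (hypothetical fields)."""
    model: str
    stores_pii: bool             # device retains personally identifiable information
    audit_logging: bool          # device records an audit trail of access/changes
    user_authentication: bool    # authorization controls for operators
    anti_malware: bool           # device ships with anti-malware protection
    network_connected: bool      # connectivity to the HDO network
    node_authentication: bool    # device authenticates peers it talks to
    backup_restore: bool         # data backup and disaster-recovery capability
    patch_support_years: int     # how long the vendor commits to security updates


@dataclass
class DeploymentContext:
    """What the HDO knows about where the device will live (hypothetical fields)."""
    network_segmented: bool            # device sits on an isolated medical VLAN
    expected_service_life_years: int   # how long the HDO plans to run the device
    central_log_collection: bool       # HDO can ingest device audit logs


@dataclass
class Finding:
    severity: str   # "low" | "medium" | "high"
    control: str    # worksheet category the finding relates to
    detail: str


def assess(device: DeviceDisclosure, ctx: DeploymentContext) -> List[Finding]:
    """Combine disclosure answers with deployment context to produce findings.

    The same disclosure can yield different severities in different
    environments, which is the point the article makes: the form alone is
    not enough to judge a device.
    """
    findings: List[Finding] = []
    # Exposure to the network is mitigated by segmentation, so missing
    # network controls are downgraded when the device is isolated.
    net_severity = "medium" if ctx.network_segmented else "high"

    if device.stores_pii and not device.user_authentication:
        findings.append(Finding("high", "authorization",
                                "PII stored but no operator authentication"))
    if device.stores_pii and not device.audit_logging:
        findings.append(Finding("high", "audit",
                                "PII stored but no audit trail of access"))
    if device.stores_pii and not device.backup_restore:
        findings.append(Finding("medium", "backup",
                                "PII stored without backup/restore capability"))
    if device.network_connected and not device.node_authentication:
        findings.append(Finding(net_severity, "node_authentication",
                                "networked device does not authenticate peers"))
    if device.network_connected and not device.anti_malware:
        findings.append(Finding(net_severity, "anti_malware",
                                "networked device has no anti-malware protection"))
    if device.patch_support_years < ctx.expected_service_life_years:
        findings.append(Finding("high", "lifecycle",
                                f"security updates end after {device.patch_support_years} years, "
                                f"device planned for {ctx.expected_service_life_years}"))
    if device.audit_logging and not ctx.central_log_collection:
        # Capability exists on the device; the gap is on the HDO side.
        findings.append(Finding("low", "audit",
                                "device audit logs are not collected centrally"))
    return findings


_ORDER = {"low": 0, "medium": 1, "high": 2}


def highest_severity(findings: List[Finding]) -> str:
    """Overall rating for the assessment ('none' when there are no findings)."""
    if not findings:
        return "none"
    return max(findings, key=lambda f: _ORDER[f.severity]).severity


def example_device() -> DeviceDisclosure:
    """Constructed sample disclosure (not a real product)."""
    return DeviceDisclosure(model="EXAMPLE-MONITOR", stores_pii=True, audit_logging=True,
                            user_authentication=True, anti_malware=False,
                            network_connected=True, node_authentication=False,
                            backup_restore=True, patch_support_years=5)


def example_context(segmented: bool = True) -> DeploymentContext:
    """Constructed sample HDO environment."""
    return DeploymentContext(network_segmented=segmented,
                             expected_service_life_years=7,
                             central_log_collection=False)


if __name__ == "__main__":
    for f in assess(example_device(), example_context()):
        print(f"[{f.severity:6}] {f.control}: {f.detail}")
    print("overall:", highest_severity(assess(example_device(), example_context())))
```

Running the sample shows the environment dependency directly: the same disclosure rated on a segmented network produces two medium network findings, while the unsegmented context escalates both to high. The lifecycle finding (update support shorter than planned service life) is high in either case, which is the kind of gap the article says the worksheet is meant to surface before deployment.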