Granted, there are easier acronyms to decipher than MDS2, short for Manufacturer Disclosure Statement for Medical Device Security. The initial version was developed in 2008 by NEMA (National Electrical Manufacturers Association) together with the Medical Device Security Task Force of HIMSS (Healthcare Information and Management Systems Society), in collaboration with multiple industry associations, government agencies and other stakeholders. It provided a basic, 3-page form on which medical device manufacturers could describe to their customers, i.e. the hospitals, the essential security and privacy properties of a specific medical device: the operating system and its version, the type of network connection, whether the operator is able to install antivirus software, and what PHI (Protected Health Information) the device stores and whether that storage is transient or permanent.
Although the form fulfilled its purpose, this initial version also drew some criticism, for example:
1. It is purely voluntary and typically has to be specifically requested by the purchasing entity. Only a few manufacturers have made it their practice to publish the MDS2 on their web site.
2. Many manufacturers do not provide accurate information or fail to keep the MDS2 up to date, i.e. the form they supply describes a previous version of the product.
3. Much of the information to be provided was left to the manufacturer's discretion because of the extensive use of free-text comment fields (in fact, 1½ of the 3 pages).
4. Since 2008, attacks and malware have become increasingly sophisticated, and the basic information captured by the initial version of the MDS2 no longer meets the needs of hospital IT and Biomedical Engineering departments in 2013.
5. Including networked medical devices in an organization's security risk assessment (as required under HIPAA) is becoming common practice. With IEC 80001-1, a risk management standard specifically addressing IT networks that incorporate medical devices has become available, but the MDS2 was poorly aligned with it.
Addressing these concerns, NEMA recently released an updated 5-page version of the MDS2 form. It provides more granularity and aligns the form with the risk management requirements of IEC 80001-1 and specifically with IEC/TR 80001-2-2, "Guidance for the disclosure and communication of medical device security needs, risks and controls". The new form is available via the NEMA web site: http://www.nema.org/standards/Pages/Manufacturer-Disclosure-Statement-for-Medical-Device-Security.aspx (Oct. 2013).
The new version directly addresses concerns 3 through 5 above; it can be expected that increasing market pressure and customer demand (e.g. making the MDS2 a standard requirement in the RFP and purchasing process) will address concerns 1 and 2.
Besides alignment with IEC 80001, the new version adds specificity and granularity in several areas:
- Information about additional data types such as biometric and financial data.
- Authentication, authorization, and access management.
- Audit capability.
- Description of specific security capabilities, e.g. malware protection and removal, device hardening, patching.
- Description of specific information protection capabilities, e.g. encryption, backup, de-identification, external media handling.
One specific area of concern is the need for standardized communication of a device's privacy and security features from the manufacturer to the end user. Only what is properly described and defined can be securely managed: a weakness in a specific device, for example the inability to patch it or to run antivirus software on it, can only be compensated for by the hospital, e.g. through network segmentation and firewalls, if the manufacturer has disclosed it in the first place.
In this context, manufacturers need to be aware of recent draft guidance issued by the Food and Drug Administration: "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices", http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf (June 2013). Although the criteria and controls it describes are at this point nonbinding, they express the FDA's thinking regarding anticipated requirements for the cybersecurity capabilities of medical devices and their forthcoming relevance in the FDA's premarket review as well as its postmarket surveillance processes.
Documentation of a device's cybersecurity capabilities, including instructions for the end user, is a key requirement of the FDA guidance document, and the new MDS2 is a key component of this communication process.
In an age of a rapidly evolving and highly sophisticated threat landscape, it is essential that medical device manufacturers as well as hospital IT and Biomedical Engineering departments cooperate closely with security experts, such as Symantec, to ensure the best possible protection and reliability of their device networks. In the end, this is about more than the security of the devices and the protection of a patient's privacy: it is about quality of care and patient safety.