AAMI News November 2019
Standards Spotlight: Revised MDS2 Expands Documentation of Security Control Features
The National Electrical Manufacturers Association (NEMA) has published a revision of its Manufacturer Disclosure Statement for Medical Device Security (MDS2), providing device manufacturers with an expanded and standardized form for collecting data about their products’ security capabilities for customers.
The updated MDS2 calls for medical device manufacturers to use a new spreadsheet, which is included in the document, to describe their products’ security features in order to ease healthcare delivery organizations’ (HDOs’) efforts to perform risk assessments and protect the data created, received, transmitted, or maintained by their medical devices. HDOs can use data in the new MDS2 form to compare equipment from different manufacturers and make informed purchasing decisions that comply with their security and privacy policies.
The standard, ANSI/NEMA HN 1-2019, Manufacturer Disclosure Statement for Medical Device Security, consists of the MDS2 form and instructions for completing it. The standard represents a joint effort of the Healthcare Information and Management Systems Society and NEMA, and the MDS2 revision was led by NEMA’s Medical Imaging and Technology Alliance (MITA).
What is AAMI’s involvement in revising MDS2?
AAMI was a member of the working group that developed the new MDS2 standard, ANSI/NEMA HN 1-2019. The MDS2 revision will in turn lead to a revision of the AAMI/ISO 80001-2 series, which provides guidance on managing cybersecurity for health IT networks, so that the series aligns with the changed set of security capabilities in the new MDS2.
New AAMI Webinar
There’s a new version of MDS2 in town!—Thursday, December 19
Join us for a webinar hosted by the Health Technology Alliance (HTA) to learn about the new version of the Manufacturer Disclosure Statement for Medical Device Security (MDS2) form and why it’s important for your organization.
Sponsored by HTA—a joint alliance of AAMI, ACCE, and HIMSS
“The new MDS2 form will help people who are purchasing equipment to understand the security capabilities of the device,” said Zack Hornberger, director of cybersecurity and informatics at MITA and convener for the standard development group. “It can also be the primary document manufacturers use to communicate how a device will securely interact with a customer’s clinical environment, how it can be configured to support secure use, and how it can be networked. The new form also provides an opportunity for manufacturers to alert their customers to additional security documentation when it is available.”
The updated standard, very simply put, is a more comprehensive version of the original, containing more than twice as many security control questions and new sections on remote service and administration capabilities, connectivity capabilities, software roadmaps, the management of personally identifiable information, and the software bill of materials (SBOM).
An SBOM lists the software components incorporated into a device and is intended to help the purchaser with operational security planning for their institution. This effort toward software transparency has been supported by several federal agencies, including the Food and Drug Administration (FDA). While an SBOM is not mandatory, the updated form contains space for a manufacturer to indicate whether a device has an SBOM and whether that SBOM identifies specific high-level components.
“This is a lot more information for HDOs and a lot more work for manufacturers,” said Hornberger. “However, the manufacturers involved with this process have been more than willing to provide this information because they know it’s what their customers need to make the best decisions about security and to enable safe and secure operation of the devices in their environment.”
The MDS2 revision is the result of more than two years of work by a 40-member canvass group. The group was led by Robert Horn, the principal investigator at Fairhaven Technology in Maynard, MA, and included stakeholders from industry, academia, providers, health information technology companies, pharmaceutical companies, and federal agencies.
Horn, who was part of the original MDS2 genesis, expects the new standard to be adopted quickly.
“The rate at which the new MDS2 is picked up will be driven a lot by customers,” Horn said. “If customers are asking for this information as part of their procurement documents, then vendors will fill in the MDS2 forms.”
The canvass group designed the revised MDS2 spreadsheet to be applicable to devices “great and small,” Horn said, from hand-held, battery-powered glucose monitors to artificial intelligence-driven computerized tomography scanners. The standard provides detailed instructions for how to complete the spreadsheet. However, the MDS2 does not specify service processes, support commitments, or other activities that are better addressed via a business contract.