AAMI News February 2020

What You Need to Know About the New MDS2

Security Control
The revised MDS2 expands documentation of security control features for medical devices.

The National Electrical ManufacturersAssociation (NEMA) recently published an updated version of its standard, HN-1 Manufacturer Disclosure Statement for Medical Device Security (MDS2). The new version provides medical device manufacturers with an expanded MDS2 form to collect and report information related to their products’ security capabilities to their customers.

Prior to purchase, healthcare delivery organizations (HDOs) can use information in the new MDS2 to compare different models of similar products and make product selections that can help achieve their security goals. Following equipment acquisition, HDOs can then use information in the MDS2 to conduct security risk assessments and to make informed decisions on how best to securely configure the equipment in its operating environment.

The updated MDS2 calls for medical device manufacturers to use a new spreadsheet to describe their products’ security features in order to ease HDOs’ efforts to perform risk assessments and protect the data created, received, transmitted, or maintained by their medical devices.

Practical Advice for Using the New MDS2

In a Dec. 19 webinar, the Healthcare Technology Alliance—consisting of AAMI, the American College of Clinical Engineering, and the Healthcare Information and Management Systems Society—oriented participants to the new MDS2 form and explained why it’s important for medical device manufacturers and HDOs.

Steve Abrahamson
Steve Abrahamson

Steve Abrahamson, senior director of product cyber security at GE Healthcare, provided a manufacturer’s point of view of the new MDS2.

“One of the biggest challenges a manufacturer has is protecting a device that it does not own or operate,” said Abrahamson. “To enable secure operation, the manufacturer needs to share the responsibility with the device owner/operator. The new MDS2 is a tool the manufacturer can use to implement this shared responsibility.”

Abrahamson provided the following tips for medical device manufacturers for implementing the new MDS2:

  • Develop internal processes for creating new MDS2 forms.
  • Decide on the scope. For example, will you just include new products or will you include on-market and legacy products, too?
  • Conduct internal communication and training on the new MDS2 forms.
  • Create MDS2 content and forms for the devices you defined in your scope.
  • Follow internal review and approval processes for the new MDS2 documents.
  • Manage the forms within your company’s document management system.
  • Support National Telecommunications and Information Administration and industry efforts on defining the right process for defining the software bill of materials.
Stephen Grimes
Stephen Grimes

Stephen L. Grimes, principal consultant for Strategic Healthcare Technology Associates, provided insights from the perspective of healthcare providers.

For providers, “it is very important to remember that you are ultimately responsible for ensuring data security in your organizations, including the security of the medical devices you use,” he said.

Grimes offered the following information and advice for healthcare technology professionals at HDOs working with the new MDS2:

  • HDOs should reach out and attempt to obtain an MDS2 from the manufacturers of all microprocessor-based medical equipment in the HDO’s inventory.
  • Blank MDS2 forms (in spreadsheet format) can be downloaded online if a manufacturer hasn’t yet completed one.
  • HDOs should use the information in this tool to help conduct security risk assessments and to configure medical devices and their operating environments in a manner that best ensures security.
  • The new MDS2 now has a total of 225 manufacturer responses associated with 23 different security categories.
  • The form is meant to provide a simple, flexible way of reporting the technical, model-specific elements of information needed by an HDO to begin medical device security risk assessments (e.g., protecting data confidentiality, integrity, and availability).

Both Abrahamson and Grimes emphasized that data in MDS2 forms are only meaningful if they are considered within a comprehensive security risk management system and that providers must establish and implement their own security risk management processes while using manufacturers as a resource.

Who Worked on the New MDS2?

The MDS2 revision was led by the National Electrical Manufacturers Association’s Medical Imaging and Technology Alliance and is the result of more than two years of work by a 40-member canvass group. The group was led by Robert Horn, the principal investigator at Fairhaven Technology in Maynard, MA, and included stakeholders from industry, academia, providers, health information technology companies, pharmaceutical companies, and federal agencies.


What was AAMI’s Involvement in Revising MDS2?

AAMI was a member of the working group that developed the new MDS2 standard. The MDS2 revision will lead to the revision of the AAMI/ISO 80001-2 series, which provides guidance on managing cyber security for health information technology networks, in order to align it with the changes to the capabilities in the new MDS2.

More InfoAccess the recorded webinar, “There’s a New Version of MDS2 in Town” here. The MDS2 form is available for free download.