What does the new MDS2 form mean for your medical devices?

by John R. Fischer, Senior Reporter | January 08, 2020
A new year brings new changes to every business, and the medical equipment industry is no exception. One important change for stakeholders to be aware of in 2020 is the updated MDS2 form (the Manufacturer Disclosure Statement for Medical Device Security), the document in which a manufacturer lays out the security capabilities built into a specific medical device.

To help the industry know what to expect, the Health Technology Alliance recently held a webinar on the new form, hosted by Stephen L. Grimes and Steve Abrahamson.

“When we think about security, medical device manufacturers have long-standing, very mature processes for looking at risks associated with safety,” said Abrahamson, senior director of product cybersecurity at GE Healthcare. “That is focused on patient safety with an intended usage. Now we’re looking at security, which is about protecting the device and the data on the device. It requires a completely different view of risk management as it pertains to security.”

Whereas previous versions focused primarily on protected health information, the updated form provides information on several items relevant to risk assessment, and for the first time takes cybersecurity and interoperability risks into account.

Its structure consists of 216 questions, compared to the 41 in the initial MDS2 form released in 2004, with new questions focused on audit controls and on cybersecurity topics such as critical features and functionality, vulnerability handling, and life cycle support. It also has 23 sections on security-related features, including new sections for remote services, the software bill of materials, malware prevention, node authentication and transmission integrity.

Providers can use the form to cross-reference standards such as NIST controls and ISO standards, and to find information on several items important to risk assessment: the device itself, the potential threats to it, the impact of those threats, and how to implement security controls.

Grimes encourages providers to work with manufacturers when using or referencing the MDS2. He asserts that such a partnership is necessary for addressing the issues that arise from integrating a medical device with a new environment, other devices, and the types of professionals who use it.

“Ultimately, it’s the healthcare provider that is responsible for ensuring data security in their organization, including in the medical devices being used,” said Grimes. “The manufacturer isn’t responsible. They’re a partner in the process. Ultimately, it’s the organizations. In order to address that responsibility, you need to be working with the manufacturers to get this information from the MDS2.”

The form is intended for risk management and is recognized internationally. It should not be treated as a compliance checklist or as a guide to the intended use of a device.

HTA is a collaboration among the Association for the Advancement of Medical Instrumentation (AAMI), Healthcare Information and Management Systems Society (HIMSS), and the American College of Clinical Engineering (ACCE).

It is accessible online, or can be requested from a manufacturer's compliance department.

Sam Lingam

January 09, 2020 09:15

A large part of what is now the MDS2 will inevitably immensely complicate professional clinicians' activity and the interchange of information.
