Here is a special announcement by the HIMSS Privacy and Security Committee from Dennis M. Seymour, CISSP, ITIL, Ellumen, former Chair, HIMSS Privacy and Security Committee, former Co-Chair, HIMSS Medical Device Security Task Force
HIMSS is pleased to announce that the revision of the Manufacturers Disclosure Statement for Medical Device Security (MDS2) standard has now been given final approval by the National Electrical Manufacturers Association (NEMA) Codes & Standards Committee, the highest ranking standards body within NEMA (read MITA press release).
The MDS2 standard, which is jointly published by NEMA and HIMSS, provides healthcare organizations with important information to assist them in evaluating vulnerabilities and risks related to the protection of private data transmitted or maintained by medical devices and systems.
The updated MDS2 is aligned with the latest standards for medical device security, such as IEC 80001, Application of Risk Management for IT-Networks Incorporating Medical Devices — Part 1: Roles, Responsibilities and Activities, and includes the following information provided by medical device vendors:
- Device Description
- Management of Private Data
- Security Capabilities
- Automatic Logoff
- Audit Controls
- Configuration of Security Features
- Cyber Security Product Upgrades
- Health Data De-Identification
- Data Backup and Disaster Recovery
- Emergency Access
- Health Data Integrity and Authenticity
- Malware Detection/Protection
- Node Authentication
- Person Authentication
- Physical Locks
- Roadmap for Third Party Components in Device Life Cycle
- System and Application Hardening
- Security Guidance
- Health Data Storage Confidentiality
- Transmission Confidentiality
- Transmission Integrity
- Other Security Considerations
The revised standard represents the third iteration of the MDS2. The original version was initially developed in 2003 by HIMSS and the American College of Clinical Engineering (ACCE) to address risks associated with medical device security in alignment with the requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In 2008, the MDS2 form underwent a second revision with HIMSS and NEMA partnering together to transform the MDS2 document into an officially recognized standard.
As mentioned previously, the most recent MDS2 is aligned with the latest standards for medical device security and represents three years of work by dedicated HIMSS members representing the HIMSS Privacy & Security Committee, Risk Assessment Work Group, and Medical Device Security Task Force, as well as representatives from the American College of Clinical Engineering (ACCE) and the Medical Imaging and Technology Alliance (MITA), a division of the National Electrical Manufacturers Association (NEMA).
Over the past 10 years, the MDS2 has been used by medical device vendors to provide customers with the information necessary to identify risks associated with their devices, as well as to present, from the vendor's perspective, how their device meets or exceeds the various regulatory requirements.
HIMSS and the HIMSS Privacy and Security Committee applaud the efforts of the joint MITA/HIMSS/ACCE group to update the standard and expect that the new MDS2 will be an invaluable tool for its member organizations in the assessment of risk well into the future.
Stay tuned for further updates once final publication of the new MDS2 standard is announced.