MDS2 Forms: Unpacking the Gold Standard Guideline of Medical Device Security
After a long and grueling procurement process, your hospital finally receives a new supply of ventilators. Along with the devices, the vendor also sends along bundles of booklets: troubleshooting manuals, warranty information, and every Biomed and Clinical Engineer's favorite go-to doc: the device's MDS2 form.
You know you’re going to spend a lot of time with this form. After all, it’s the gold standard of guidelines for medical device security. It’s also chock-full of information about your new ventilator’s functionality: does it perform automatic logoffs or have a disaster recovery mechanism? Can it store and send PHI? Does it have default passwords, and can you change those passwords into something long and obscure that no brute-force attack in the universe could break? Check your shiny new device’s handy-dandy MDS2 form.
That’s not to say the form is the be-all-end-all of healthcare security. For all the information MDS2 forms can give you about connected medical devices, that information will always be static. It can’t tell you anything about your devices’ real behavior in a dynamic environment like your actual clinical network. That’s why it’s so important for hospital Biomed and IT security teams to use a combination of dynamic and static info when you’re building a security policy. If you don’t, what looks like a great policy on paper might very well interrupt clinical services and hurt patients.
Digging Deeper into MDS2
Static Info as the Benchmark of Sustainable Security
Even though MDS2 forms can only give you static information on devices, this information is the official jumping-off point for anyone working in healthcare security. Not only do the forms give you the basics of device security behaviors and standards, the information they provide about patching and software updates can help:
- Make better decisions at the procurement stage—see if the device complies with your hospital’s security policy and if it doesn’t, see if it can be configured to do so or plan for applying compensating controls.
- Understand manufacturer guidelines—if the device needs to be patched or updated because of vulnerabilities, can in-house security teams make the fix themselves without losing the manufacturer warranty?
- Identify 3rd-party libraries used in the device’s software—know if libraries, like IPNet, are built into the device’s software. If the device has any known vulnerabilities, like URGENT/11, you can start building a mitigation plan ahead of time.
Throwing Dynamic Information Into the Mix
Dynamic information is just as important as the static info MDS2 forms give you. Grab your MDS2 forms to get the benchmark for standard device behaviors but always monitor your live network to understand your devices’ actual behavior. In a lot of cases, actual device behaviors don’t line up with the info on MDS2 forms, but not every discrepancy is cause for alarm. That being said, if you don’t keep up with the discrepancies between static and dynamic information, you could run into some security challenges. Let’s take a look at some examples:
The Bottom Line
If you’re serious about building a sustainable cybersecurity program for your hospital, your first order of business should be getting cozy with your devices’ MDS2 forms. But it’s just as important to monitor your network so you know exactly how your devices are behaving in real time. Together, the static information from MDS2 forms and the dynamic information from your live network will give you the official 411 on your devices’ security and help keep your IT and Biomed teams synced and poised to keep your hospital cyber secure.
About Cynerio
Cynerio is the world's premier medical-first IoT cybersecurity solution. We view cybersecurity as a standard part of patient care and provide healthcare delivery organizations with the insight and tools they need to secure clinical ecosystems and achieve long-term, scalable threat remediation without disrupting operations or the delivery of care.