Author: Jeremy Linden, Sr. Director of Product Management, Asimily
The Manufacturer Disclosure Statement for Medical Device Security, generally abbreviated MDS2 (or MDS²), gives healthcare providers important cybersecurity information so they can evaluate the security capabilities of their devices. The MDS2 form is manufacturer-completed and provided to HDOs upon request. With the first version published in 2004, the MDS2 form has expanded to cover more ground at every iteration; the most recent version is from 2019. The form provides invaluable information about a device’s capabilities and internal configuration, such as:
- How can the device be patched? Does it require physical access, or can updates be provided remotely? Can the operator install patches on their own, or does everything have to go through the vendor?
- Does the device store or transmit Protected Health Information (PHI)? If so, what measures does it take to keep such information secure?
- Does the device have anti-malware software? If not, can it be installed by the operator?
In many cases, the MDS2 form is the best, or the only, way to discern aspects of the device that have a serious impact on its risk and on how to best handle any issues that arise during operation, such as a vulnerability or network anomaly.
Operationalizing the MDS2 Form
Many HDOs find consuming the raw MDS2 form itself quite daunting, with answers to hundreds of questions across dozens of topic areas. Furthermore, the questions often lack context around why they are important and in which circumstances they are relevant.
Thankfully, with Asimily, HDOs can receive all the benefits that analysis of the MDS2 provides with no work on their part. That’s because Asimily takes the lead in collecting and analyzing MDS2 data, with the largest repository of MDS2s in the industry. But collecting the MDS2 isn’t enough: Asimily digitizes the form, and incorporates the data into all parts of the HDO’s workflow:
- The exploitability of a potential vulnerability, as expressed by Insight’s Likelihood score, can be reduced by mitigations that may exist on the device.
- The impact on the HDO that a breach could cause is also affected by information contained in the form, for example if a device stores PHI without encryption.
- The MDS2 form can inform the mitigation recommendations that Insight provides, as specific mitigations may require the device to support a particular configuration.
- Finally, the MDS2 data is useful when conducting pre-procurement risk analysis, which Asimily enables with the ProSecure module.
How Asimily Uses MDS2s
With Asimily Insight, HDOs can view a digitized version of the MDS2 when viewing the details of any device on their network.
Since it can be quite difficult to understand how these answers practically impact an organization’s security, Asimily assigns a score to each answer. These scores are then aggregated together and are one of the sources feeding into Insight’s “Likelihood” calculation, which measures the probability of successful exploitation.
Insight uses the section on “Management of Personally Identifiable Information” as part of its Data Impact calculation, since the ability of an attacker to exfiltrate PHI from a compromised device is greatly impacted by how said PHI is stored and transmitted, and by how it is protected on the device.
Asimily ProSecure uses the information from the MDS2 form as one of the factors to generate risk reports for devices that organizations are considering for procurement. Since it can be a challenge for organizations to collect MDS2s from each vendor for all the devices they are considering, ProSecure acts as both a source of MDS2 data and a platform for integrating the data into a holistic process of evaluating the security of a device before it is connected to the network.
Asimily has a large collection of MDS2s, with over 1200 MDS2s, and growing every day. Furthermore, customers can submit their own MDS2s that they receive from vendors or other sources; they are automatically processed and treated the same as MDS2s that are first-party collected. And as Software Bills of Materials (SBOMs) become widely available, Asimily is integrating the information contained in them into different modules.
The MDS2 form provides invaluable information when evaluating the security of a medical device, whether it is already deployed or being evaluated for purchase. When choosing an IoMT cybersecurity solution, it’s important to understand not just the number of MDS2s it has, but also how deeply the data from the form is integrated into the rest of the solution. After all, information is only useful when it is put to use.
Where the Industry Must Go
Leveraging only technological solutions, or relying heavily on a single technical approach like MDS2 analysis, will ultimately be insufficient, leaving gaps in HDOs’ security posture. HDOs should instead use a layered approach to defending their environments from bad actors. Asimily’s incorporation of MDS2 and SBOM information into its passive IoMT risk remediation platform allows HDOs to leverage the valuable information contained within, while integrating it into a defense in depth strategy. This enables them to systematically drive real risk reduction in their environment while promoting operational efficiency for all their critical devices.