The Manufacturer Disclosure Statement for Medical Device Security, generally abbreviated MDS2 (or MDS²), gives healthcare providers important cybersecurity information so they can evaluate the security capabilities of their devices or compare new devices when making product selections. The MDS2 form is a manufacturer-completed document provided to healthcare organizations upon request. 

The first version was published in 2004 and expanded in 2019 to cover more ground. The MDS2 form provides invaluable information about a device’s capabilities and internal configuration, including:

• How can the device be patched? Does it require physical access, or can updates be provided remotely? Can the operator install patches on their own, or does everything have to go through the vendor?
• Does the device store or transmit Protected Health Information (PHI)? If so, what measures does it take to keep such information secure?
• Does the device have anti-malware software? If not, can it be installed by the operator?

In many cases, the MDS2 form is the best or the only way to discern aspects of the device that have a serious impact on its risk and on how to best handle any issues that arise during operation, such as a vulnerability or network anomaly.

How Operationalizing the MDS2 Form

Many healthcare organizations find consuming the raw MDS2 form quite daunting, with answers to hundreds of questions across dozens of topic areas. Furthermore, the questions often lack context around why they are important and in which circumstances they are relevant.

Thankfully, with Asimily, healthcare organizations can receive all the benefits that analysis of the MDS2 provides with no work on their part. That’s because Asimily takes the lead in collecting and analyzing The manufacturer disclosure data, with the largest repository of MDS2s in the industry. But collecting the MDS2 isn’t enough: Asimily digitizes the form, and incorporates the data into all parts of the HDO’s workflow:

• The exploitability of a potential vulnerability, as expressed by Insight’s Likelihood score, can be reduced by mitigations that may exist on the device.
• The impact on the healthcare organization that a breach could cause is also affected by information contained in the form, for example, if a device stores PHI without encryption.
• The MDS2 form can inform the mitigation recommendations that Insight provides, as specific mitigations may require the device to support a particular configuration.
• Finally, the manufacturer disclosure data is useful when conducting a pre-procurement risk analysis, which Asimily enables with the ProSecure module.

How Asimily Uses MDS2s

With Asimily Insight, healthcare organizations can view a digitized version of the MDS2 when viewing the details of any device on their network.

Since it can be quite difficult to understand how these answers practically impact an organization’s security, Asimily assigns a score to each answer. These scores are then aggregated together and are one of the sources feeding into Insight’s “Likelihood” calculation, which measures the probability of successful exploitation.

Insight uses the section on “Management of Personally Identifiable Information” as part of its Data Impact calculation, since the ability of an attacker to exfiltrate PHI from a compromised device is greatly impacted by how said PHI is stored and transmitted, and by how it is protected on the device.

Asimily ProSecure uses the information from the MDS2 form as one of the factors to generate risk reports for devices that organizations are considering for procurement. Since it can be a challenge for organizations to collect manufacturer disclosure data from each vendor for all the devices they are considering, ProSecure acts as both a source of MDS2 data and a platform for integrating the data into a holistic process of evaluating the security of a device before it is connected to the network.

Asimily has a large collection of MDS2s – currently over 1200 MDS2s and growing every day. Furthermore, customers can submit their manufacturer disclosure data that they receive from vendors or other sources; they are automatically processed and treated the same as MDS2s that are first-party collected. As Software Bills of Materials (SBOMs) become widely available, Asimily is integrating the information contained in them into different modules.

The MDS2 form provides invaluable information when evaluating the security of a medical device, whether it is already deployed or being evaluated for purchase. When choosing an IoMT cybersecurity solution, it’s important to understand not just the number of MDS2s it has but also how deeply the data from the form is integrated into the rest of the solution. After all, information is only useful when it is put to use.

Where the Industry Must Go

Leveraging only technological solutions, or relying heavily on a single technical approach like manufacturer disclosure data analysis, will ultimately be insufficient, leaving gaps in healthcare organizations’ security posture. healthcare organizations should instead use a layered approach to defending their environments from bad actors. 

Asimily gathers and digitizes MDS2 and SBOM information into all aspects of our  IoMT risk remediation platform workflow, including pre-procurement risk analysis. This enables healthcare organizations to systematically drive real risk reduction in their environment while promoting operational efficiency for all their critical devices.

To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.