MITA Puts Out New Medical Device Security Standard

The Medical Imaging & Technology Alliance (MITA) has published a new medical device security standard that gives healthcare delivery organizations (HDOs) crucial information on risk management and medical device security controls, to help secure medical devices against suspicious access and cyberattacks.

The new voluntary standard, known as the Manufacturer Disclosure Statement for Medical Device Security (MDS2) (NEMA/MITA HN 1-2019), was developed together with a broad range of industry stakeholders and adheres to the U.S. Food and Drug Administration (FDA) Medical Device Cybersecurity Playbook, released in October 2018.

The guidance makes clear that the cybersecurity of medical devices is a shared responsibility. HDOs should work together with medical device makers to make certain that regulations are followed. Device makers, HDOs, government agencies, and cybersecurity experts must work together to make sure that risks to medical devices are managed and reduced to reasonable and appropriate levels.

The new standard is meant to help streamline communications between HDOs and device makers, improve the transparency of information, and clarify the role of each party regarding the reliability of medical equipment.

Tim Walsh, Principal Information Security Analyst at CIS Operations, Mayo Clinic, and a member of the MDS2 Canvass Group, said that transparent data and the speed with which health delivery organizations obtain that information from makers are important, and that this Standard aims to foster the two.

The new standard includes information on the typical security controls integrated into medical devices to make sure that they satisfy industry requirements and can be used safely and securely. Nevertheless, it is the HDOs' responsibility to make sure that the devices are set up properly. HDOs must evaluate medical device security controls and determine whether they are appropriate, work within their own environments, and allow risk to be controlled and managed effectively.

Worksheets were created for evaluating the capabilities and security functions of each medical device. They cover the specifications, the administration of personally identifiable information, authorization controls, audit controls, data backup and disaster recovery capabilities, anti-malware protections, data integrity controls, connectivity, node authentication, protection guidance, how cybersecurity improvements will be carried out throughout the device lifecycle, and other key information for HDOs.

Medical device makers should complete the worksheets to give HDOs the technical details they need to carry out their own security threat assessments and build their security risk management programs.

Although the MDS2 form includes essential technical data on medical devices, MITA said that it is not meant to be used as the sole basis for medical device procurement, because creating medical device procurement requirements calls for more substantial knowledge of an HDO's security environment and healthcare vision.

The data on the MDS2 form should be combined with comprehensive information gathered about the care delivery environment in which the devices will be used. Tools like ECRI's Guide for Information Security for Biomedical Technology are helpful in this respect.