Tuesday, September 3, 2013

Major upgrade to MDS2 to align with IEC-80001

The Healthcare community should know about the MDS2; it is a standardized form to carry 'claims' of a product's security capabilities. By being a standardized form, it assures that a Healthcare organization can compare the security capabilities of a product and the vendor. By being a standardized form, the vendor can answer one set of questions rather than thousands of different questions. The result should be more thorough and consistent communication between product design and intended use, and the operational environment that deploys it.

As a document that carries claims, it is important for both vendors and providers. The claims must be accurate. As documentation of claims, the provider can hold the vendor to the claims stated. There is much worry about self-attestation, but that worry is only made better by providers holding vendors to their stated and published claims. Moving from the old MDS2 to this new form will take some time, and it will only happen if providers push for the use of the new form. The forcing function is clearly in the providers' hands.

The major rewrite this time around comes from the need to align with IEC-80001. The goal of IEC-80001 is to close the gap between the product design and the product being deployed in an operational environment. Thus IEC-80001 focuses much attention on making sure that the vendor clearly documents the capabilities and concerns, so that the operational environment can know what is important to work on and how to use the capabilities of the product. IEC-80001 covers more than just security; it also covers patient safety and product effectiveness.

The new MDS2 covers the following areas:
  • Device Description
  • Management of Private Data
  • Security Capabilities
    • Automatic Logoff
    • Audit Controls
    • Authorization
    • Configuration of Security Features
    • Cyber Security Product Upgrades
    • Health Data De-Identification
    • Data Backup and Disaster Recovery
    • Emergency Access
    • Health Data Integrity and Authenticity
    • Malware Detection/Protection
    • Node Authentication
    • Person Authentication
    • Physical Locks
    • Roadmap for Third Party Components in Device Life Cycle
    • System and Application Hardening
    • Security Guidance
    • Health Data Storage Confidentiality
    • Transmission Confidentiality
    • Transmission Integrity
    • Other Security Considerations
For More:

The new MDS2 standard is not yet available from the NEMA web site. The previous one is there with a 6/22/2012 date. The new MDS2 will be findable at: