by John R. Fischer, Senior Reporter | October 15, 2019
The Medical Imaging & Technology Alliance (MITA) has released a new standard geared toward supporting security risk management within healthcare delivery organizations.
Named NEMA/MITA HN 1-2019, Manufacturer Disclosure Statement for Medical Device Security (MDS2), the voluntary standard calls for manufacturers to be more transparent with healthcare delivery organizations by offering standardized information on security control features integrated within medical devices.
“Cybersecurity is about managing risk, and risk management is most effective when information is available. The information shared by manufacturers in the MDS2 is intended to help healthcare delivery organizations assess risks and make informed decisions about how to deploy devices in their environment,” Zack Hornberger, director of cybersecurity and informatics at MITA, told HCB News. “All the information shared by manufacturers in the MDS2 can help a healthcare delivery organization better protect their environment.”
Cybersecurity was ranked number one in ECRI Institute’s Top 10 Health Technology Hazards for 2019 report last year, marking its second year as the top hazard. In addition, a recent survey conducted by LexisNexis Risk Solutions and Information Security Media Group shows that HCOs have high levels of confidence in their cybersecurity preparedness, even though most surveyed organizations use only basic user authentication methods against an increasing number of patient identity theft and fraud instances in the marketplace.
MDS2 was developed by MITA and a diverse group of interested parties. It includes a form to provide healthcare delivery organizations with crucial information and security control features within their devices, and defines the roles of manufacturers and healthcare delivery organizations.
It also refers to medical device security as a shared responsibility. This view of shared responsibility aligns the standard with the position of the FDA, which in October 2018 released a "playbook" instructing providers on how to form individual emergency response plans to address threats to medical device cybersecurity. In it, the FDA states that manufacturers, hospitals, health care providers, cybersecurity researchers, and government entities are all responsible for ensuring the protection of their devices.
"Both healthcare facilities and medical device manufacturers recognize cybersecurity as a key business consideration and a fundamental patient safety issue," Sean Loughlin, AAMI vice president of communications and marketing, told HCB News at the time. "We have also seen a large increase in healthcare technology management professionals working collaboratively with information technology departments to institute safeguards at their local institutions. Preparedness is moving in the right direction, but its success really hinges on leadership, expertise, and resources at any given organization."
MITA plans to work with its partners to properly implement MDS2 over the next several months.