After a long and grueling procurement process, your hospital finally receives a new supply of ventilators. Along with the devices, the vendor sends bundles of booklets: troubleshooting manuals, warranty information, and every Biomed and Clinical Engineer's favorite go-to doc: the device's MDS2 form.
You know you’re going to spend a lot of time with this form. After all, it’s the gold standard of guidelines for medical device security. It’s also chock-full of information about your new ventilator’s functionality: does it perform automatic logoffs or have a disaster recovery mechanism? Can it store and send PHI? Does it have default passwords, and can you change those passwords into something long and obscure that no brute-force attack in the universe could break? Check your shiny new device’s handy-dandy MDS2 form.
That’s not to say the form is the be-all-end-all of healthcare security. For all the information MDS2 forms can give you about connected medical devices, that information will always be static. It can’t tell you anything about your devices’ real behavior in a dynamic environment like your actual clinical network. That’s why it’s so important for hospital Biomed and IT security teams to use a combination of dynamic and static info when you’re building a security policy. If you don’t, what looks like a great policy on paper might very well interrupt clinical services and hurt patients.
Even though MDS2 forms can only give you static information on devices, this information is the official jumping-off point for anyone working in healthcare security. Not only do the forms give you the basics of device security behaviors and standards, the information they provide about patching and software updates can help:
Dynamic information is just as important as the static info MDS2 forms give you. Grab your MDS2 forms to get the benchmark for standard device behaviors but always monitor your live network to understand your devices’ actual behavior. In a lot of cases, actual device behaviors don’t line up with the info on MDS2 forms, but not every discrepancy is cause for alarm. That being said, if you don’t keep up with the discrepancies between static and dynamic information, you could run into some security challenges. Let’s take a look at some examples:
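One way to put the static-versus-dynamic comparison into practice is to load the MDS2 answers for each device into a small profile and check every observed network flow against it, grading each discrepancy so that an undocumented NTP query is merely flagged for review while PHI leaving the network from a device whose form says it cannot transmit PHI is an alarm. The script below is an added example written for this post, not Cynerio's code or any vendor's MDS2 data; the device names, addresses, flow records, protocol lists and the boolean field names on the profile are all constructed assumptions that only loosely follow MDS2 question areas.

```python
"""Reconcile a device's static MDS2 answers with its observed network behaviour.

Added example, not Cynerio's code. Every device name, MDS2 answer, address and
flow record below is constructed for illustration; the field names are
assumptions that only loosely follow MDS2 question areas.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Mds2Profile:
    """Subset of MDS2 answers for one device, reduced to booleans (assumed names)."""
    device: str
    transmits_phi: bool            # "can the device transmit private data?"
    remote_service_expected: bool  # vendor remote access is documented on the form
    expected_protocols: set = field(default_factory=set)  # empty = not documented


@dataclass
class Flow:
    """One connection summary from passive monitoring of the clinical network."""
    device: str
    direction: str  # "in" (towards the device) or "out" (from the device)
    peer: str       # IP address of the other endpoint
    port: int       # server-side port
    protocol: str   # application-protocol label assigned by the monitor


# Environment assumptions, not MDS2 content.
PHI_PROTOCOLS = {"HL7", "DICOM", "FHIR"}       # protocols that normally carry PHI
REMOTE_ADMIN_PORTS = {22, 3389, 5900}          # SSH, RDP, VNC
HOSPITAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(ip: str) -> bool:
    """True if the peer sits inside the hospital's own address space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSPITAL_NETS)


def reconcile(profiles: dict, flows: list) -> list:
    """Compare each observed flow with the MDS2 profile of its device.

    A finding is a dict with "device", "severity" and "reason".
    "alarm"  = behaviour the form says should not happen at all;
    "review" = undocumented but not necessarily dangerous (e.g. NTP).
    """
    findings = []

    def note(flow, severity, reason):
        findings.append({"device": flow.device, "severity": severity,
                         "reason": f"{reason} ({flow.protocol} {flow.direction} "
                                   f"{flow.peer}:{flow.port})"})

    for f in flows:
        profile = profiles.get(f.device)
        if profile is None:
            note(f, "review", "device seen on the network but no MDS2 form on file")
            continue
        carries_phi = f.protocol in PHI_PROTOCOLS
        if carries_phi and not profile.transmits_phi:
            note(f, "alarm", "MDS2 says device does not transmit PHI")
        if carries_phi and not is_internal(f.peer):
            note(f, "alarm", "PHI-carrying traffic leaving the hospital network")
        if (f.direction == "in" and f.port in REMOTE_ADMIN_PORTS
                and not profile.remote_service_expected):
            note(f, "alarm", "inbound remote-administration session not documented")
        if profile.expected_protocols and f.protocol not in profile.expected_protocols:
            note(f, "review", "protocol not listed on the MDS2 form")
    return findings


# Constructed sample data: two ventilators with forms on file, one pump without.
PROFILES = {
    "vent-01": Mds2Profile("vent-01", transmits_phi=True,
                           remote_service_expected=False, expected_protocols={"HL7"}),
    "vent-02": Mds2Profile("vent-02", transmits_phi=False,
                           remote_service_expected=False),
}
FLOWS = [
    Flow("vent-01", "out", "10.20.30.40", 2575, "HL7"),    # documented, internal: fine
    Flow("vent-01", "out", "10.20.30.50", 123, "NTP"),     # undocumented, harmless: review
    Flow("vent-01", "in", "10.99.1.5", 22, "SSH"),         # undocumented remote admin: alarm
    Flow("vent-02", "out", "198.51.100.9", 104, "DICOM"),  # form says no PHI, yet PHI goes external
    Flow("pump-07", "out", "10.20.30.40", 2575, "HL7"),    # no MDS2 form at all
]


def run_example() -> list:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(PROFILES, FLOWS)


if __name__ == "__main__":
    for finding in run_example():
        print(f"[{finding['severity']:6}] {finding['device']}: {finding['reason']}")
```

The two severity tiers are the point: the script separates "the form never mentioned this" (review) from "the form says this cannot happen" (alarm), so the Biomed and IT teams triage the latter first instead of treating every mismatch between the MDS2 form and the live network as an incident. In a real deployment the profiles would be filled from the vendor's forms and the flows from the network monitoring platform rather than from the inline lists.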
If you’re serious about building a sustainable cybersecurity program for your hospital, your first order of business should be getting cozy with your devices’ MDS2 forms. But it’s just as important to monitor your network so you know exactly how your devices are behaving in real time. Together, the static information from MDS2 forms and the dynamic information from your live network will give you the official 411 on your devices’ security and help keep your IT and Biomed teams synced and poised to keep your hospital cyber secure.
Cynerio is the world's premier medical-first IoT cybersecurity solution. We view cybersecurity as a standard part of patient care and provide healthcare delivery organizations with the insight and tools they need to secure clinical ecosystems and achieve long-term, scalable threat remediation without disrupting operations or the delivery of care.