The Medical Imaging and Technology Alliance (MITA) recently published cybersecurity and risk management guidance for medical devices in an attempt to direct healthcare providers on how to deal with device-related issues. It acts as a voluntary guide and outlines security features that have been integrated into medical devices. The standard, called the Manufacturer Disclosure Statement for Medical Device Security (MDS2), was developed by and with industry stakeholders in mind.
Users can benefit from MITA's detailed description of device features and capabilities. They can also gain an understanding of the roles they, as healthcare providers, must play and the responsibilities manufacturers have in securing medical devices. According to the guide, manufacturers must "ensure the devices they place on the market include industry-standard security controls to enable safe and secure operation." This assists healthcare providers in fulfilling their responsibilities towards medical device security operations within their organizations.
One of the more practical things that MITA has introduced to help both manufacturers and organizations alike is a data sheet that manufacturers can complete. In it, they can detail all their devices' security features, including audit controls, authorization controls, data backup and disaster recovery functions, and much more. Such information can guide organizations in their performance of risk assessments and their development of effective cybersecurity risk management programs.
MITA's standard aims to fill in some of the blanks and increase transparency in the healthcare industry. It promotes communication, cooperation and understanding between all stakeholders involved in the security of medical devices. This includes manufacturers, healthcare providers, government agencies, and cybersecurity researchers.
Nonetheless, the authors stress that before using the guidance, healthcare providers must identify the most suitable security controls for their devices by assessing their security, performance, operational environment and other relevant factors. Additionally, the guidance cannot stand alone; rather, it should be used concurrently with other existing information, laws and regulations regarding the delivery of secure care.
Standards such as this one are what improve cybersecurity in healthcare organizations. Research conducted by the Department of Veterans Affairs and UL revealed that guidance, testing and certifications improve medical device security. This is because as technology evolves and the healthcare industry gains a better understanding of cybersecurity, stakeholders begin looking to standards to guide their device procurement process and secure their new tech.