User:Tonybrns/MDS2

MDS2

Introduction

With the increased focus on medical device security and compliance with the HIPAA Security Rule of 2003, the HIMSS Medical Device Security Workgroup has created a standard Manufacturer Disclosure Statement for Medical Device Security (MDS2). The intent of an MDS2 is to furnish healthcare providers with significant information that can assist in assessing the vulnerabilities and risks associated with electronic Protected Health Information (ePHI) transmitted or maintained by medical devices. While security risk assessment is a broad, organization-wide effort, the MDS2 document focuses only on those aspects of the risk assessment process related to medical devices and systems that maintain or transmit ePHI.

The standardized MDS2 form serves the following purposes:
 * allows manufacturers to quickly respond to a potentially large volume of requests from providers for information regarding the security-related features of the medical devices they manufacture.
 * The standardized form also utilizes portions of the ACCE/ECRI Biomedical Equipment Survey Form, a key tool found in Information Security for Biomedical Technology: A HIPAA Compliance Guide (ACCE/ECRI, 2004).
 * HIMSS recommends that the information in the MDS2 be used to help complete the ACCE/ECRI form and related practices as part of each company's HIPAA Security compliance efforts.

Guidance:

(1) Should be beneficial to healthcare provider stakeholders worldwide. While the form does supply information important to providers who must comply with the HIPAA Security Rule, the purpose of the information is to serve any healthcare provider that aspires to have an effective information security and risk management program. Outside the US, providers would therefore find the MDS2 an effective tool in addressing such regional regulations as EC 95/46, HPB 517 (Japan), and PIPEDA.

(2) Include device-specific information addressing the technical security-related attributes of the individual device model. The completed MDS2 form provides a simple, flexible way of collecting the technical, device-specific elements of the total information needed by healthcare provider organizations (device users/operators) in preparing for their first round of medical device risk assessments. Providers around the world should find a completed MDS2 form useful in controlling information security (i.e., confidentiality, integrity, and availability) risks. Note, however, that the MDS2 is not intended, and should not be used, as a basis for medical device procurement. Writing procurement specifications requires a deeper and more extensive knowledge of security and of the provider's mission. Using the information provided by the manufacturer in the MDS2, combined with information collected about the care delivery environment (e.g., through tools like ACCE/ECRI's guide Information Security for Biomedical Technology), the provider's multidisciplinary risk assessment team can review the assembled information and make informed decisions on implementing a local security management plan.

The Role of Healthcare Providers and Medical Device Manufacturers in the Security Management Process

Responsibility for effective security management must ultimately lie with the provider organization. Generally, device manufacturers can assist providers in their security management programs by offering information associated with:

• the type of data maintained / transmitted by the manufacturer’s device or system

• how data is maintained / transmitted by the manufacturer’s device or system

• any security–related features incorporated in the manufacturer’s device or system

In order to effectively manage medical information security and comply with relevant regulations, healthcare providers must employ administrative, physical and technical safeguards, most of which (other than some technical safeguards) must be adopted and employed on-site, outside the device itself. Beyond some general recommendations with regard to medical devices, the following should be considered:

• there are few ADMINISTRATIVE safeguards manufacturers can address beyond providing assistance in security training

• there are few PHYSICAL safeguards manufacturers can address beyond incorporating physical security features (e.g., component lock & key, theft/intrusion alarms) in their devices

The greatest impact manufacturers can have on medical device security is to incorporate TECHNICAL safeguards (i.e., security features) in devices, to facilitate healthcare providers' efforts in maintaining an effective security program and meeting relevant regulations. The medical device manufacturing industry is increasingly aware of the importance of having effective security features in its devices and systems. Manufacturers generally include such features in the production of new devices and systems based on provider needs and requirements.

Instructions for Obtaining and Using MDS2

Information provided on the MDS2 is intended to assist professionals knowledgeable in security and risk assessment processes in the management of medical device security issues. The information on the MDS2 is not intended for, and may be inappropriate for, any other purpose.

Completed MDS2 forms for many devices and systems may be available directly from the device manufacturer. Check the manufacturer's web site first for relevant forms; when they are not available there, contact a manufacturer's representative to request an MDS2 for the appropriate device(s)/system(s). If a manufacturer does not have a completed MDS2 for the appropriate device(s)/system(s), enter the device category, manufacturer and model information in the appropriate boxes at the top of a blank form and submit the form(s) and these instructions to the manufacturer's compliance office for completion.

Note that HIMSS suggests that a standard naming convention be used for the device category terms and manufacturer names listed on the form. This assists providers in matching information from the form to their equipment inventories. ECRI's Universal Medical Device Nomenclature System (UMDNS) is the most widely used. Used by thousands of healthcare providers worldwide, UMDNS has been adopted by the National Library of Medicine into its Unified Medical Language System, and has been recommended by the Institute of Medicine for inclusion in the US Department of Health and Human Services (HHS) National Committee on Vital and Health Statistics (NCVHS) core terminology group. For more information about UMDNS contact ECRI at www.ecri.org.

Side 1 of the MDS2 contains descriptive information on the type of data maintained/transmitted by the device, how the data is maintained/transmitted, and any security-related features incorporated in the device.

Side 2 contains optional manufacturer-recommended security practices and space for numbered explanatory notes that may expand on the answers to questions 1 through 19. Manufacturers may elect to attach supplementary material if additional space for recommended practices or explanatory notes is necessary.