The Medical Imaging & Technology Alliance (MITA) published NEMA/MITA HN 1-2019, Manufacturer Disclosure Statement for Medical Device Security (MDS2), a voluntary standard that supports security risk management within healthcare delivery organizations by providing standardized information on security control features integrated within medical devices.

Development of the standard was led by MITA in conjunction with a diverse group of interested parties. It includes a form intended to provide healthcare delivery organizations with crucial information and security control features within medical devices. It also clarifies the roles of manufacturers and healthcare delivery organizations in ensuring secure medical devices.

The shared responsibility recognized by this standard aligns with the position of the U.S. Food and Drug Administration, which released a preparedness and response playbook to help organizations address threats to medical device cybersecurity.

Cybersecurity vulnerabilities

The U.S. Food and Drug Administration (FDA) is warning about vulnerabilities that may introduce risks for certain medical devices and hospital networks. A security firm has identified 11 vulnerabilities, URGENT/11, that may allow anyone to remotely control a medical device, change its function, interrupt service, or cause information leaks or logical flaws.

These vulnerabilities exist in IPnet, a third-party software component supporting network communications between computers. Though the IPnet software may no longer be supported by the original software vendor, some manufacturers have a license that allows them to continue to use it without support. Therefore, the software may be incorporated into other software applications, equipment, and systems which used current medical and industrial devices.

Medical device manufacturers are actively assessing which devices using these operating systems are affected, identifying risk and remediation actions. FDA officials expect additional medical devices will be identified.