medical devices and systems that maintain or transmit ePHI. A standardized form allows manufacturers to quickly
respond to a potentially large volume of requests from providers for information regarding the security-related features of
the medical devices they manufacture. The standardized form also facilitates the providers’ review of the large volume of
security-related information supplied by the manufacturers. This form was adapted from portions of the ACCE/ECRI
Biomedical Equipment Survey Form, a key tool found in Information Security for Biomedical Technology: A HIPAA
Compliance Guide (ACCE/ECRI, 2004). HIMSS recommends that the information in the MDS2 be used to help complete the ACCE/ECRI form and associated processes as part of each organization’s HIPAA Security compliance efforts.
The manufacturer-completed MDS2 should:
(1) Be useful to healthcare provider organizations worldwide.
While the form does supply information important to providers who must comply with the HIPAA Security Rule, the
information presented is intended to be useful for any healthcare provider who aspires to have an effective information
security and risk management program. Outside the US, providers would therefore find the MDS2 an effective tool in
addressing such regional regulations as EC 95/46, HPB 517, and PIPEDA.2
(2) Include device-specific information addressing the technical security-related attributes of the individual device model.
A completed MDS2 form provides a simple, flexible way of collecting the technical, device-specific elements of the total
risk assessment. Providers around the world should find a completed MDS2 form useful in controlling information
security (i.e., confidentiality, integrity, and availability) risks. Note, however, that the MDS2 is not intended and should not
be used as a basis for medical device procurement. Writing procurement specifications requires a deeper and more
extensive knowledge of security and the provider’s mission.
Using the information provided by the manufacturer in the MDS2 combined with information collected about the care
delivery environment (e.g., through tools like ACCE / ECRI’s guide for Information Security for Biomedical Technology),
the provider’s multidisciplinary risk assessment team can review assembled information and make informed decisions on
implementing a local security management plan.
The Role of Healthcare Providers and Medical Device Manufacturers in the Security Management Process
Responsibility for effective security management must ultimately lie with the provider organization. Generally the device
manufacturers can assist providers in their security management programs by offering information associated with:
• the type of data maintained / transmitted by the manufacturer’s device or system
• how data is maintained / transmitted by the manufacturer’s device or system
• any security–related features incorporated in the manufacturer’s device or system
1 As defined by HIPAA Security Rule, 45 CFR Part 164.
2 EC 95/46 is the European Parliament and Council’s Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data;
HPB 517 is the Japanese Electronic Storage of Clinical Records law; and
PIPEDA is the Canadian Personal Information Protection and Electronic Documents Act.
In order to effectively manage medical information security and comply with relevant regulations, healthcare providers
must employ administrative, physical and technical safeguards, most of which (other than some technical safeguards)
must be adopted and employed on-site extrinsic to the actual device. Other than some general recommendations with
regard to medical devices:
• there are few ADMINISTRATIVE safeguards manufacturers can address beyond providing security-related assistance
• there are few PHYSICAL safeguards manufacturers can address beyond incorporating physical security features
(e.g., component lock & key, theft/intrusion alarms) in their devices
The greatest impact manufacturers can have on medical device security is to incorporate TECHNICAL Safeguards (i.e.,
meeting any relevant regulations. The medical device manufacturing industry is increasingly aware of the importance of
having effective security features in their devices and systems. Manufacturers are generally including such features in the
production of new devices and systems based on provider needs and requirements.
Instructions for Obtaining and Using the MDS2
Information provided on the MDS2 is intended to assist professionals knowledgeable in security and risk assessment
processes in their management of medical device security issues. The information on the MDS2 is not intended and may
be inappropriate for any other purpose.
Completed MDS2 forms for many devices and systems may be available directly from the device manufacturer. Check
the manufacturer’s web site first for relevant forms and, when not available there, contact a manufacturer’s representative
to request a MDS2 for the appropriate device(s)/system(s). If a manufacturer does not have a completed MDS2 for the
appropriate device(s)/system(s), enter the device category, manufacturer and model information in the appropriate boxes
on the top of a blank form3 and submit the form(s) and these instructions to the manufacturer’s compliance office for their
Note that HIMSS suggests that a standard naming convention be used for the device category terms and manufacturer
names listed on the form. This assists providers in matching information from the form to their equipment inventories.
ECRI’s Universal Medical Device Nomenclature System (UMDNS) is the most widely used. Used by thousands of
healthcare providers worldwide, UMDNS has been incorporated by the National Library of Medicine into its Unified Medical
Language System (UMLS), and has been recommended by the Institute of Medicine for inclusion in the US Department of Health
and Human Services (HHS) National Committee on Vital and Health Statistics (NCVHS) core terminology group. For
more information about UMDNS contact ECRI at www.ecri.org.
Side 1 of the MDS2 contains descriptive information on the type of data maintained/transmitted by device, how the data is
maintained/transmitted, and any security–related features incorporated in the device. Side 2 contains manufacturer-optional
recommended security practices and space for numbered explanatory notes that may expand on answers to
questions 1 through 19. Manufacturers may elect to attach supplementary material if additional space for recommended
practices or explanatory notes is necessary.
Maintaining ePHI includes storage on an internal disk, removable media, short-term computer memory, etc. Transmitting ePHI includes receiving/sending external to the device via network, telephone, direct connect cable, removable media, etc.
The four sections of this question relate directly to the 18 data elements referred to in HIPAA, any of which, if present, render the entire electronically transmitted/maintained data set as ePHI. The 18 data elements included in the Rule are:
• Geographic data (e.g., address)
• Dates (e.g., date of birth, admission, discharge, death, treatment)
The open, unstructured text question (2d) is intended to indicate an additional element where a provider might put
further identifying information.
Here the manufacturer provides more detail on how ePHI is maintained. Note that a fully networked device is likely to have all three items with a ‘Yes’ response.
Persistently on local media refers to media created or directly attached to the device under consideration (e.g., MR Scanner, 3-D workstation), not a remote archive.
Import/export ePHI refers to data that is sourced or destined to remote storage devices (e.g., an MR scanner that relies on an image server in a PACS system).
Import and export refer to movement of information via published open protocols to devices outside of the medical device under consideration (e.g., medical information bus (IEEE 1073), serial port, and published protocol that allows general access to ePHI). Dedicated cable here refers to communication via a point to point cable to a device or system outside of the device under consideration.
This question includes either explicit security training or explicit sections of administrator or user manuals that detail the device security features and their use.
This question identifies the underlying 3rd party system software platform (operating system) name or indicates if there is no 3rd party platform (i.e., proprietary system created for this manufacturer alone).
Refers to the typical installation of the manufacturer's device.
Refers to an integrated feature that supports information backup onto removable media (e.g., optical disk, magnetic disk, tape).
Identifies whether it is possible to start the device with software from any source other than the manufacturer's normal startup device (e.g., an integral hard disk or ROM).
Does the device allow, through root access, administrative privilege, or other non-intrusive method, a local user and/or IT staff to install software not provided and not explicitly authorized by the manufacturer (e.g., email client, office applications, virus scanner, browsers, games)?
Remote service refers to device maintenance activities performed by a service person via network or other remote connection.
Level of owner/operator access to device operating system. Here the manufacturer details what is technically possible if the device owner (generally the healthcare provider) has the technical ability to install security controls on the medical device under consideration. A MANUFACTURER ANSWERING ‘YES’ TO ANY OF THESE QUESTIONS DOES NOT MEAN THAT THE MANUFACTURER AUTHORIZES THE OWNER TO PERFORM THESE FUNCTIONS. THE OWNER ASSUMES ALL RESPONSIBILITY FOR UNAUTHORIZED INSTALLATION or REPAIRS. UNAUTHORIZED INSTALLATION or REPAIRS MAY VOID APPLICABLE WARRANTIES AND SERVICE AGREEMENTS. Authorization to perform these security-related services or changes to a medical device should be obtained in writing from the device manufacturer. Unauthorized changes to a medical device may remove it from government regulatory controls (e.g., FDA) and render the device an experimental medical device.
Controlled viewing refers to operations that have to do with the display, printing, or other use of ePHI (e.g., image display, record print-out).
Creation, modification, or deletion would mean that all these events are tracked in the log file.
Export or transmittal refers to the movement of ePHI outside of the device under consideration.
Emergency access features allow operators emergency access to the device in cases where the normal authentication cannot be successfully completed or is not working properly.
Physically secure connection is a cabling system that is not accessible to the general public (i.e., it is in a physically controlled space such as examining rooms, communication closets, or building plenum).
Fixed list is an explicit mechanism that limits the connections and nature of connections on a per-device basis.
Ensure integrity refers to methods that can detect and/or correct differences between an ePHI message as sent by the device and the ePHI message received by an external device. Is such a method available for use as part of the device under consideration (either in transmission or receipt of ePHI)?
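The following is an added example, not part of the HIMSS instructions or of any manufacturer's MDS2 answer, showing one concrete form an "ensure integrity" method can take: a keyed message authentication code (HMAC-SHA256) computed by the exporting device and recomputed by the receiver. The HL7-style message is constructed for the example and the 32-byte key is assumed to have been shared between sender and receiver out of band. The example also goes one step beyond the question text by contrasting the keyed tag with an unkeyed digest: an unkeyed checksum detects accidental corruption in transit, but anyone able to alter the message can recompute it, so it does not detect deliberate modification.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed HL7-style export message for the example (not a real device's output).
SAMPLE_MESSAGE = (
    b"MSH|^~\\&|MRSCANNER|RADIOLOGY|PACS|ARCHIVE|20240101120000||ORU^R01|MSG0001|P|2.5\r"
    b"PID|1||123456^^^HOSP^MR||DOE^JANE||19700101|F\r"
    b"OBX|1|TX|STUDY^MR Brain||Normal study\r"
)


def seal(message: bytes, key: bytes) -> bytes:
    """Sender side: compute an HMAC-SHA256 tag over the ePHI message.

    The key is assumed to be shared with the receiver out of band; it never
    travels with the message.
    """
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(message: bytes, tag: bytes, key: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time.

    Returns False if the message was altered, truncated, or sealed with a
    different key, so the receiver can reject it instead of storing it.
    """
    return hmac.compare_digest(seal(message, key), tag)


def plain_digest(message: bytes) -> bytes:
    """Unkeyed SHA-256 digest: useful against accidental corruption only."""
    return hashlib.sha256(message).digest()


def integrity_check_demo(key: Optional[bytes] = None) -> Dict[str, bool]:
    """Seal the sample message, then verify it against several failure modes."""
    key = key or os.urandom(32)
    tag = seal(SAMPLE_MESSAGE, key)
    tampered = SAMPLE_MESSAGE.replace(b"DOE^JANE", b"DOE^JOHN")  # patient name changed
    truncated = SAMPLE_MESSAGE[:-10]                             # last segment cut off
    return {
        "intact": verify(SAMPLE_MESSAGE, tag, key),
        "tampered": verify(tampered, tag, key),
        "truncated": verify(truncated, tag, key),
        "wrong_key": verify(SAMPLE_MESSAGE, tag, os.urandom(32)),
    }


def unkeyed_check_is_forgeable() -> bool:
    """Show why an unkeyed digest is not enough against a deliberate change.

    An attacker who can rewrite the message can also rewrite the digest that
    accompanies it, so the receiver's recomputation matches and the change
    goes undetected. Returns True when the forged pair passes the check.
    """
    tampered = SAMPLE_MESSAGE.replace(b"DOE^JANE", b"DOE^JOHN")
    forged_digest = plain_digest(tampered)   # attacker recomputes the checksum
    return hmac.compare_digest(plain_digest(tampered), forged_digest)


if __name__ == "__main__":
    print(integrity_check_demo())          # intact True, all others False
    print(unkeyed_check_is_forgeable())    # True: the unkeyed digest was forged
```

Whether the tag travels in a transport-layer wrapper (for example, TLS) or alongside the message in an application-level envelope is a design choice; the MDS2 question only asks whether some such method is available on the device for sending or receiving ePHI.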
This document is intended to assist healthcare providers in meeting their regulatory obligations regarding medical device
security. It is the obligation of the users of this document (e.g., the healthcare provider) to employ all necessary and
appropriate safeguards to meet their regulatory and organizational requirements. HIMSS does not assume any
responsibility for the application or the content of this form.