MDISS has created an open and collaborative innovation community dedicated to establishing improved security and safety for medical devices, associated networks, patients and critical healthcare infrastructure. The MDISS community has created a Medical Device Risk Assessment Platform (MDRAP) and associated collaborative and consensus built products and services to support healthcare technology cybersecurity and safety.
MDRAP operates as a Risk Analysis Platform. It is particularly useful for helping within the Risk Management Framework regarding:
- Audit-based initial (baseline) risk assessments for each medical device, generating a Cyber Security Framework (CSF) profile by evaluating the current risk and security controls for each medical device in a healthcare delivery organization (HDO).
- Providing the basis for a desired or "target" CSF profile, together with an initial assessment of the likely success and impact of risk controls.
- Assisting an HDO in framing cybersecurity risk as part of a robust multi-tiered organizational Risk Management Framework, so that each level of organizational management has visibility into current and planned risk, and into changes in risk caused by new threats, increased vulnerabilities, or newly introduced medical devices.
Using MDRAP, HDOs produce a comprehensive assessment of the security risks associated with their medical devices, focusing on unique device models, key care delivery areas (e.g., Cath Lab), and key device categories (e.g., physiological monitoring devices). Risk management portfolios are established based on device type, providing:
- A standardized analysis of device risk, enabling a unified view,
- An understanding of exposure and vulnerabilities within and across departments and care contexts, and
- The ability to identify and aggregate common vulnerabilities that could be remediated collectively.
The MD-X ecosystem plays a vital role in mitigating cybersecurity risk throughout the healthcare sector through its crowdsourcing approach. The ability to have all the stakeholders leverage their individual capabilities and practice knowledge is essential to reducing the number of potential vulnerabilities through information sharing channels. Through establishment of risk management portfolios, MDRAP can help standardize across the industry risk
Crowdsourcing allows the MDRAP users to pool and share completed risk assessments for their inventories of devices to optimize resource utilization, and to gain insights on analysis, research, and operations from other stakeholders addressing the same public health challenges of medical device cybersecurity and safety. Through crowdsourcing:
- Users can create, deploy and share their completed Risk Assessment questionnaires.
- Users can create, deploy and share their own Risk Analysis Framework Models and Visualizations.
Risk Assessment Framework
MDRAP sits between the Assess and Frame portions of the NIST Special Publication (SP) 800-30 Guide for Conducting Risk Assessments process. The outputs of MDRAP's collective risk assessments across all medical devices assist HDOs in monitoring their compliance with their risk management process and their desired level of implementation of the NIST CSF.
After MDRAP risk assessments have been completed for an organization's medical devices, the combined set of risk assessments should be used to inform mission priority and Framework profile selection. Effective communication about cybersecurity risk is critical, and the capability to produce a high-level summary risk assessment will improve the overall risk management plans in place throughout the manufacturer and HDO sectors. After profile implementations have been completed, MDRAP assessments can be repeated for the upgraded controls and coupled with the most current threat intelligence from MD-X. Finally, as the nature of the threat changes current and future risk, information from medical device vulnerability information sharing sources (e.g., ICS-CERT, US-CERT, FDA, NH-ISAC, MD-VIPER) can be used to determine whether current and planned controls still fit within an organization's business priorities, risk tolerance, and resource constraints.