IEEE Access (Jan 2024)

A Novel Approach to Medical Device IT Security Landscape Analysis Leveraging Manufacturer Disclosure Statements

  • Stefan Stein,
  • Simon Weber,
  • Michael Pilgermann,
  • Thomas Schrader,
  • Martin Sedlmayr

DOI
https://doi.org/10.1109/ACCESS.2024.3487824
Journal volume & issue
Vol. 12
pp. 160506 – 160515

Abstract

The growing number of cyberattacks targeting the healthcare sector increasingly threatens network-enabled medical devices that are vital for life-sustaining patient care. Security researchers and healthcare IT managers are pursuing effective methods to assess the IT security landscape of medical devices. Their goal is to develop a comprehensive understanding of the devices’ IT security status. Recent studies have successfully uncovered structural deficiencies in medical device security. However, the limitations of their data sources, particularly in evaluating features like logging capabilities and third-party libraries, restrict the scope of their findings. In this study, we present the first systematic analysis of Manufacturer Disclosure Statement for Medical Device Security (MDS2) documents to evaluate their use in creating holistic statements regarding the IT security posture of medical devices. We examined a total of 147 MDS2 documents encompassing devices from 105 different classes. Our findings indicate that MDS2 documents, especially those from the second version (2013) onwards, are suitable for this purpose. We also discuss the shortcomings of the latest MDS2 version in meeting current IT security requirements. Based on the gaps identified, we developed several recommendations to improve MDS2 documents and enhance their effectiveness across the global healthcare sector. In the future, these documents could be used not only for comprehensive landscape analyses but also for organization-specific reports, providing healthcare managers with direct insights into the IT security status within their institutions.

Keywords