Answer: The Medical Device Innovation, Safety and Security Consortium (MDISS), founded in 2011, is a non-profit public health initiative and patient safety organization focused on medical device cybersecurity. MDISS also helps its member organizations by providing a forum for sharing expertise in practical technology, operations and policy solutions, with the goal of contributing substantially to improved safety of connected medical devices.
MDISS was the first organization dedicated to specifically addressing these important medical device cyber health challenges.
MDISS members bring deep expertise and understanding of technical vulnerabilities to bear on the complex. In addition, MDISS programs also support the development of epidemiologic methods, regulatory science and a public-private partnership model for public health interventions.
Answer: MDISS’ mission is to protect public health and well-being by advancing computer risk management practices to ensure wide availability of innovative and safe medical devices through collaborative innovation activities with providers, payers, manufacturers, universities, government agencies, technology companies, individuals, patients, patient advocates and associations.
As a 501(c)(3) non-profit public health and patient safety organization, MDISS is focused on medical device cybersecurity. Our primary purpose is to help member organizations develop practical technologies, practices and policy solutions for making connected medical devices safer and more secure. We do this by:
• Applying deep expertise in identifying and mitigating technical vulnerabilities
• Promoting effective standards and regulations
• Focusing on patient-centered security
Answer: MDISS Membership offers multiple engagement levels:
• Leadership Council Membership is open to a variety of organizations, including:
o Large medical device manufacturers
o Large technology and consulting firms in the medical device arena
o Insurance companies
o Trade associations and other non-profit groups serving the medical device community, including advocacy and lobbying groups
• Working Group Council Membership is open to small and medium device manufacturers and technology firms.
• Start-Up Membership is open to new medical device and healthcare software companies with less than $25M in funding.
• Health Delivery Organizations (HDOs) and hospital networks are eligible for membership. There are two levels of HDO membership:
o Basic HDO membership is free and includes access to MDRAP
o HDO Enhanced membership provides members with additional benefits and services on a fee-based plan
Answer: MDISS does not currently offer personal memberships. If you are an individual in the Medical Device arena who is interested in exploring membership in MDISS, please contact Don Rahtjen, Director of Partner Engagement, at don.rahtjen@mdiss.org for information about the level of MDISS membership that may best suit your needs.
Answer: Any membership in MDISS runs for 12 months from the date of initial acceptance and is renewable in 12-month increments thereafter.
Answer: MDISS offers a variety of benefits to our members. Benefits include helping member organizations develop practical technologies, practices and policy solutions for making connected medical devices safer and more secure. Additionally, MDISS provides opportunities to collaborate, engage and lead the development and awareness in this space.
Below is a list of prospective membership benefits. While representative, this list is subject to change and is not to be considered comprehensive. Current membership benefits will be detailed in each member’s formal Membership Agreement.
• Access to MDRAP, the crowdsourced and expert-vetted medical device security evaluation and reporting platform from MDISS. MDRAP catalogs risk profiles and real-world performance data for thousands of different medical devices around the world.
• Access to the MDISS DATA COMMONS, our growing database of medical devices, vulnerabilities, mitigations and best practices.
• Admission to regular MDISS working group sessions.
• Admission to steering group strategy sessions.
• Speaking slots at MDISS-hosted events.
• Complimentary tickets to MDISS events requiring a registration fee.
• MDISS members get preferred access to WHISTL™ labs all over the world. This network of labs enables healthcare providers not only to verify and validate the control claims of medical device manufacturers but also to identify, validate and share control practices across the community. WHISTL™ facilities are a federated network of medical device security testing labs, independently owned and operated by MDISS-member organizations. The goal is to help organizations work together to more effectively address the public health challenges arising from cybersecurity issues emergent in complex, multi-vendor networks of medical devices.
• Promotion on MDISS Website as a LEADERSHIP organization, MDISS quotes for your press releases, and support for a joint press release announcing your Leadership stake in MDISS. MDISS will syndicate your blog posts and whitepapers as desired in MDISS blogs and social media.
Answer: MDISS promotes its mission and goals in a variety of ways, including:
• Advocacy
o MDISS National Cyber Safety Network
o This is a new initiative based on the CDC’s National Health Safety Network (NHSN); it aims to leverage public/private partnerships with federal agencies, state and local public health officials, academics and researchers, and the rest of the stakeholder community to create better patient outcomes. This is complex and long term, but closely mirrors the mission of MDISS overall. If you’re interested in joining the discussion, send a note to our Executive Director, Dale Nordenberg at dale.nordenberg@mdiss.org.
o MDISS Indemnification initiative works directly with State and Local governments to advance medical device security initiatives leveraging existing, traditional public health best practices they already understand – and fund.
• Medicalizing Standards
o IEC 62443-4 is the international security best practices standard for vendors of industrial control systems with clear utility for medical device networks. The ISA99 Committee named MDISS as the official liaison to IEC 62443-4 responsible for “medicalizing” the standard.
• University Alliances
o MDISS partners with major Universities and academicians around the country to connect researchers to their counterparts on the front lines of business and healthcare. University faculty and students get special discounts on MDISS programs and memberships, and MDISS member companies benefit from personal introductions to relevant scientists and researchers.
Answer: MDRAP (Medical Device Risk Assessment Platform) is MDISS’s cyber risk assessment and data sharing platform. Results are dynamic and easy to collate. Crowdsourced from vetted Healthcare Technology professionals, MDRAP™ generates a new kind of medical device security profile – one that is easy to complete, clear, concise, and – most importantly – actionable.
The MDRAP assessment tool is anchored in the MDS2, which is a good starting point for understanding the controls that are available for or applicable to the technology of interest. MDRAP provides functionality to compare devices from a control feature basis on the procurement side and helps identify control gaps and prioritize remediation for existing inventory. By maximizing the implemented controls as new equipment is brought into the healthcare delivery environment, and applying the available controls to the existing inventories, healthcare systems can systematically reduce the vulnerability footprint created by integrated medical devices.
MDRAP™ assessments are deeper, more flexible and more contextual than MDS2’s. MDRAP is transparent, actionable and fast – and the network effects of “crowdsourcing” mean that your teams will spend less time entering data and more time addressing controls.
MDRAP catalogs risk profiles and real-world performance data for thousands of different medical devices around the world.
Answer: Access to MDRAP is available to Healthcare Delivery Organization and Medical Device Manufacturer staff. MDRAP is also available to independent service and consulting engaged by an HDO or MDM.
Answer: MDISS World Health Information Security Testing Lab (WHISTL™) facilities are located all over the world. This network of labs enables healthcare providers not only to verify and validate the control claims of medical device manufacturers but also to identify, validate and share control practices across the community. WHISTL™ facilities are a federated network of medical device security testing labs, independently owned and operated by MDISS-member organizations. The goal is to help organizations work together to more effectively address the public health challenges arising from cybersecurity issues emergent in complex, multi-vendor networks of medical devices.
Answer: Please contact us directly to find out more about MDISS, membership, and the benefits we offer to the Medical Device community.
• For detailed information about becoming an MDISS member or for more information about MDRAP, contact Phil Englert at phil.englert@mdiss.org.
• For an overview of MDISS, explore our website, starting here: https://www.mdiss.org.