Answer: The MDRAP questionnaire consists of about 135 questions that start with the MDS2 (Medical Device Security Manufacturers Disclosure Statement) and go somewhat deeper. Follow up questions gather details relative to potential risks, vulnerabilities, organizational impact, and level of effort required to remediate the risk.
Answer: MDRAP was commissioned by the US Department of Homeland Security to provide a platform that would go beyond MDS2, and allow healthcare and security professionals to make rational comparisons between and tradeoffs among the myriad security project choices they face. MDRAP was developed with input from over 20 different technology and healthcare organizations, along with leading medical device cybersecurity experts unaffiliated with MDISS.
Answer: Absolutely not! MDRAP contains a built-in MDS2 “ingestor” that enables fast and easy uploads of the security information that you DO have on hand for your device inventory. Having an MDS2 just makes finishing your MDRAP assessment a lot faster, and then MDRAP makes it possible to compare all of the security projects on your plate rationally.
That’s it, you’re up and running! At this point you’ll probably want to upload information about a bunch of devices you already have in your inventory. During the onboarding, we’ll tell you how to send that file to us, and our engineers will load all that up for you, FREE, and we’ll do the matching to devices already in our database, too!
Finally, if you want, we can schedule a FREE hands-on training for the rest of your biomed team to show them how to fill out MDRAP assessments quickly and efficiently. But this is often unnecessary – the platform is very easy to use. And as a MDISS member, we are here to support you or your team anytime you get stuck.
Answer: Yes, MDISS and MDRAP hosts a massive digital catalog of electronic medical devices that is cross-indexed to the US FDA’s own database. You can search our catalog to find devices to quick-add them to your inventory or you can provide a spreadsheet to MDISS and we’ll do the initial upload of your inventory to MDRAP for you – no charge.
Answer: A trained biomed with access to device documentation and MDS2 files should be totally capable of completing an MDRAP assessments with minimal assistance. Sometimes it helps if the biomed works side by side with someone from IT to complete assessments together.
Answer: The MDRAP Analytics Scoring Framework includes the ability for sets of risk assessment questionnaires to be computed and visualized. This visualization of results includes multiple quantifiable analytical dimensions such as computed risk, computed likelihood of an event and level of effort to remediate this event. MDRAP visualization tools plot “Level of Effort to Remediate” against “Impact to Organization” and “Likelihood of Occurring” so that your teams can more rationally decide what to work on first. MDRAP provides additional hints and notes relevant to HDOs to help them select specific vulnerabilities for mitigation based on the assessment results.
Answer: YES, you can view “shared” assessments from the larger MDISS/MDRAP community via the ASSESSMENTS tab. Not all organizations share. But if you’re sucking down lots of assessments that other people did, karma would dictate that you might want to share your work with the community, in turn.
We know sharing is hard, especially in medical contexts. But crowdsourcing is key to making device assessments work for everyone. If every hospital has to do their own assessments of every device they own, then positive network-effects never come into play, and you might as well quit MDISS, NH-ISAC, HIMSS and ICS-CERT and enjoy your private island of duplicated effort.
That being said, every hospital network uses devices slightly differently, so an assessment sourced from outside your organization will always need to be “asterisked”, so you can make sure to “handicap” those scores against your internal reality. By creating standardized “risk management portfolios” MDISS and MDRAP hope to help you leverage standardized risk mitigation strategies and best-practices vulnerability aggregation… saving you lots of time, lots of money and helping you avoid re-inventing the wheel again and again.
Answer: MDRAP is particularly useful for: