CIS and MDISS Release New Resources to Further Reduce Cyber Security Risk to Healthcare Systems


Consensus-based security recommendations will help medical device manufacturers and healthcare providers assess and mitigate cyber vulnerabilities

Center for Internet Security
Medical devices and the systems they rely on need to be protected from the increasing volume of cyber threats.

The Center for Internet Security (CIS) and the Medical Device Innovation, Safety and Security Consortium (MDISS) today announced the availability of new resources to help address the growing security concerns about network-connected medical devices. The CIS/MDISS Security Benchmark Mapping Guidance provides security recommendations that can be used by medical device manufacturers during the product development process, as well as assist healthcare providers in evaluating the security controls for medical devices prior to purchase and implementation.

The new security recommendations, which are released to coincide with National Cyber Security Awareness Month, each provide a detailed, easy-to-use matrix that aligns industry-recognized, consensus-based secure configuration best practices developed by CIS with Security Capabilities included in a Technical Report (IEC/TR 80001-2-2) within the International Electrotechnical Commission (IEC) 80001-1, a global standard for performing risk management of IT networks that include medical devices. The configuration guidelines, which were developed in collaboration with healthcare providers, manufacturers, cyber security experts and government entities, specifically apply to those devices that incorporate Microsoft Windows 7 and XP operating systems, which are commonly used for healthcare device systems.

These new resources provide recommended security controls spanning a majority of the IEC/TR 80001-2-2 security capabilities, including system and application hardening, access control and malware detection and protection.

Additionally, healthcare providers can leverage the new CIS/MDISS guidance as supplementary resources to the widely used Manufacturer Disclosure Statement for Medical Device Security (MDS2) form, a collaboration between the Healthcare Information and Management Systems Society (HIMSS) and the National Electrical Manufacturers Association (NEMA), which provides manufacturers with a means for disclosing the security-related features of the medical devices they bring to market.

“Medical devices and their associated networks are critical components of our nation's digital health infrastructure. Ensuring these devices and networks are secure is important for patient safety, patient privacy, and the safeguarding of our nation's critical health infrastructure,” said Dale Nordenberg, M.D., MDISS executive director. “MDISS members are committed to ongoing collaborative efforts to better understand security risks and to the development of innovative solutions that address increasing concerns of device safety and security.”

“We must do everything we can to safeguard the IT systems that manage medical devices and the patients who rely on them,” said William F. Pelgrin, CIS president and CEO. “CIS is pleased to co-lead this collaborative effort with MDISS and work with all of our partners to develop well-defined security baselines that help further strengthen defenses against cyber attack.”

Medical devices and the systems they rely on have become so interconnected and mobile that they need to be protected from the ever-increasing volume of cyber threats in order to protect the confidentiality of patient information and safeguard patient safety. In recognition of this growing concern, CIS launched an initiative in 2013 to help bolster the protection of networked medical devices from cyber threats. CIS issued a request for information to U.S. medical device manufacturers that invited voluntary participation. MDISS, which has long been an established leader in medical device security and safety, agreed to co-lead the initiative with CIS. Other participants include the Council on CyberSecurity (CCS), Albany Medical Center (AMC), the College of Healthcare Information Management Executives (CHIME), the National Health ISAC (NH-ISAC), the Association for the Advancement of Medical Instrumentation (AAMI), Underwriters Laboratory (UL), and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

The CIS/MDISS Security Benchmark Mapping Guidance documents are the first set of resources developed through the initiative, with additional guidance planned for future release.

CIS and MDISS encourage all interested parties to provide additional feedback and recommendations on improving these resources, to offer suggestions on creating similar guidelines, and to become directly involved in the initiative’s working group. Please contact CIS at Download the new resources at CIS.

Join CIS and MDISS at the FDA Public Workshop:
Collaborative Approaches for Medical Device and Healthcare Cybersecurity
October 21-22, 2014

About the Medical Device Innovation, Safety and Security Consortium
The Medical Device Innovation, Safety and Security Consortium (MDISS) is a collaborative and inclusive nonprofit professional organization committed to advancing health care quality with a focus on the safety and security of medical devices. MDISS was launched in 2011 as a response to the continuing concerns surrounding the security and interoperability limitation of medical devices. Our mission is to protect public health and ensure wide availability of innovative and safe medical devices. MDISS creates industry awareness and brings innovative approaches to ensure safety and security of medical devices through rigorous research efforts and continuous collaboration with stakeholder communities, including healthcare delivery organizations, manufacturers, patients, government agencies and technology companies.

About the Center for Internet Security
The Center for Internet Security (CIS) is a 501c3 nonprofit organization focused on enhancing the cyber security readiness and response of public and private sector entities, with a commitment to excellence through collaboration. CIS produces consensus-based, best practice secure configuration benchmarks and security automation content, and serves as the key cyber security resource for state, local, territorial and tribal governments, including chief information security officers, homeland security advisors and fusion centers. CIS provides products and resources that help partners achieve security goals through expert guidance and cost-effective solutions. To learn more please visit or follow us at @CISecurity.

Krista Montie
The Center for Internet Security

Liz Grimes
Overit for The Center for Internet Security
518-465-8829 x 213

Dale Nordenberg
Medical Device Innovation, Safety and Security Consortium
