Question: How many man-hours does it take to complete an MDRAP Assessment for a given device? 

Answer: About 1 to 1.5 hours depending on the expertise and skill of the Biomed running the assessments. Assessments will get quicker as your team gets more familiar with the platform.


Question: What does the Medical Device Risk Assessment cover?

Answer: The MDRAP questionnaire consists of about 135 questions that start with the MDS2 (Medical Device Security Manufacturers Disclosure Statement) and go somewhat deeper. Follow-up questions gather details relative to potential risks, vulnerabilities, organizational impact, and level of effort required to remediate the risk.

Question: What’s the difference between MDRAP and MDS2? 

Answer: MDRAP was commissioned by the US Department of Homeland Security to provide a platform that would go beyond MDS2, and allow healthcare and security professionals to make rational comparisons between and tradeoffs among the myriad security project choices they face.  MDRAP was developed with input from over 20 different technology and healthcare organizations, along with leading medical device cybersecurity experts unaffiliated with MDISS.

Question: I have a bunch of MDS2s already. Do I throw them out?

Answer: Absolutely not! MDRAP contains a built-in MDS2 “ingestor” that enables fast and easy uploads of the security information that you DO have on hand for your device inventory. Having an MDS2 just makes finishing your MDRAP assessment a lot faster, and then MDRAP makes it possible to compare all of the security projects on your plate rationally.

Question: How do I get MDRAP?


  1. Join MDISS online. It’s free to healthcare organizations, HDOs and GPOs.  Other types of companies and individuals can purchase memberships from the INDIVIDUAL to the LEADERSHIP level.  And because MDISS is a 501(c)3 non-profit, your donations and fees are tax-deductible.

  2. We’ll ask you to confirm your email address and automatically sign you up for an onboarding session.

  3. Here’s where you’ll want to start thinking about how much you want to share your assessments with the rest of the MDRAP community.  The benefits to sharing are huge (often, someone else has already assessed the device you’re looking for, and you might be able to skip your assessment completely).  But sharing isn’t required.  It’s just encouraged.

That’s it, you’re up and running!  At this point you’ll probably want to upload information about a bunch of devices you already have in your inventory.  During the onboarding, we’ll tell you how to send that file to us, and our engineers will load all that up for you, FREE, and we’ll do the matching to devices already in our database, too!

Finally, if you want, we can schedule a FREE hands-on training for the rest of your biomed team to show them how to fill out MDRAP assessments quickly and efficiently.  But this is often unnecessary – the platform is very easy to use.  And because you are an MDISS member, we are here to support you or your team anytime you get stuck.

Question: How much will MDRAP cost my institution?   

Answer: As a project funded largely by the Department of Homeland Security, MDRAP is free to use, but you must join MDISS in order to get access to the platform and enjoy the benefits of our onboarding, continuous support and sharing functions.

Question: Do you have any list of medical devices on the market? 

Answer: Yes, MDISS and MDRAP host a massive digital catalog of electronic medical devices that is cross-indexed to the US FDA's own database. You can search our catalog to find devices and quick-add them to your inventory, or you can provide a spreadsheet to MDISS and we’ll do the initial upload of your inventory to MDRAP for you – no charge.

Question: Do we need individuals across several departments to be involved for these assessments? 

Answer: A trained biomed with access to device documentation and MDS2 files should be totally capable of completing MDRAP assessments with minimal assistance. Sometimes it helps if the biomed works side by side with someone from IT to complete assessments together.

Question: When I’m BULK IMPORTING my catalog of devices into MDRAP, what are the fields I need to include in my spreadsheet?


  1. Device Name   
  2. Manufacturer
  3. Location
  4. Department/Care Area
  5. Serial # (Optional)
  6. Asset Tag (Optional)
  7. In Service On (Optional)



Question: What kind of analysis and recommendations will I receive from MDRAP Analytics? 

Answer: The MDRAP Analytics Scoring Framework includes the ability for sets of risk assessment questionnaires to be computed and visualized. This visualization of results includes multiple quantifiable analytical dimensions such as computed risk, computed likelihood of an event and level of effort to remediate this event. MDRAP visualization tools plot “Level of Effort to Remediate” against “Impact to Organization” and “Likelihood of Occurring” so that your teams can more rationally decide what to work on first.  MDRAP provides additional hints and notes relevant to HDOs to help them select specific vulnerabilities for mitigation based on the assessment results.



Question: I know MDRAP allows me to plot out assessments of dozens of different devices together on the same screen…. But does MDRAP allow me to compare multiple different assessments of the same device?

Answer: Not yet.  But soon!

Question: Is there an option to view other institutions’ assessments for the devices in my inventory?

Answer:  YES, you can view “shared” assessments from the larger MDISS/MDRAP community via the ASSESSMENTS tab.  Not all organizations share.  But if you’re sucking down lots of assessments that other people did, karma would dictate that you might want to share your work with the community, in turn. 


Question: What does sharing entail? 

Answer: We know sharing is hard, especially in medical contexts.  But crowdsourcing is key to making device assessments work for everyone.  If every hospital has to do their own assessments of every device they own, then positive network-effects never come into play, and you might as well quit MDISS, NH-ISAC, HIMSS and ICS-CERT and enjoy your private island of duplicated effort.

That being said, every hospital network uses devices slightly differently, so an assessment sourced from outside your organization will always need to be “asterisked”, so you can make sure to “handicap” those scores against your internal reality. By creating standardized “risk management portfolios” MDISS and MDRAP hope to help you leverage standardized risk mitigation strategies and best-practices vulnerability aggregation… saving you lots of time, lots of money and helping you avoid re-inventing the wheel again and again.

Question: What are the benefits that come with using MDRAP? 

Answer: MDRAP is particularly useful for:


  • Quick evaluations of current risk and security control effectiveness for each medical device in an HDO. Creation of initial (baseline) risk assessment for medical devices in the context of a Common Security Framework profile.

  • MDRAP assessments can be used as the basis for a desired or “target” CSF profile, giving you insight into the chances for success and the subsequent impact of new risk controls on your operations. Dozens, hundreds and then thousands of MDRAP assessments are crunched by the MDRAP analytics engine to find both “quick wins” and “hidden killers” that you can take to management.

  • Over time, as MDRAP assessments are updated based on changes to the device or its environment, MDRAP can provide early warnings about risk-creep and highlight systems and individual devices that probably need to be re-examined in detail. MDRAP's ability to track changes over time and plot those against risk-reduction effectiveness makes MDRAP one of those tools that becomes more valuable the more you use it.

Still have questions?

Drop us a line.

As a grass-roots organization, MDISS is really about YOU. We'd love to hear from you.