Helping members develop practical solutions for device security and patient safety.


The new MDISS World Health Information Security Testing Lab (WHISTL™) facilities will comprise a federated network of medical device security testing labs, independently owned and operated by MDISS-member organizations. The goal is to help organizations work together to more effectively address the public health challenges arising from cyber security issues emergent in complex, multi-vendor networks of medical devices. MDISS members get preferred access to WHISTL™ labs all over the world.



Free to HDOs, the MDRAP™ (medical device risk-assessment platform) is a cyber risk assessment and data sharing platform. Results are dynamic and easy to collate. Crowdsourced from vetted Healthcare Technology professionals, MDRAP™ generates a new kind of medical device security profile – one that is easy to complete, clear, concise, and (most importantly) actionable. MDRAP™ assessments are deeper, more flexible and more contextual than MDS2’s. It’s transparent, actionable and fast – and the network effects of “crowdsourcing” mean that your team spends less time entering data and more time addressing controls.


University Alliances

MDISS partners with major universities and academicians around the country to connect researchers to their counterparts on the front lines of business and healthcare. University faculty and students get special discounts on MDISS programs and memberships, and MDISS member companies benefit from personal introductions to relevant scientists and researchers.

List of Partners coming soon!

HealthTrust Purchasing Group Pilot Program

HealthTrust Purchasing Group is pioneering an initiative across its more than 1000 member hospitals to incorporate cyber vulnerability information sharing as a required element of their procurement process. HealthTrust Purchasing Group hospitals, as members of the MDISS HDO Senate, will engage with MDISS in close collaboration with medical device manufacturers to expedite high-quality, timely information-sharing. To learn more, write to our Executive Director Dale Nordenberg, below.

email DALE now


MDRAP, the Medical Device Risk Assessment Platform partly funded by a contract with the US Department of Homeland Security, is an agile, web-based software platform that evolves incredibly fast. We often share our roadmap and development plans for the next several versions of MDRAP with members and stakeholders. If you’d like to be included in these discussions and sneak peeks, drop a line to

Email Phil Now!


MD-VIPER was created through an operational partnership & MOU between the FDA, NH-ISAC and MDISS. MD-VIPER interfaces directly with FDA systems to help healthcare providers improve their situational awareness of medical device threats, as well as collect best practices and mitigation strategies from around the country. This program is key to the Federal Drug Administration’s (FDA) oversight of medical device manufacturers’ processes and provisions of guidance.


Data Commons

Consider Data Commons your secure data-sharing clearinghouse where you can share finished device risk assessments and find already-finished assessments from thousands of manufacturers, researchers, clinical engineers and other hospital stakeholders. Share best practices and keep up with the latest vulnerabilities here, too - all while protecting your intellectual property and patient privacy.



This is a new initiative based on the CDC's National Health Safety Network (NHSN); it aims to leverage public/private partnerships with federal agencies, state and local public health officials, academics and researchers, and the rest of the stakeholder community to create better patient outcomes. This is complex and long term, but closely mirrors the mission of MDISS overall. If you're interested in joining the discussion, send a note to our Executive Director, Dale Nordenberg at

Email Dale Now!


IEC 62443-4 is the international security best practices standard for vendors of industrial control systems with clear utility for medical device networks. The ISA99 Committee named MDISS as the official liaison to IEC 62443-4 responsible for “medicalizing” the standard.



MDISS works directly with State and Local governments to advance medical device security initiatives leveraging existing, traditional public health best practices they already understand – and fund.



MDISS helps create a safe environment where medical device manufacturers with common concerns can find common ground. Manufacturers cooperate where it counts – on patient safety and public health – without disclosing their IP or risking their commercial competitive advantages.



Helps member organizations, from hospitals to device manufacturers to security firms, communicate with the government – and each other – more effectively and productively.  MDISS supports member organizations that might have historically “sat” on potential problems to instead embrace them publicly, helping them drive dramatic product improvements faster.



Formed under the auspices of CHIME, an executive organization dedicated to serving Chief Information Officers (CIOs) in Healthcare, the Association for Executives in Healthcare Information Security (AEHIS) and MDISS are working to encourage medical device vulnerability sharing via MD-VIPER.  AEHIS members get a single source for evaluating, reporting and sharing device vulnerabilities and coordinating responses.



MDISS participates on the working committee producing the ANSI/AAMI/IEC 80001-1 standard, specifically with regard to the application of risk management for IT Networks incorporating medical devices. It defines responsibilities for device manufacturers, non-medical device manufacturers, providers, IT integrators, and anyone else engaged in installing, using, reconfiguring, maintaining and decommissioning networks incorporating medical devices. Importantly, this standard specifically addresses risks to patients, among others.



Hey! That’s where you are right now! Our revamped website and the MDISS blog play a key role in our education and advocacy initiatives. Medical Device Security is hard work. We’ll do our very best to find and provide you with the information you need to solve problems, get stuff done and be a hero at the office. Plus, we hope to broaden your horizons a bit by exposing you to your colleagues’ pain and successes – and if we’re really lucky, we might get a laugh out of you once in a while. Sign up for our blog & newsletter at

Email Now!


About once every six weeks, NH-ISAC and MDISS co-produce a one-day medical device security workshop somewhere in the USA and Canada. Smaller and less wide-ranging than the MDISS CONGRESS, the workshops typically have about 45 attendees and create a safe, intimate environment where HDOs, CEs, IT professionals and security geeks can work out the hairy details of medical device threat sharing in one of the most regulated and privacy-conscious industry sectors there is. You can find these workshops on our event page, or by clicking the button below!

Take a look


At the MDISS Congress, everybody gets together to compare notes, celebrate successes and share the pain of hard-learned lessons. The most recent event took place in 2017 at the National Security Institute at the George Mason University School of Law on Oct 31 - Nov 1st in Arlington, VA. This was an invitation-only gathering of 150 of the nation’s brightest cyber-medical experts, hospital CIOs and CISOs, clinical engineering specialists, technology firms, regulators, legislators & standards authorities. The event was a co-production of MDISS and the National Security Institute at George Mason University, with further support from NH-ISAC and the Department of Homeland Security. Stay tuned for information regarding our next event.



This is the top level of MDISS membership – a double handful of companies and foundations that provide the majority of MDISS’s operating fund. In addition, this select group of partners is MDISS’s de facto steering committee and advises MDISS leadership about where to concentrate effort, assistance and expertise in order to move the market as fast as possible towards a safer, more secure medical device future. Members of the Leadership Circle include Medtronic, Novasano, Boston Scientific, Symantec, Intel and the US Department of Homeland Security. Interested in sitting down with these folks?

Read more about our memberships

MDISS Advisory Board

This is a different kind of MDISS participation; a hand-picked board of experts from across the wide swath of disciplines our work touches. The advisory board provides more long-term, strategic advice to MDISS leadership, while the Leadership Circle (above) is generally most concerned with activities that fall into a more tactical twelve-month time window.


Access to MDRAP

The crowdsourced and expert-vetted device security evaluation and reporting platform from MDISS. MDRAP catalogs risk profiles and real-world performance data for thousands of different medical devices in situations around the world.

Billy Rios,
CEO, Whitescope

"Patient encounters with connected -- yet poorly secured -- medical devices are increasing exponentially, and nobody really has a handle on the risks we’re facing. We’ve got to integrate best practices from cybersecurity, public health and clinical engineering disciplines to better understand and mitigate these threats, and the new MDISS network of WHISTL device testing and data sharing facilities are a huge step in the right direction."