The Medical Device Risk Assessment Platform
Up until now, Cyber Risk Assessment methodologies in the context of patient outcomes haven’t really existed. Earlier efforts (MDS2’s) were rarely shared and very difficult to operationalize. In-house talent (OT, Biomed Engineers, Hospital IT) are still learning how to manage cyber incidents through the lens of patient safety.
THE MDRAP APPROACH
By combining information security best practices with an epidemiologically-inspired public health approach, MDRAP fosters better patient outcomes and a healthier, safer hospital network ecosystem.
The MDRAP project was launched in response to specific requirements and funding coming out of the U.S. Department of Homeland Security. MDRAP was developed over 7 years in tight collaboration with healthcare delivery organizations and medical device manufacturers. The result is a mature assessment technology already deployed at more than 2,000 hospitals across the United States as well as within the “Big Five” medical device makers. MDRAP is endorsed by NH-ISAC, the National Healthcare ISAC.
CROWDSOURCING RISK ASSESSMENTS
But the biggest benefit from using MDRAP comes from all of the risk assessment forms you DON’T have to fill out. Why? Because someone else in the network has probably already done it for you, on the very device you’re assessing. MDRAP lets you take advantage of “crowdsourcing” to dramatically reduce your security assessment workload. MDRAP’s unique DATA COMMONS platform makes it easy to share device assessments with your peers at hospitals across the country … safer too. The MDRAP data commons enables organizations to compare assessments against others to identify and prioritize issues.
MDRAP enables HDOs and MDMs to assess medical devices both as they are deployed within the HDO environment and with the design controls. HDOs adopt MDRAP to understand, analyze and mitigate the relative security risks of their medical devices and associated networks. MDRAP cultivates in-house expertise while connecting you to other centers of excellence. MDRAP re-engages dispersed stakeholders, so that efforts expended in one place are appreciated across the organization. MDRAP makes your collective device security posture transparent and actionable – and it does so quickly, efficiently and rationally. That means you can make better decisions about where to invest your valuable security hours.
MDRAP use cases and benefits include:
1. Audit-based assessments of Initial (baseline) risk assessments for each medical device generating a Cyber Security Framework (CSF) profile, by evaluating the current risk and security controls for each medical device in an HDO.
2. Assisting an HDO in framing the cyber security risk as part of a robust multi-tiered organizational Risk Management Framework so various organization management levels have visibility into the current and planned risk, or the changes in risk due to new threats, increased vulnerabilities or new medical devices.
3. Manufacturer participation increases the depth and quality of supplied information in a single repository at the device model level making it easier to locate the needed information.
4. Manufacturers have a vehicle to create and share MDS2 documents as well as post other IT security and interoperability documents in a trusted community environment.
5. Healthcare organizations access collaboratively posted documents from peers and manufacturers to obtain reliable data regarding medical device security controls, vulnerabilities, emerging threats, compensating controls, and remediation strategies.
6. Manufacturers receive running focus group type security control data to better understand, address and improve documentation and/or future design considerations.
7. Comprehensive device database based on the FDA’s 510(k) review process enables recognition and data utilization from a variety of data sources for the purposes of assessment comparison, data cleansing, and threat intelligence.
8. Extrapolated enterprise view of device risk to assist in the prioritization of remediation efforts.
9. Organizational structure management capability enables visibility across large complex entities.
For a full list of our MDRAP FAQs, click here.
FREE to HDOs, the MDRAP medical device risk-assessment platform produces cyber risk assessments that are easy to collate, dynamic and crowdsourced from vetted medical professionals. MDRAP is new kind of medical device security profile – one that is quick and easy to complete, clear, concise (and most importantly), actionable. MDRAP assessments are deeper, more flexible and more shareable than MDS2’s.
* Partially funded by a Department of Homeland Security (DHS) contract.