Blue Goat Cyber logoBlue Goat CyberSMMedical Device Cybersecurity
    K
    Blog · Standards

    The Role of MDS² in Medical Device Cybersecurity

    Updated November 16, 2024 The cybersecurity of medical devices has emerged as a critical concern for manufacturers, healthcare providers, and regulatory.

    Hero illustration for the Standards article: The Role of MDS² in Medical Device Cybersecurity
    Christian Espinosa, Founder & CEO at Blue Goat Cyber

    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Published: April 7, 2024 · Last reviewed: May 1, 2026

    Updated November 16, 2024

    Direct answer

    The Manufacturer Disclosure Statement for Medical Device Security (MDS²) is a standardized form that medical device manufacturers use to disclose detailed cybersecurity features of their products. It helps healthcare providers assess potential security risks and aids manufacturers in demonstrating compliance with regulatory requirements, such as those from the FDA. This document promotes transparency and facilitates informed decision-making regarding medical device integration and risk management.

    The cybersecurity of medical devices has emerged as a critical concern for manufacturers, healthcare providers, and regulatory bodies. The Manufacturer Disclosure Statement for Medical Device Security (MDS²) supports addressing these concerns by providing a standardized framework for communicating the cybersecurity features of medical devices. This article covers the significance of MDS² in enhancing the cybersecurity posture of medical devices, aligning with regulatory guidelines, and building a culture of transparency and accountability in the medical device industry.

    Key Takeaways

    • MDS² standardizes medical device cybersecurity disclosures.
    • It aids manufacturers in meeting FDA regulatory expectations.
    • Healthcare providers use MDS² for risk assessment and management.
    • MDS² promotes "security by design" in device development.
    • It builds industry collaboration on cybersecurity practices.
    • Widespread adoption of MDS² enhances patient safety.

    Table of Contents

    Why this matters

    The security of medical devices directly impacts patient safety and healthcare system integrity. Unsecured devices introduce vulnerabilities that attackers can exploit, leading to data breaches, operational disruptions, or even direct harm to patients through device malfunction. Manufacturers must openly communicate device cybersecurity capabilities and limitations to healthcare providers so that risks can be properly managed in clinical environments. The FDA's 'Cybersecurity in Medical Devices' Final Guidance, published February 3, 2026, emphasizes the necessity of clear cybersecurity documentation throughout a device's lifecycle. MDS² directly supports these regulatory expectations by providing a structured format for manufacturers to disclose information relevant to standards like IEC 81001-5-1, ISO 14971, and AAMI TIR57. Without such standardized disclosures, healthcare providers face significant challenges in evaluating device security, integrating new technology safely, and fulfilling their own regulatory obligations. Effective use of MDS² therefore safeguards patient well-being and strengthens the overall resilience of healthcare infrastructure.

    The Essence of MDS² in Cybersecurity Communication

    MDS² is designed to offer a overview of a medical device’s security features, going beyond a mere inventory of components to present a clear picture of the device’s cybersecurity capabilities. This detailed disclosure helps clinical users understand the security measures embedded in their devices, enabling them to make informed deployment and risk management decisions. The form covers various security aspects, including data encryption, authentication mechanisms, vulnerability management practices, and the device’s ability to receive security patches.

    Aligning with Regulatory Expectations

    The FDA’s guidance on the cybersecurity of medical devices underscores the necessity of considering cybersecurity throughout the device’s lifecycle, from design through deployment. By documenting cybersecurity features through MDS², manufacturers adhere to these regulatory expectations and demonstrate their commitment to safeguarding patient safety and data protection. The transparency provided by MDS² is crucial for regulatory submissions, as it offers a clear, standardized method for manufacturers to communicate their cybersecurity measures, facilitating the FDA’s assessment process.

    A Catalyst for Security by Design

    The implementation of MDS² encourages manufacturers to integrate security features from the initial stages of device development. This “security by design” approach ensures that cybersecurity considerations are integral to the development process rather than being retrofitted after the fact. By aligning with the principles of MDS², manufacturers can proactively address potential vulnerabilities and design devices that are resilient to cyber threats. This approach enhances individual devices’ security and contributes to healthcare IT ecosystems’ overall security.

    Facilitating Informed Risk Management

    For healthcare providers, the MDS² form is a critical risk management tool. By detailing the security features and potential vulnerabilities of medical devices, MDS² enables healthcare IT and security teams to develop tailored risk mitigation strategies. This informed approach to risk management is essential for protecting sensitive patient data and ensuring the continuity of care in the face of evolving cyber threats.

    Promoting Industry-wide Collaboration

    The widespread adoption of MDS² has the potential to build a culture of collaboration and transparency within the medical device industry. Manufacturers, healthcare providers, and regulatory bodies can benefit from the standardized communication of cybersecurity features, facilitating dialogue and shared understanding regarding cybersecurity expectations and best practices. This collaborative approach is key to addressing the complex cybersecurity challenges facing medical devices today.

    The Path Forward: Advocacy and Adoption

    See also: IEC 80001-1: Enhancing Medical Device Cybersecurity, MDCG 2019-16 & MedTech Cybersecurity, and Medical Device Cybersecurity and ISO 9001.

    To maximize the benefits of MDS², concerted efforts are needed from all stakeholders in the medical device ecosystem. Manufacturers must embrace MDS² as a standard practice for disclosing device security features, while healthcare providers should demand MDS² documentation as part of their procurement processes. Regulatory bodies can be guided by endorsing MDS² and incorporating its use into regulatory frameworks. Additionally, ongoing dialogue and feedback among stakeholders are essential for continually refining the MDS² form to address emerging cybersecurity challenges.

    Conclusion

    The MDS² form represents a foundational element in the effort to enhance the cybersecurity of medical devices. By providing a standardized framework for disclosing security features, MDS² facilitates informed risk management, supports regulatory compliance, and encourages a proactive approach to device security. As the medical device industry navigates the complexities of cybersecurity, adopting and effectively utilizing MDS² will be critical for safeguarding patient data and ensuring the reliability and safety of medical technologies in the digital age.

    Contact us for medical device cybersecurity assistance.

    How Blue Goat approaches this

    Blue Goat Cyber assists medical device manufacturers in completing MDS² forms accurately and thoroughly, ensuring alignment with regulatory expectations and industry best practices. Our methodology involves a detailed review of device architecture, security controls, and documentation to extract the necessary information. We use insights from our OSCP-certified penetration testers and ex-military red team specialists to identify potential vulnerabilities and ensure that disclosed security features are clearly articulated.

    Our service aims to not only populate the MDS² form but also to identify opportunities for enhancing device security. We guide manufacturers through the intricacies of the MDS² framework, helping them present their cybersecurity posture effectively to healthcare providers and regulators. If the FDA raises cybersecurity deficiencies after our submission, we resolve them at no additional cost. Learn more about our approach to premarket submissions at Blue Goat Cyber's FDA Premarket Cybersecurity Services.

    FAQ

    What is the MDS² form and why is it important?

    The Manufacturer Disclosure Statement for Medical Device Security (MDS²) is a standardized form used by manufacturers to disclose the cybersecurity and privacy features of their medical devices. It helps healthcare organizations assess the security risks associated with integrating devices into their environments.

    Who is responsible for completing the MDS² form?

    The medical device manufacturer is responsible for accurately completing the MDS² form. The document should detail the security controls, risk management measures, and compliance with relevant cybersecurity standards and regulations.

    What information is typically included in an MDS² form?

    The MDS² form includes details about access controls, data encryption and storage protocols, network security features, software updates and patch management, and risk management practices for cybersecurity. It also provides information on compliance with standards like IEC 62304 and the FDA's February 3, 2026 premarket guidance.

    How does the MDS² support regulatory compliance?

    The MDS² indicates a manufacturer’s commitment to cybersecurity and compliance with regulations such as the FDA's February 3, 2026 premarket guidance, EU MDR/IVDR, and HIPAA. It supports the evaluation of device safety and efficacy in the context of cybersecurity risk management.

    How is the MDS² used by healthcare organizations?

    Healthcare providers and facilities use the MDS² to evaluate the cybersecurity risks of medical devices before purchase or integration. It helps ensure devices comply with organizational security policies and aids in identifying necessary network configurations or compensating controls.

    How often should the MDS² form be updated?

    The MDS² should be updated when there are significant changes to the device’s software or cybersecurity features, to reflect updates in regulatory requirements or standards, or annually as part of a regular post-market surveillance process to ensure ongoing relevance.

    What are common challenges when completing the MDS² form?

    Challenges include accurately documenting third-party software components, addressing vulnerabilities in legacy devices, aligning the form’s content with varying international regulations, and Ensure non-technical stakeholders understand the form’s implications.

    About the author

    Christian Espinosa, CISSP, Founder, Blue Goat Cyber. Christian leads a team focused exclusively on medical device cybersecurity for FDA premarket submissions and postmarket compliance. Read more about Christian.

    Sources & references

    Primary sources cited in this article. Links open in a new tab.

    1. U.S. FDA- U.S. FDA
    Related 524B & eSTAR resources

    Keep going: the 524B and eSTAR working set

    Start with the walkthrough hub, then drill into the statute, the eSTAR field map, SBOM monitoring, postmarket planning, and deficiency response. Use these as the playbook behind every cyber device submission.

    Hub
    FDA Section 524B & eSTAR Cybersecurity Walkthrough

    Start here: the hub that ties the statute, the February 2026 guidance, and the eSTAR fields together in the order a submission team works through them.

    Related services

    Put this into practice on your device

    Every Blue Goat Cyber engagement maps directly to FDA Section 524B and the SPDF - so the evidence you need lands in your submission, not in a separate report.

    Ready when you are

    Get FDA cleared without the cybersecurity headaches.

    30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.