
Leveraging MDS² Forms to Strengthen Hospital Cybersecurity and Shorten Procurement

  • Writer: Debra Bruemmer
  • Nov 16

Updated: Nov 17

Use MDS² forms in procurement to uncover device risks early, meet cybersecurity goals, and strengthen hospital safety without new tool investments.

Cybersecurity is patient safety. In today’s healthcare environment, protecting medical devices isn’t just an IT concern; it’s a clinical priority. Hospitals face a perfect storm: limited budgets, staff shortages, and a growing fleet of connected devices that are vulnerable to cyber threats. The good news is there’s an industry-created, practical tool already available to help: the Manufacturer Disclosure Statement of Medical Device Security (MDS²) form.


Why MDS² Matters 

Originally introduced in 2004 and expanded in 2019, the MDS² form is a self-attestation completed by medical device manufacturers.  While not mandatory, it is commonly shared during procurement.  Think of it as a transparency report: it reveals whether a device runs a supported operating system, receives routine patches, supports multi-factor authentication, includes malware protection, and more. 


By integrating the MDS² form into procurement processes, hospitals can: 

  • Identify risks early before devices are purchased and deployed. 

  • Plan ahead for end-of-support dates, patching needs, and upgrade pathways. 

  • Align with HHS Cybersecurity Performance Goals (CPGs) to meet expectations. 


Getting Back to Basics 

You don’t need a massive team or advanced tools to make an impact. Start with core security requirements: supported operating systems, strong encryption, unique credentials, firewall capabilities, and closure of unnecessary ports. These basics, when consistently applied, can drastically reduce risks across an entire fleet of devices.


Making It Work for Your Hospital 

If resources are limited, start with two critical questions when reviewing an MDS² form: 

  1. Is the device network connected, or can it be network connected? 

  2. Does the device meet your hospital’s basic security requirements? 

From there, you can prioritize actions such as changing default credentials, enforcing role-based access, requiring MFA for remote access, and applying anti-malware protections. 
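The two-question review above, as an added example that is not part of the original post: a Python sketch that takes answers transcribed from an MDS² form and returns the unmet basics, the unanswered items to raise with the manufacturer, and the follow-up actions. The field names and sample answers are assumptions made for illustration; they are not the form's own question identifiers.

```python
# All field names below are hypothetical labels for answers transcribed from
# an MDS2 form; they are not the form's own question identifiers.
BASELINE = ["supported_os", "strong_encryption", "unique_credentials",
            "firewall", "unnecessary_ports_closed"]

# Answer that triggers the action -> follow-up action named in the post.
ACTIONS = {
    "default_credentials": (True, "change default credentials"),
    "role_based_access": (False, "enforce role-based access"),
    "mfa_remote_access": (False, "require MFA for remote access"),
    "anti_malware": (False, "apply anti-malware protections"),
}


def normalize(answer):
    """Return True/False for Yes/No; None for blank or any other answer."""
    return {"yes": True, "no": False}.get(str(answer or "").strip().lower())


def triage(answers):
    a = {key: normalize(value) for key, value in answers.items()}
    # Question 1: network connected, or can it be? Unknown counts as "can be".
    networked = not (a.get("network_connected") is False
                     and a.get("network_capable") is False)
    # Question 2: which basic requirements does the device explicitly not meet?
    gaps = [req for req in BASELINE if a.get(req) is False]
    # Unanswered or ambiguous items are questions for the manufacturer.
    unknown = [k for k in BASELINE + list(ACTIONS) if a.get(k) is None]
    actions = [text for key, (trigger, text) in ACTIONS.items()
               if a.get(key) == trigger]
    return {"networked": networked, "gaps": gaps,
            "ask_manufacturer": unknown, "actions": actions}


# Constructed sample answers for a fictional device (not real MDS2 data).
SAMPLE = {
    "network_connected": "No", "network_capable": "Yes",
    "supported_os": "Yes", "strong_encryption": "See Notes",
    "unique_credentials": "No", "firewall": "Yes",
    "unnecessary_ports_closed": "yes ",
    "default_credentials": "Yes", "role_based_access": "Yes",
    "mfa_remote_access": "No", "anti_malware": "N/A",
}

if __name__ == "__main__":
    for field, value in triage(SAMPLE).items():
        print(f"{field}: {value}")
```

An answer that is missing or not a plain Yes/No is never counted as a pass; it lands in `ask_manufacturer` so it is resolved before purchase.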


The Bottom Line 

Cybersecurity in healthcare doesn’t have to be overwhelming. By leveraging the MDS² form during procurement, hospitals can use manufacturer-provided information to make informed security decisions. This isn’t about checking boxes; it’s about creating safer environments and enabling hospital staff to focus on the patient.

Take the first step and ask for the MDS² form at procurement. It’s information-rich, industry-backed, and an effective tool to secure your hospital. 



About Debra 


Debra Bruemmer is MedSec’s Senior Director of Clinical Security, bringing more than two decades of frontline experience advancing cybersecurity in healthcare. She joined MedSec in 2023 after 24 years at the Mayo Clinic, where she most recently served as a senior manager within the Office of Information Security.  

A respected speaker and advocate for stronger security management in hospitals, Debra is passionate about helping healthcare organizations build practical, sustainable approaches to medical device cybersecurity. At MedSec, she focuses on partnering with small to mid-size hospitals to establish essential medical device security practices before they invest in expensive tools, ensuring they get the fundamentals right first. 

 
 
 
