
    Manufacturer Disclosure Statement for Medical Device Security

    A standardized form by which device manufacturers disclose security characteristics to healthcare delivery organizations.

    Reviewed by Christian Espinosa, Founder, Blue Goat Cyber. Last reviewed May 5, 2026.

    Definition

    The Manufacturer Disclosure Statement for Medical Device Security (MDS2), maintained by the Healthcare Information and Management Systems Society (HIMSS) and aligned to IEC 80001-2-2, is a standardized questionnaire that manufacturers complete to disclose a connected device's security characteristics (authentication, encryption, audit controls, malware protection, network configuration, patch policy) to hospital procurement and security teams.

    What the regulation says

    FDA's 2023 guidance expects manufacturers to provide security disclosure to operators; MDS2 is the de facto industry-standard format. MDS2 is referenced in HSCC and AHA guidance and frequently required by hospital procurement contracts.

    What this means in practice

    MDS2 sits at the manufacturer-HDO handoff and is one of the highest-leverage documents a security program produces. A well-completed, current MDS2 directly accelerates hospital procurement; a stale or incomplete MDS2 stalls deals. Mature MedTech teams maintain MDS2 as a living document tied to each release.

    Common pitfalls

    • Treating MDS2 as a marketing document - overstating capabilities backfires in operator audits.
    • Letting MDS2 go stale across releases.
    • Not aligning MDS2 to MDS2-2019 (the current version) - older versions miss key security characteristics.

    Frequently asked questions

    Not by name, but the cybersecurity labeling and operator-disclosure expectations in the 2023 guidance are routinely satisfied via MDS2.

