New HSCC insights target cybersecurity contract language for medical tech

New insights from the Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group targets the oft-uneven relationship between medical device manufacturers and delivery organizations that lead to maturity and security challenges in the healthcare sector.

The provided framework for cybersecurity contract terms and conditions aims to improve patient safety, while reducing complexity and costs of the contract process.

HSCC is an advisory council comprised of health companies and providers, focused on the development of collaborative tools to mitigate threats posed to the healthcare sector. Its working group is made up of over 300 provider entities, medical device and health IT companies, and other related entities.

The “Model Contract-Language for Medtech Cybersecurity (MC2),” was jointly compiled by Mayo Clinic, Siemens Healthineers, and Premier over the course of the last two years, in response to the systemic challenges of medical device security.

The process involved “pre-negotiating” the model contract language outlined in the framework, which inevitably led to an increase in mutual understanding and trust between manufacturers and providers. HSCC added, “The sector owes the leaders and members of the task group its thanks and congratulations.”

Transparency into device challenges has drastically improved across healthcare for the last few years, recognizing that uneven investments, infrastructure complexities, patch management and inventory issues, and other visibility challenges hinder real progress on the security front.

The joint project targets accountability challenges faced between medical device manufacturers and health delivery organizations, such as manufacturer design and production capabilities, investments in cybersecurity controls, and varied security expectations of the providers they serve.

The insights also address the high costs of cybersecurity management in the health system operational environment throughout the device lifecycle. A recent Claroty report showed over half of the vulnerabilities in end-of-life devices are remotely exploitable.

Ongoing accountability issues for medical device security

As it stands, these ongoing issues “have introduced and sustained ambiguities in cybersecurity accountability between manufacturers and healthcare delivery organizations that historically have been reconciled at best inconsistently in the purchase contract negotiation process, leading to downstream disputes and potential patient safety implications.”

The contract guidance is meant for shared cooperation and coordination between providers and manufacturers to bolster medical device security, compliance, management, operation, and services, while minimizing security risks and protecting healthcare technology, data and overall infrastructure.

The guide “articulates adequate security of healthcare delivery organization information being stored, transferred, or accessed and provides that all network access, medical devices, services, and solutions satisfy the mission, security, and compliance requirements of the” provider, according to the working group.

Device manufacturers, group purchasing organizations, and provider entities are encouraged to review the contract language guidance, which includes a partnership maturity roadmap, a template for contract language targeting performance, maturity, and document structure, and contract clauses.

These entities should work to adopt as much of the recommendations as appropriate, as “the more uniformity and predictability the sector can achieve in cross enterprise cybersecurity management expectations, the greater strides it will make toward patient safety and a more secure and resilient healthcare system.”

In the coming weeks, HSCC plans to release a best practice guide to communicating medical device vulnerabilities to patients, joining a long list of invaluable healthcare cybersecurity resources from the group that includes workforce guidance, telehealth security, and supply chain risk management, to name a few.