HSCC Focuses On Medical Device Security in New Contract Language Template

HSCC released a contract language template for healthcare organizations to use to ensure medical device security when working with device manufacturers.

The Healthcare & Public Health Sector Coordinating Councils (HSCC) published model contract language to help healthcare organizations ensure medical device security when crafting contracts with device manufacturers.

Mayo Clinic, Premier Inc., and Siemens Healthineers led the drafting process, with the aim of delivering a template that helps healthcare organizations and medical technology companies navigate and create cybersecurity contractual terms and conditions.

The need for a contract template stemmed from ongoing complications between healthcare organizations and medical device manufacturers (MDMs) regarding responsibility, accountability, and varying cybersecurity expectations.

“These factors have introduced and sustained ambiguities in cybersecurity and accountability between MDMs and [healthcare organizations] that historically have been reconciled at best inconsistently in the purchase contract negotiation process, leading to downstream disputes and potential patient safety implications,” an accompanying press release explained.

To ensure adequate security measures, the contract template includes language that articulates compliance and security requirements surrounding how healthcare organizations and MDMs store, transfer, or access medical devices and network-connected solutions.

HSCC noted that the contract template is not a one-size-fits-all solution, and organizations will have to modify some aspects during contract negotiations to align with their needs. The guide is meant to serve as a scalable template for organizations of any size.

The HSCC Model Contract Language task group attributed some miscommunications between healthcare organizations and MDMs to inconsistent contract terminology. The group suggested that the inconsistent language ultimately led to cybersecurity responsibility and accountability ambiguities in the past.

MDMs and healthcare organizations are linked by HIPAA business associate agreements (BAAs), which subject vendors with protected health information (PHI) access to the same security standards as HIPAA-covered entities.

The model contract language can serve as a standalone agreement or as an addendum to a BAA, a Master Service Agreement (MSA), or a Request for Proposals (RFP).

HSCC organized the model contract framework into three key cybersecurity pillars: performance, maturity, and product design maturity. The task group organized contract clauses into fourteen core principles within these pillars.

As with any business associate, healthcare organizations are responsible for ensuring that the vendor has implemented adequate security standards before entrusting them with PHI. Organizations must conduct regular risk assessments and implement technical safeguards to prevent cyberattacks and data breaches.

This is especially apparent with medical devices, which are notorious for being difficult to manage from a cybersecurity perspective due to their mobility and the number of legacy devices that cannot be patched.

Medical devices are often the subject of severe vulnerability disclosures. A recent report by Unit 42 found that 75 percent of 200,000 analyzed infusion pumps contained known security gaps. Claroty also found that healthcare IoT, IT, and medical device vulnerability disclosures have increased exponentially over the last four years.

BD disclosed severe vulnerabilities in some of its BD Pyxis and BD Viper LT products in early March. Separately, Forescout’s global research team discovered seven vulnerabilities, known as Access:7, that impact the PTC Axeda agent and could result in supply chain and medical device security issues.

These recent disclosures underscore the need for consistent communication and thorough contract language between healthcare organizations and medical device manufacturers.

The model contract language included considerations about vulnerability management, security patch validation, and incident response management, among other core principles.

“Medical device manufacturers, health delivery organizations, and group purchasing organizations are encouraged to closely review this contract language and adopt as much as is appropriate for the organization,” the press release continued.

“The more uniformity and predictability the sector can achieve in cross-enterprise cybersecurity management expectations, the greater strides it will make toward patient safety and a more secure and resilient healthcare system.”