Cybersecurity Improvement One Clause at a Time

Medical device cybersecurity is a complex priority that cannot be solved by the goodwill of manufacturers alone. A partnership between providers and manufacturers is required to improve both medical device security and safety. With the help of the Health Sector Coordinating Council (HSCC), some Healthcare Delivery Organizations (HDOs) and some Medical Device Manufacturers (MDMs) have finally come together to align clear cybersecurity requirements for medical devices. 

Influencing Cybersecurity Practices

While the FDA and other regulators have been slow to apply pressure, HDOs can drive change today through improved contract language in medical device purchases. One of the best ways hospitals can set expectations for cybersecurity requirements and practices is through contract language executed at the beginning of a partnership between an HDO and an MDM. A new framework for cybersecurity contract terms and conditions aims to improve patient safety while reducing the complexity and cost of the contract process. This framework will help HDOs articulate their requirements and help MDMs reduce variation in expectations from customer to customer. 

On March 3, the HSCC released Model Contract-Language for Medtech Cybersecurity (MC2) to address challenges with cybersecurity contract language. Through clear examples paired with operational guidance for HDOs and MDMs, organizations can leverage and adapt the model contract language as needed to align with a framework called the “Bar of Goodness.” 

Raising the Bar of Goodness

Developed by forward-thinking HDOs, the Bar of Goodness is a framework for cybersecurity contract language centered around three essential pillars: Maturity, Product Design Maturity, and Performance. Each pillar identifies critical contract terms, such as Security Development Lifecycle, Supplier Transparency, Security Patching, Standard Security Controls, and Vulnerability Management. Clearly mapped to the core principles of the Bar of Goodness framework, each contract clause makes it easier for Healthcare Technology Management (HTM) leaders to make a clear case for the inclusion of such clauses in their contract templates. This mapping may also aid in the coordination of contract requirements with any existing contract clauses or with the requirements from Information Technology (IT) or Information Systems (IS) leaders. 

An added benefit of the publication is the Contract Clause Definitions section—an educational asset on key cybersecurity concepts that provides useful definitions and additional resource links to both HTM and other hospital leaders. 

A Collaboration for the Win

Although the Bar of Goodness originated from HDOs, MC2’s success comes from the overwhelming participation and collaboration of a cross-section of the healthcare technology industry. The results are from weekly workgroup sessions that included many organizations: HDOs, such as Kaiser Permanente, Cleveland Clinic, and Mayo Clinic; MDMs, such as Philips, GE, and Siemens; Group Purchasing Organizations (GPOs), such as Vizient and Premier; and Independent Service Organizations (ISOs), such as Sodexo. 

With a unified goal of improving cybersecurity practices for medical devices, the workgroup meticulously crafted and negotiated the 45 contract clauses in the MC2 publication within its melting pot of perspectives. The clauses reference credible industry frameworks from NIST, ISO, and CIS. 

This collaboration is one that will drive mutually beneficial outcomes for all parties by setting clear expectations for cybersecurity best practices, accelerating contract negotiations between HDOs and MDMs through standard content, and providing pivotal education for all parties.