Model contract language for medical technology cybersecurity published

Medical technology companies and health delivery organizations have a new template for agreeing on cybersecurity contractual terms and conditions to reduce cost, complexity and time in the contracting process and improve patient safety. Published by the Health Sector Coordinating Council Cybersecurity Working Group (CWG) is Model Contract-Language for Medtech Cybersecurity (MC2).

Problem

The genesis of this resource was the recognition that medical device cybersecurity responsibility and accountability between Medical Device Manufacturers (MDM’s) and Health Delivery Organizations (HDO’s) is complicated by many conflicting factors, including: uneven MDM capabilities and investment in cybersecurity controls built into device design and production; varying expectations for cybersecurity among HDOs; and high cybersecurity management costs in the HDO operational environment throughout the device lifecycle.

These factors have introduced and sustained ambiguities in cybersecurity accountability between MDM’s and HDO’s that historically have been reconciled at best inconsistently in the purchase contract negotiation process, leading to downstream disputes and potential patient safety implications.

Solution

The purpose of this Model Contract Language is to offer a reference for shared cooperation and coordination between HDO’s and MDM’s regarding the security, compliance, management, operation, services, and security of MDM-managed medical devices, solutions, and connections. This Model Contract Language is intended to minimize security risks and ensure the confidentiality, integrity, and availability (CIA) of HDO healthcare technologies, infrastructures, and information.

This Model Contract Language articulates adequate security of HDO information being stored, transferred, or accessed and provides that all network access, medical devices, services, and solutions satisfy the mission, security, and compliance requirements of the HDO.

Medical device manufacturers, health delivery organizations, and group purchasing organizations are encouraged to closely review this contract language and adopt as much as is appropriate for the organization. The more uniformity and predictability the sector can achieve in cross enterprise cybersecurity management expectations, the greater strides it will make toward patient safety and a more secure and resilient healthcare system.

Process

This model contract is also the product of model collaboration between two subsector stakeholders whose expectations about responsibility and accountability for cybersecurity have not always been aligned.

The 2-year process of “pre-negotiating” this model contract language – beginning in March 2020 – facilitated increased mutual understanding and trust between MDM’s and HDO’s that participated in the Medical Device Cybersecurity Model Contract Language Task Group. The sector owes the leaders and members of the task group its thanks and congratulations.

In the pipeline to be published in the coming weeks will be best practices guidance for medical device vulnerability communications to the patient audience.