HSCC releases model contract template for HDOs and medical device manufacturers


Share this article on:

The Health and Public Health Sector Coordinating Council (HSCC) has released a new Contract language pattern template that healthcare delivery organizations (HDOs) should use when procuring new devices from medical device manufacturers (MDMs) to ensure each party is aware of their cybersecurity and stewardship responsibilities devices.

“Medical device cybersecurity responsibility and accountability between MDMs and HDOs is complicated by many conflicting factors, including uneven MDM capabilities and investments in cybersecurity controls built into device design and production. ; varying cybersecurity expectations among HDOs; and high costs of managing cybersecurity in the HDO operational environment throughout the lifecycle of the device,” explained the HSCC. “These factors have introduced and maintained ambiguities in cybersecurity responsibility between MDMs and HDOs that historically have been reconciled inconsistently at best in the purchase contract negotiation process, resulting in disputes downstream. and potential implications for patient safety.”

The model contract language is intended to be a reference for cooperation and coordination shared between HDOs and MDMs for security, compliance, management, operations, services and medical devices, solutions and connections managed by RMD. The goal is to help HDOs reduce the cost, complexity and time spent on the procurement process, minimize privacy and security risks, and ensure the confidentiality, integrity and availability of technologies. of HDO health.

The contractual framework is based on three of the fundamental pillars of cybersecurity: performance, maturity and product design maturity, these three pillars being subdivided into 14 fundamental principles.

Fundamentals of HSCC Model Contract Language for Medical Technology Cybersecurity

The contract states that MDMs are required to secure their products by default, enable all security features, reduce the attack surface as much as possible, and ensure that their products are free of malware and code. and unnecessary services. All products must have the following security controls as standard:

  • Network commands
  • Physical Security
  • anti-malware
  • Intrusion detection
  • Data encryption
  • Access management
  • Security patch
  • Auditing and logging
  • Protection against malicious code
  • Privilege Elevation Controls
  • Document Reference Architecture
  • Remote Access Controls

MDMs, HDOs, and group purchasing organizations are encouraged to review the standard contract language model and adopt as many as necessary for their organization. “The more uniformity and predictability the industry can achieve in cross-enterprise cybersecurity management expectations, the greater strides it will make towards patient safety and a safer and more resilient healthcare system,” the HSCC said.


Comments are closed.