HSCC Launches Model Contract Template for Healthcare Delivery Organizations and Medical Device Manufacturers

The latest Model Contract Language template has been released by the Healthcare and Public Health Sector Coordinating Council (HSCC). Healthcare delivery organizations (HDOs) are to utilize the template whenever getting new devices from medical device manufacturers (MDMs) to make sure every party knows its cybersecurity responsibilities and device management.

Medical device cybersecurity responsibility and accountability between HDOs and MDMs is challenged by different conflicting elements, which include unequal MDM capabilities and capital spent in cybersecurity control integrated into device design and development; differing objectives for cybersecurity among HDOs; and great cybersecurity management expenses in the HDO operational environment by means of the device lifecycle. These variables have brought in and sustained vagueness in cybersecurity accountability between HDOs and MDMs that in the past were reconciled at best unpredictably in the process of purchase contract negotiation, resulting in downstream disagreements and likely patient safety risks.

The Model Contract Language is to be used as a reference with regard to shared cooperation and coordination between MDMs and HDOs
for safety, compliance, control, operation, services, and MDM-monitored medical devices, solutions, and associations. The goal is to enable HDOs to minimize the cost, difficulty, and time expended in the process of contracting, lessen privacy and security threats, and protect the integrity, confidentiality, and availability of HDO healthcare systems.

The contract framework is dependent on 3 of the basic pillars of cybersecurity, which are maturity, performance, and product design maturity. These 3 pillars are further broken down into 14 key principles.

Key Principles of the HSCC Model Contract Language for Medtech Cybersecurity

The contract says that MDMs have to make their products safe by default, enable all security functions, minimize the attack surface as much as is possible, and make sure their products are without any malware and unwanted code and services. Every product must have these standard security controls:

  • Network controls
  • Anti-malware
  • Data encryption
  • Physical security
  • Intrusion detection
  • Access management
  • Security patching
  • Security against malicious code
  • Audit & logging
  • Privilege escalation controls
  • Remote access controls
  • Document reference architecture

HDOs, MDMs, and group purchasing organizations ought to evaluate the Model Contract Language template and use it as required for their company. The more standard and predictability the industry can accomplish in cross-enterprise cybersecurity management requirements, the bigger breakthroughs it will have toward patient security and a safer and stronger healthcare system.