AAMI News April 2016

Mayo Clinic Emphasizes Security with Device Vendors

Two years ago, the Mayo Clinic in Rochester, MN, took a giant step toward improving its security protocols by developing technology and security requirement language for its contracts with vendors of medical devices and healthcare technology.

Mayo Clinic“When we started reviewing and testing devices, we found issues that needed to be taken care of by the device manufacturers, and our current language didn’t spell out our expectations,” said Kevin McDonald, Mayo’s director of clinical information security. “We have found that including specific contract language is a good tool for setting security standards, and it is helpful in educating and promoting partnerships with vendors.”

Mayo’s move might be seen as prescient given the raft of data breaches in healthcare systems around the world during the past year. In February, a California hospital paid to regain control of its computer systems after a malware attack. Hospitals in Germany have also reported such ransomware attacks.

The language Mayo developed includes an affirmation from the vendor that it has established and maintained a comprehensive written security program in line with industry standards. This program should identify and assess external risks to the vendor’s products, including servers and software, as well as set limits on physical access to products and establish limits on the amount of data collected—and how long it is stored.

Vendor reaction to Mayo’s move was mixed, McDonald recalled, with some more understanding than others.

“Some vendors have been surprised, confused, and initially what might be described as angry,” he said. “Other vendors have found our language is very similar to what they use with their own technology vendors, understand our concern, and work with us to have a good outcome to meet our requirements.”

McDonald acknowledged that although cybersecurity is an increasingly important challenge for healthcare delivery organizations to tackle, many facilities aren’t sure where to start.

“Healthcare organizations traditionally have been very trusting and open and many times don’t seem to understand the changes in the world and how to meet them,” McDonald said. “Many of the larger hospitals are working hard to address cybersecurity threats and making good strides, but healthcare is a tough business to be in, and I believe smaller institutions are having a very hard time.”

To help other facilities, McDonald shared Mayo’s contract language in the January/February issue of BI&T, which is available to AAMI members at www.aami.org/bit.