HSCC’s Model Contract Language Template Represents a Win-Win Cybersecurity Solution for HDOs and MDMs

By: Christopher Gates

April 13, 2022

Categories: AAMI News, HTM Professionals, Medical Device Manufacturers


The relationship between medical device manufacturers (MDMs) and healthcare delivery organizations (HDOs) has always been challenging due to a lack of fruitful communication. Never has this been more true than when it comes to medical device cybersecurity.

Fundamental differences in viewpoints, such as the relative importance of each element of the CIA triad (confidentiality, integrity, and availability), exist between MDMs and HDOs. These are the elements that secure design seeks to protect; however, if device designers have to prioritize, which element takes precedence? Where an MDM might prioritize “ICA,” the HDO may prioritize “AIC.”

Likewise, the impact of cyberattacks is not equally shared. While the HDO may be rendered inoperable for days or weeks by ransomware, the MDM may or may not receive some bad press. Conversely, the MDM could see its future revenue evaporate due to intellectual property theft, whereas the HDO might not even notice an incident has occurred.

The disconnect extends into the postmarket support the MDM provides in the event of an attack. Many HDOs don’t have the resources to create an internal security organization, let alone to hire security analysts with the expertise and experience needed to help the HDO’s lawyers write contracts with the MDM that spell out the HDO’s ongoing cybersecurity expectations for the supported life of a medical device.

Well, now HDOs don’t need to have that assistance with contract language for cybersecurity, as the Health Sector Coordinating Council (HSCC) has created the Model Contract Language template.

This freely available guidance allows HDOs of all sizes to include cybersecurity expectations in a legally binding document. As this template is utilized in agreements between HDOs and MDMs, it will improve the clarity, reduce the time burden, and improve the implemented level of security mitigations, as well as generally remove the confusion associated with contract negotiations over cybersecurity. It will not only serve to reduce the attack surface of an HDO but also communicate to the MDM what level of cybersecurity needs to be present in its devices in order to be competitive in the marketplace.

Christopher Gates is the director of product security at Velentium. He is the principal coauthor, with Axel Wirth and Jason Smith, of Medical Device Cybersecurity for Engineers and Manufacturers, the industry’s premier textbook for designing, manufacturing, and supporting secure embedded medical devices. Gates is also the lead instructor for Mastering Embedded Cybersecurity, a three-tier training and certification program aimed at closing the industry’s cybersecurity skills gap. To learn more about the HSCC’s Model Contract Language, watch Velentium’s blog or social media for announcements about our upcoming webinar with HSCC.

For those who have never heard of HSCC, it has been designated to serve as the Sector Coordinator by the Secretary of the Department of Health & Human Services and Department of Homeland Security. It is the healthcare industry partner with the government for coordinating strategic, policy, and operational approaches to prepare for, respond to, and recover from significant cyber- and physical threats to the ability of the sector to deliver critical assets and services to the public. These threats include natural, technological, and man-made disasters and national or regional health crises.

The HSCC Cybersecurity Working Groups (CWGs) carry out their mission through a public-private collaboration with HHS and other federal agencies to identify and mitigate systemic risks that affect patient safety, security, and privacy and, consequently, national confidence in the healthcare system.

HSCC performs its mission by partnering with HDOs and MDMs to look five years into the future and establish what is needed to reduce cybersecurity risk. It develops recommendations, leading practices, and guidance for enterprise cybersecurity improvements, and advises government partners on policy and regulatory cybersecurity solutions.

Under the leadership of Greg Garcia, executive director of HSCC, the CWGs have produced excellent products, including the Joint Security Plan and Health Industry Cybersecurity Tactical Crisis Response Guide.

The initiative to create a cybersecurity contract template started with a group of HDOs (Mayo Clinic, Cleveland Clinic, Kaiser Permanente, and Froedtert) and was later added to the HSCC CWG. The CWG’s main goal was to remove the inconsistent terminology and expectations currently being used in contract language, which was believed to be the cause for ongoing confusion about responsibilities and accountability between HDOs and MDMs.

As stated in the document: “The use of the Model Contract Language provides HDOs contract terms that can be used as a standalone agreement covering HDO cybersecurity requirements for all medical devices, services, and solutions. It also can be used as an addendum to a Business Associate Agreement (BAA), Master Service Agreement (MSA), and Requests for Proposals (RFP).”

For HDOs, use of the template can improve their cybersecurity stance by greatly reducing the attack surface. For MDMs, it can increase their ability to be competitive in the marketplace by communicating what level of cybersecurity needs to be present in their devices.

The template consists of 45 clauses organized into three major groupings with 14 subgroups (“core principles”), intended for à la carte appropriation, customization, and insertion into existing HDO and MDM contract templates. Here is the template’s outline:

Performance. HDOs & MDMs should consider these principles when setting expectations around timeliness and consistency of support:

  • Vulnerability Management
  • Incident Management
  • Security Patch Validation
  • Customer Support

Product Design Maturity. HDOs & MDMs should consider these principles when setting expectations around the inherent capabilities of the product at the time of delivery:

  • Secure by Default
  • Standard Security Controls
  • Remote Access Controls

Maturity. HDOs & MDMs should consider these principles when setting expectations around capabilities and consistent practices:

  • Universal Coverage
  • Industry Standards Alignment
  • Security Development Lifecycle
  • Supplier Transparency
  • Defined Security Support Lifetimes
  • Security Patch Program
  • Responsible Data Handling

One example of the template’s content is clause 4 (Attack Surface Reduction and Hardening), which is part of the Product Design Maturity: Secure by Default group. It states the following:

“All Supplier Product cybersecurity features shall either be enabled by default or be clearly identified as requiring initial configuration. Product documentation shall specify how to enable, configure, and use all Product cybersecurity features.”

Another example is clause 44 (Vulnerability Management), which is part of the Supplier Maturity: Secure Development Lifecycle group. This clause states the following:

“Supplier shall provide a complete Software Bill of Material (SBOM). For the supported life of the medical device, the supplier shall monitor for security vulnerabilities in these software components and use a risk-based approach to mitigate any severe and exploitable vulnerabilities.

“An SBOM shall contain the minimum elements as and when defined by the FDA or other industry guidance, standard, or regulation. In the event the software component ceases to be actively maintained, the Supplier shall notify the Customer and either replace the software component with an actively maintained equivalent or assume active maintenance internally of the software component.

“In the event the maintainer of a software component changes to a new maintainer, the Supplier shall notify the Customer and perform thorough cybersecurity testing of any subsequent releases of the software component, before placing the new versions into active use.”
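Clause 44 bundles three obligations an HDO can actually verify: the SBOM carries a defined minimum set of elements, the supplier monitors the listed components for vulnerabilities and mitigates severe, exploitable ones, and the supplier acts when a component stops being maintained. The script below is an added example, written for this article and not part of the HSCC template or Velentium’s tooling, of how an HDO or MDM security team might check a delivered SBOM against those obligations. It assumes the NTIA minimum elements (supplier name, component name, version, other unique identifiers, dependency relationship, SBOM author, timestamp) as the baseline the clause defers to, assumes a CVSS base score of 7.0 or higher as the cutoff for “severe,” and uses a constructed SBOM, a constructed vulnerability list, and a constructed maintenance-status list as inputs.

```python
"""
Added example (not from the HSCC Model Contract Language or the article):
check a supplier SBOM for the NTIA minimum elements and triage its
components against a vulnerability list and a maintenance-status list,
mirroring the three obligations in clause 44.
"""

# Assumption: NTIA (2021) minimum elements as the baseline for "minimum
# elements as and when defined by the FDA or other industry guidance".
DOC_REQUIRED = ("author", "timestamp")
COMPONENT_REQUIRED = ("supplier", "name", "version", "identifiers", "depends_on")
NON_EMPTY = ("supplier", "name", "version", "identifiers")

# Constructed sample SBOM (not a real product). One component deliberately
# lacks a unique identifier so the minimum-elements check has something to find.
SAMPLE_SBOM = {
    "author": "Example MDM Product Security Team",
    "timestamp": "2022-04-01T00:00:00Z",
    "components": [
        {"supplier": "OpenSSL Project", "name": "openssl", "version": "1.1.1k",
         "identifiers": ["pkg:generic/openssl@1.1.1k"], "depends_on": []},
        {"supplier": "Example Vendor", "name": "legacy-parser", "version": "0.9",
         "identifiers": [], "depends_on": []},
        {"supplier": "Example Vendor", "name": "device-app", "version": "3.2.0",
         "identifiers": ["pkg:generic/device-app@3.2.0"],
         "depends_on": ["openssl", "legacy-parser"]},
    ],
}

# Constructed vulnerability feed: placeholder records, not real advisories.
SAMPLE_VULN_FEED = [
    {"id": "VULN-PLACEHOLDER-1", "component": "openssl",
     "affected_versions": ["1.1.1k"], "cvss": 7.5, "exploitable": True},
    {"id": "VULN-PLACEHOLDER-2", "component": "legacy-parser",
     "affected_versions": ["0.9"], "cvss": 3.1, "exploitable": False},
]

# Constructed maintenance status, as a supplier might record it per component.
SAMPLE_MAINTENANCE = {"openssl": "active", "legacy-parser": "unmaintained",
                      "device-app": "active"}


def check_minimum_elements(sbom: dict) -> list[str]:
    """Return one finding per missing or empty minimum element; [] means compliant."""
    findings = []
    for key in DOC_REQUIRED:
        if not sbom.get(key):
            findings.append(f"document: missing {key}")
    for comp in sbom.get("components", []):
        label = comp.get("name", "<unnamed>")
        for key in COMPONENT_REQUIRED:
            if key not in comp:
                findings.append(f"{label}: missing {key}")
            elif key in NON_EMPTY and not comp[key]:
                findings.append(f"{label}: empty {key}")
    return findings


def triage(sbom: dict, vuln_feed: list, maintenance: dict, severe_cvss: float = 7.0) -> dict:
    """Risk-based triage of SBOM components.

    must_mitigate: severe (cvss >= severe_cvss) and exploitable, per clause 44.
    monitor: affected but below the severe/exploitable bar.
    maintenance_actions: components whose status is not "active" and therefore
    require replacement or in-house maintenance under the clause.
    """
    by_name = {c["name"]: c for c in sbom["components"]}
    result = {"must_mitigate": [], "monitor": [], "maintenance_actions": []}
    for vuln in vuln_feed:
        comp = by_name.get(vuln["component"])
        # Only versions actually shipped in the SBOM are relevant.
        if comp is None or comp["version"] not in vuln["affected_versions"]:
            continue
        bucket = "must_mitigate" if vuln["cvss"] >= severe_cvss and vuln["exploitable"] else "monitor"
        result[bucket].append(comp["name"])
    for name in by_name:
        if maintenance.get(name, "unknown") != "active":
            result["maintenance_actions"].append(name)
    return result


if __name__ == "__main__":
    for finding in check_minimum_elements(SAMPLE_SBOM):
        print("minimum elements:", finding)
    for bucket, names in triage(SAMPLE_SBOM, SAMPLE_VULN_FEED, SAMPLE_MAINTENANCE).items():
        print(f"{bucket}: {names}")
```

Run as written, the check flags the component with no unique identifier, puts the severe and exploitable finding into the mitigation queue, leaves the low-scoring one under monitoring, and lists the unmaintained component for the replace-or-maintain decision the clause requires. In practice the three inputs would come from the delivered SBOM file, the supplier’s vulnerability monitoring feed, and the supplier’s maintenance notifications rather than the constructed values here.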

The text of these clauses can be used as written in the Model Contract Language template or with minor modifications as a result of negotiations between the HDO and MDM.

A happy side effect of widespread adoption of the Model Contract Language is that consistent use of this language will enable MDMs to create technical and service-based solutions that will be largely consistent across the industry. This will ultimately reduce the burden on the MDM, as opposed to adapting to comply with unique requirements from each HDO.

CWG envisions the Model Contract Language template as a “living document,” to be continually improved as technological advancements, user feedback, and changes in HDO expectations and industry capabilities occur in the future.

I encourage all HDOs to download and review the Model Contract Language. I think you will be pleasantly surprised at the improvement it can bring to your future relationships with MDMs.

Christopher Gates is the director of product security at Velentium in Lafayette, CO. Email: chris.gates@velentium.com