HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HSCC Releases Model Contract Template for HDOs and Medical Device Manufacturers

The Healthcare and Public Health Sector Coordinating Council (HSCC) has published a new Model Contract Language template for healthcare delivery organizations (HDOs) to use when procuring new devices from medical device manufacturers (MDMs) to ensure each party is aware of its responsibilities for cybersecurity and device management.

“Medical device cybersecurity responsibility and accountability between MDMs and HDOs is complicated by many conflicting factors, including uneven MDM capabilities and investment in cybersecurity controls built into device design and production; varying expectations for cybersecurity among HDOs; and high cybersecurity management costs in the HDO operational environment through the device lifecycle,” explained HSCC. “These factors have introduced and sustained ambiguities in cybersecurity accountability between MDMs and HDOs that historically have been reconciled at best inconsistently in the purchase contract negotiation process, leading to downstream disputes and potential patient safety implications.”

The Model Contract Language is intended to be a reference for shared cooperation and coordination between HDOs and MDMs for security, compliance, management, operation, services, and MDM-managed medical devices, solutions, and connections. The aim is to help HDOs reduce the cost, complexity, and time spent in the contracting process, minimize privacy and security risks, and ensure the confidentiality, integrity, and availability of HDO healthcare technologies.

The contract framework is based on three of the fundamental pillars of cybersecurity: Performance, maturity, and product design maturity, with those three pillars subdivided into 14 core principles

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Core Principles of the HSCC Model Contract Language for Medtech Cybersecurity

The contract states that MDMs are required to make their products secure by default, have all security features enabled, reduce the attack surface as far as is possible, and ensure their products are free of malware and unnecessary code and services. All products are required to have the following security controls as standard:

  • Network controls
  • Physical security
  • Anti-malware
  • Intrusion detection
  • Data encryption
  • Access management
  • Security patching
  • Audit & logging
  • Protection against malicious code
  • Privilege escalation controls
  • Document reference architecture
  • Remote access controls

MDMs, HDOs, and group purchasing organizations are encouraged to review the Model Contract Language template and adopt as much of it as is necessary for their organization. “The more uniformity and predictability the sector can achieve in cross-enterprise cybersecurity management expectations, the greater strides it will make toward patient safety and a more secure and resilient healthcare system,” said HSCC.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.