
Security should be funded in contracts with vendors to bolster medical device security

Paramedics prepare a patient for transport in the intensive care unit aboard the hospital ship USNS Comfort (T-AH 20). (U.S. Navy photo by Mass Communication Specialist 2nd Class Sara Eshleman)

The medical device contracting process has historically focused on keeping upfront costs as low as possible for both the manufacturer and the healthcare delivery organization. Recently published guidance from the Healthcare and Public Health Sector Coordinating Council (HSCC) aims to move the industry away from that model.

During a recent webcast, HSCC Cybersecurity Executive Director Greg Garcia said the guide is directed at lower-resourced provider organizations that are struggling to keep pace, to ensure those entities know and use the appropriate contract language to protect the enterprise.

Typically, the purchasing process worked to minimize cost so the buying entity could purchase as much as possible, while the manufacturer built as cheaply as possible for maximum profit, explained Axl Wirth, MedCrypt chief security strategist.

“If you look at security, that is a very foolish approach,” said Wirth. “In security, there is a lot to be gained if you invest early on in the design of a device, which saves a lot of money later on, for the side of the operator of the device.”

“So if you just look at the purchase price, you've got a problem, because you are trying to push the price to the lowest possible point; therefore, you maximize the post-market cost of security,” he continued. “I think we, collectively as an industry, need to change our attitude, and need to realize that any penny spent as early as possible in cybersecurity saves dollars later.”

The insights are more about dialogue, ensuring “the device manufacturers and the buying healthcare organizations pull on the same string,” said Wirth.

Notably, much of the specific discussion around critical needs was driven by manufacturers themselves, demonstrating both buy-in and the need for the guidance, explained Michelle Bentley, security resilience manager for the Mayo Clinic.

In Bentley's experience at Mayo, the most opportune time to talk about cybersecurity was at the point of purchase, examining the contract on its own or as part of the master service agreement or business associate agreement.

But “each and every contract took extensive time, and negotiation, depending upon how the devices were built, what they were intended for, and the intent of the healthcare delivery organization’s usage,” she explained.

Said Bentley: “If it's taking us this much time, and we have FDA guidance, and we have HL7, we have NIST, then why are all these organizations having to go through that themselves as well?” Not to mention the duplicative nature of the process.

Leveraging those past experiences, the HSCC worked alongside industry work groups, the Health-ISAC, and other healthcare peers to find commonalities between the contract language to produce a document able to be used by all entities as a starting point for ensuring the security of medical devices.

“One of the myths out there [is that] everybody's going to be secure,” said Garcia, who previously served as the director of the Financial Services Sector Coordinating Council and as the Department of Homeland Security assistant secretary for cybersecurity and communications. It's the idea that an entity can safely deploy an insecure medical device because it has a secure network. The “codifying of these templates really helps” to dispel these myths and support those that need it the most.

Wirth added that the guidance standardizes a core set of cybersecurity requirements, both technical and procedural, standardizing “a good deal of the relationship between the device manufacturer or distributor and the buying healthcare organization, [which] makes life easier.

“Every situation is unique. Every risk profile is unique. But, again, getting the solid stake in the ground and getting something established, at least in its core, is extremely valuable,” said Wirth.

The guidance should be seen as a draft, a living document that can adapt to changing standards and services while addressing the rapidly evolving healthcare infrastructure. As care becomes more interconnected and moves away from the traditional hospital setting, the guide will need to be tailored to address those elements in the future, he added.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
