
The Contractual Cure for Cybersecurity Pain: The Power of Medical Device Negotiations

Ty Greenhalgh
/ May 30th, 2023

The Internet of Medical Things (IoMT) consists of networked medical devices and other mobile health technologies that have the potential to be revolutionary in the healthcare industry, allowing healthcare delivery organizations (HDOs) to improve the quality of patient care. Many HDOs, however, fail to clearly assign liability for risk during the medical device assessment stage of procurement. This can lead to privacy and safety issues: devices that expose patients and HDOs to unknown cybersecurity risks, including ransomware and vulnerabilities that permit unauthorized access. As information technology (IT) and operational technology (OT) converge and medical devices become further interconnected, patient safety becomes an even larger concern, because a compromise of the IoMT ecosystem can lead, in the worst case, to patient injury or death.

How Can HDOs & MDMs Combat Cyber Risk?

Today, healthcare delivery organizations and medical device manufacturers (MDMs) face an unrelenting pace of cyberthreats that disrupt safe and effective patient care. The partnership between HDOs and MDMs can be complicated, and cybersecurity requirements are often unclear. That is because responsibility and accountability for medical device cybersecurity are frequently misunderstood by the two parties, typically due to the following factors:

  • Uneven MDM capabilities and investment in cybersecurity controls built into device design and production

  • Varying expectations for cybersecurity among HDOs

  • High cybersecurity management costs in the HDO operational environment throughout the device lifecycle

These factors led the Healthcare and Public Health Sector Coordinating Council (HSCC) to create the Model Contract-Language for Medtech Cybersecurity (MC2). MC2 is a reference document that suggests cybersecurity terms and conditions for medical device procurement and servicing between HDOs and MDMs, allowing for alignment with existing standards, simplification of cybersecurity requirements, and scalable cybersecurity best practices. The MC2 framework includes 14 core principles and over 50 pre-negotiated clauses aligned with industry standards and best practices to address the security safeguards of a medical device in a healthcare environment.

This framework represents a groundbreaking joint effort between MDMs, HDOs, and Group Purchasing Organizations (GPOs) to collaboratively ensure patient safety. The recommended language is intended to approximate the most commonly used cybersecurity contract terms and conditions between HDOs and MDMs, so that it can serve as a starting place: "The Middle", a "Shared Risk Position" that has already been negotiated and agreed upon by some of the most prestigious organizations in the industry. With this model contract language, HDOs and MDMs can minimize security risks and protect the confidentiality, integrity, and availability (CIA) of healthcare technologies, infrastructure, and information. MC2 protects HDOs and their patients against cyberthreats by establishing and maintaining appropriate security contract terms and commitments, including requirements on both HDOs and MDMs to reduce the risk of exposure. The framework not only lets HDOs and MDMs agree on cybersecurity contractual terms and conditions faster, reducing the cost, complexity, and time of the contracting process, but also improves patient safety.

Where to Begin

The devices HDOs rely on have inherent software vulnerabilities, which brings risk. That is why the MC2 framework establishes clauses for its core principles of vulnerability and risk management. In a healthcare environment, it can be difficult to prioritize critical vulnerabilities, obtain a complete picture of every device affected by a new or emerging threat, and take the right course of action to mitigate risk. Medigate by Claroty provides a clear picture of the attack surface created by all the devices connected to the clinical network, and helps HDOs quickly prioritize the risks created by connected endpoints so that device availability is preserved while risk is reduced. With complete and detailed device reports, HDOs and MDMs can understand the vulnerability risk associated with each device, and when a new vulnerability is published they can identify which devices it affects and work to remediate it. Medigate also recommends clinically aware fixes and patches for IoT and IoMT devices to best address those risks.
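The matching step described above, turning a newly published advisory into the list of affected devices and an order in which to act, can be sketched in code. The following is an added example written for this post; it is not Medigate's or Claroty's code, and the inventory, the advisory (vendor, model, version range, ID), and the scoring weights are all constructed for illustration. Version ranges are compared numerically rather than as strings, which is where naive inventory matching usually goes wrong, and the ranking deliberately surfaces devices that cannot be patched, since those are the ones that need compensating controls and a conversation with the MDM.

```python
"""Match a published advisory against a clinical device inventory and rank
the affected devices.  Constructed example: inventory, advisory and scoring
weights are invented for illustration and are not Medigate data or logic."""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """'2.10.3' -> (2, 10, 3) so that 2.10 sorts after 2.4 (string compare would not)."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Device:
    asset_id: str
    vendor: str
    model: str
    firmware: str
    clinical_criticality: int   # assumed scale: 1 (low) .. 5 (life-critical)
    internet_exposed: bool      # reachable from outside the clinical network segment
    patchable: bool             # MDM has a validated patch the HDO is allowed to apply


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    vendor: str
    model: str
    first_affected: str         # inclusive lower bound of the vulnerable range
    fixed_in: str               # exclusive upper bound: this version and later are clean
    cvss: float


def is_affected(dev: Device, adv: Advisory) -> bool:
    """True when vendor/model match and the firmware falls inside the vulnerable range."""
    if (dev.vendor, dev.model) != (adv.vendor, adv.model):
        return False
    fw = parse_version(dev.firmware)
    return parse_version(adv.first_affected) <= fw < parse_version(adv.fixed_in)


def priority(dev: Device, adv: Advisory) -> float:
    """Assumed scoring: CVSS weighted by patient-safety impact, then by exposure
    and by whether the HDO can actually patch (unpatchable devices rank higher
    because they need compensating controls rather than a maintenance window)."""
    score = adv.cvss * dev.clinical_criticality
    if dev.internet_exposed:
        score *= 1.5
    if not dev.patchable:
        score *= 1.25
    return round(score, 2)


def affected_devices(inventory, adv: Advisory):
    """Affected devices, highest priority first."""
    hits = [d for d in inventory if is_affected(d, adv)]
    return sorted(hits, key=lambda d: priority(d, adv), reverse=True)


# Constructed inventory: one vendor, two models, a spread of firmware versions.
INVENTORY = [
    Device("IP-001", "ExampleMed", "InfusionPump-X", "2.3.0", 5, False, True),
    Device("IP-002", "ExampleMed", "InfusionPump-X", "2.4.1", 5, False, True),   # already fixed
    Device("IP-003", "ExampleMed", "InfusionPump-X", "2.1.7", 5, True, False),   # exposed, unpatchable
    Device("MON-010", "ExampleMed", "PatientMonitor-Z", "2.3.0", 4, False, True),  # other model
    Device("IP-004", "ExampleMed", "InfusionPump-X", "1.9.9", 5, False, True),   # pre-dates the bug
    Device("IP-005", "ExampleMed", "InfusionPump-X", "2.0.0", 3, False, True),
]

# Constructed advisory (not a real CVE or vendor bulletin).
ADVISORY = Advisory("ADV-EXAMPLE-001", "ExampleMed", "InfusionPump-X",
                    first_affected="2.0.0", fixed_in="2.4.1", cvss=8.8)

if __name__ == "__main__":
    for d in affected_devices(INVENTORY, ADVISORY):
        print(f"{d.asset_id:8} fw {d.firmware:6} priority {priority(d, ADVISORY):6}"
              f"  {'PATCH' if d.patchable else 'COMPENSATING CONTROLS'}")
```

Run as a script it lists IP-003 first (exposed and unpatchable), then IP-001, then IP-005, and correctly leaves out the fixed, pre-bug and other-model devices. In practice the inventory comes from the device discovery tool and the advisory from the MDM's disclosure or a CISA/FDA feed; the contract clauses MC2 provides are what oblige the MDM to publish the affected-version range and the validated fix that make this matching possible.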

Every medical device runs software, that software has vulnerabilities, and every organization, HDOs and MDMs included, struggles with what to do about them. MC2 was designed to alleviate this challenge by facilitating better relationships between HDOs and MDMs while improving cybersecurity outcomes. Adopting MC2 helps solidify a shared understanding of accountability and encourages open dialogue and collaborative relations. By following this framework, and with the help of a purpose-built cyber-physical systems (CPS) security tool like Medigate, HDOs and MDMs can improve patient safety while reducing the complexity and cost of the contracting process.
