By Phil Englert

Your organization’s third-party biomedical services agreement is coming up for renewal. You’ve been asked to develop a strategy to include cybersecurity of medical technology in the agreement. Outsourcing maintenance and cybersecurity functions for medical technology to a third party is a significant decision that requires careful planning and contract negotiation. What will the objectives be? How will the agreement be structured to meet your organization’s objectives? This column looks at the challenges of contracting with a third party for cybersecurity of medical devices (the same considerations apply to other IoT and OT technologies) and the clauses that can help formulate a successful partnership.
The diverse medical device technologies present in a health care environment enable amazing patient care diagnostic and therapeutic capabilities. At the same time, this diversity in purpose and underlying technologies creates an enormous maintenance operations challenge. Some medical devices, such as ECG carts, are standalone devices. Others, like anesthesia carts, are multiple devices (anesthetic agent delivery and monitoring) in a single unit. Still others, like patient monitors, are part of an extensive system of endpoints that can include monitors, workstations, access points and servers. Developing contract clauses that adequately represent the specific requirements across the spectrum of technologies can be overwhelming.
The key to successfully engaging a third party to help manage and reduce the cybersecurity risks of your medical device population is to understand that they cannot be all things to all devices. They, like you, are dependent upon, and limited by, the cybersecurity support provided by the equipment manufacturers. Older technologies, often called legacy devices, may not be supported at all. Service level agreements written for traditional IT technologies (patch within 30 days, for example) are not practical for regulated medical devices because of the testing that must be done to ensure the patch or update does not alter the essential clinical performance or create a safety risk; a patch timeline in the contract should therefore be tied to manufacturer validation of the update, not to the calendar alone.
I recommend a risk impact approach that considers how cyber incidents in medical devices may impact clinical operations. The components of this clinical impact assessment may include the traditional biomedical engineering life safety score, the acuity of the setting where the device is located, the presence of protected health information (PHI), the presence of large volumes of PHI (500 or more records, the threshold at which HIPAA breach notification obligations expand to include media and prompt HHS notice), care delivery impact, lateral network access, financial impact and reputational impact. These eight data points can, for the most part, be assessed and assigned at the modality level rather than device by device, and they inform organizational prioritization at all levels, including capital replacement, risk mitigation, monitoring and response activities.
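The following is an added example, not the column's own method or any tool's output, of how the eight data points above can be rolled up into a modality-level impact score and then applied to a device inventory. The weights, the 1 to 5 scales, the tier thresholds and the sample modalities are all assumptions made for illustration; an organization would set its own.

```python
from dataclasses import dataclass

# Assumed relative weights for the eight clinical impact data points.
# These are illustrative, not values from the column.
WEIGHTS = {
    "life_safety": 5,     # traditional biomed life-safety score
    "acuity": 3,          # highest-acuity setting where the modality is deployed
    "phi_present": 2,     # device stores or displays PHI
    "large_phi": 3,       # 500+ PHI records on the device
    "care_delivery": 4,   # impact of an outage on care delivery
    "lateral_access": 4,  # networked with reachability to other assets
    "financial": 2,
    "reputational": 2,
}
MAX_RAW = 5 * sum(WEIGHTS.values())  # every factor at its maximum (5 or True)


@dataclass(frozen=True)
class ModalityProfile:
    """One assessment per modality; every device of that modality inherits it."""
    name: str
    life_safety: int       # 1-5 (5 = life support)
    acuity: int            # 1-5 (5 = ICU / OR)
    phi_present: bool
    large_phi: bool
    care_delivery: int     # 1-5
    lateral_access: bool
    financial: int         # 1-5
    reputational: int      # 1-5


def impact_score(m: ModalityProfile) -> float:
    """Weighted score normalized to 0..100. Scalar factors contribute
    weight * value (1-5); boolean factors contribute weight * 5 when True."""
    raw = 0
    for factor, weight in WEIGHTS.items():
        value = getattr(m, factor)
        if isinstance(value, bool):
            raw += weight * (5 if value else 0)
        else:
            if not 1 <= value <= 5:
                raise ValueError(f"{factor} must be 1-5, got {value}")
            raw += weight * value
    return round(100 * raw / MAX_RAW, 1)


def tier(score: float) -> str:
    """Assumed cut-offs: tier 1 gets first call on replacement, monitoring and response."""
    if score >= 75:
        return "tier 1"
    if score >= 50:
        return "tier 2"
    return "tier 3"


def prioritize(modalities, inventory):
    """Join a device inventory (asset tag -> modality name) to modality scores
    and return devices ordered highest impact first."""
    scores = {m.name: impact_score(m) for m in modalities}
    rows = [(tag, mod, scores[mod], tier(scores[mod])) for tag, mod in inventory.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


# Constructed sample modalities and inventory (not real assessments).
MODALITIES = [
    ModalityProfile("infusion pump", 5, 5, True, False, 5, True, 3, 4),
    ModalityProfile("patient monitoring server", 4, 5, True, True, 5, True, 4, 5),
    ModalityProfile("standalone ECG cart", 2, 2, True, False, 2, False, 1, 2),
    ModalityProfile("lab analyzer", 2, 3, True, True, 4, True, 4, 3),
]
INVENTORY = {
    "BIO-00412": "infusion pump",
    "BIO-00413": "infusion pump",
    "BIO-00587": "patient monitoring server",
    "BIO-00990": "standalone ECG cart",
    "BIO-01330": "lab analyzer",
}

if __name__ == "__main__":
    for tag, modality, score, t in prioritize(MODALITIES, INVENTORY):
        print(f"{tag:10} {modality:28} {score:5.1f}  {t}")
```

Because the assessment is made once per modality, adding a hundred more infusion pumps to the inventory changes nothing except the count of tier 1 devices, which is what makes this approach tractable across a thousand-plus models.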
To ensure risk reduction over time, you should include various clauses in the outsourcing contract that address key concerns, obligations and responsibilities.
Here are some important clauses to consider:
- Scope of Services: Detail the specific medical devices and equipment covered by the agreement. This should include a comprehensive list of equipment and their unique identification numbers or serial numbers. Include a commitment to share this information with IT and to have the asset management systems (the biomedical CMMS and the IT CCMDB) correlated so the same asset is easily recognizable in either system; serial number is usually the only identifier both systems hold. Set timelines for achieving asset correlation (for example, a target percentage of networked devices matched by a given date) and work towards automation.
- Service Responsibilities: Outline the maintenance and service tasks to be performed, including preventive maintenance, calibration, repairs, inspections, and any required software updates and patches. It may be necessary to add an appendix outlining these schedules at the modality or make/model level. A large health care organization may have more than 1,000 different models of equipment, and specifying the periodicity of the many maintenance activities, especially patching and updating, is essential to managing risks and improving uptime availability.
- Service Levels and Response Times: Define the expected service levels, including response times for different types of equipment issues. Specify whether there are different response times for critical and non-critical devices, and tie the tiers to the clinical impact assessment rather than to device cost alone.
- Risk Management: Detail how risks will be identified, assessed and mitigated, including specific steps for managing cybersecurity threats and vulnerabilities. Specify whether the third party will have access to, and be expected to use, your network monitoring tools, including passive monitoring technologies that track asset presence, communications activity and associated vulnerabilities and provide an asset-level risk score. Identify what strategies the third party is expected to employ to manage the cyber risks associated with medical technologies, such as network segmentation and compensating controls for legacy devices the manufacturer no longer supports.
- Responsibilities of Both Parties: Clearly articulate the roles, responsibilities and obligations of both your organization and the third party, making sure they align with your risk management strategy. Managing cyber risks is a shared responsibility requiring expertise from a variety of disciplines, including networking, identity and access management, clinical users, backup teams, vendors and healthcare technology management teams. Use a responsibility assignment matrix (RACI or similar) to map out which parties are responsible for which tasks so there is no confusion during normal operations or during an incident.
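The asset correlation called for under Scope of Services is simple to state and tedious to do by hand. The example below is added here and is not part of the column or any vendor's product: it matches a CMMS export against a CMDB export on normalized serial number, separates the unmatched biomed assets that are expected to be absent from IT's view (standalone devices) from the ones that are a real gap (networked devices IT cannot see), and lists the CMDB entries biomed has no record of. Field names and the sample rows are constructed for illustration; real exports will use different columns.

```python
import re


def normalize_serial(raw: str) -> str:
    """Canonical form for matching: uppercase alphanumerics only, so that
    'sn-7781-a', 'SN 7781 A' and 'SN7781A' all correlate."""
    return re.sub(r"[^A-Z0-9]", "", raw.upper())


def correlate(cmms_rows, cmdb_rows):
    """Correlate the biomed CMMS against the IT CMDB on serial number.

    cmms_rows: dicts with asset_tag, serial, model, networked (bool)
    cmdb_rows: dicts with ci_name, serial, ip
    Returns a report with matches, gaps and a coverage figure for
    networked devices (the population that should exist in both systems)."""
    cmdb_by_serial = {}
    cmdb_duplicates = []
    for ci in cmdb_rows:
        key = normalize_serial(ci["serial"])
        if key in cmdb_by_serial:
            cmdb_duplicates.append(ci["ci_name"])   # same serial twice in CMDB: needs cleanup
        cmdb_by_serial.setdefault(key, ci)

    matched, gaps, standalone = [], [], []
    for asset in cmms_rows:
        ci = cmdb_by_serial.pop(normalize_serial(asset["serial"]), None)
        if ci is not None:
            matched.append((asset["asset_tag"], ci["ci_name"], ci["ip"]))
        elif asset["networked"]:
            gaps.append(asset["asset_tag"])          # on the network but invisible to IT
        else:
            standalone.append(asset["asset_tag"])    # not expected in the CMDB

    cmdb_only = [ci["ci_name"] for ci in cmdb_by_serial.values()]  # IT sees it, biomed does not
    networked_total = sum(1 for a in cmms_rows if a["networked"])
    coverage = len(matched) / networked_total if networked_total else 1.0
    return {
        "matched": matched,
        "gaps": gaps,
        "standalone_unmatched": standalone,
        "cmdb_only": cmdb_only,
        "cmdb_duplicates": cmdb_duplicates,
        "networked_coverage": coverage,
    }


# Constructed sample exports (not real inventories).
CMMS = [
    {"asset_tag": "BIO-00412", "serial": "sn-7781-a", "model": "infusion pump", "networked": True},
    {"asset_tag": "BIO-00587", "serial": "MON 4410 ", "model": "patient monitor", "networked": True},
    {"asset_tag": "BIO-00990", "serial": "ECG-2210", "model": "ECG cart", "networked": False},
    {"asset_tag": "BIO-01101", "serial": "CT0091", "model": "CT scanner", "networked": True},
    {"asset_tag": "BIO-01220", "serial": "VENT-31", "model": "ventilator", "networked": True},
]
CMDB = [
    {"ci_name": "pump-floor4-12", "serial": "SN7781A", "ip": "10.20.4.12"},
    {"ci_name": "mon-icu-03", "serial": "mon-4410", "ip": "10.20.9.3"},
    {"ci_name": "ct-rad-01", "serial": "ct0091", "ip": "10.20.30.1"},
    {"ci_name": "unknown-10-20-4-77", "serial": "XR5512", "ip": "10.20.4.77"},
]

if __name__ == "__main__":
    report = correlate(CMMS, CMDB)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The two lists worth acting on are `gaps` (a networked ventilator the CMDB does not know about, so nothing in IT's monitoring will attribute its traffic) and `cmdb_only` (a device IT sees on the network that biomed has no service record for). The coverage figure is the number a contract timeline can be written against.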
It is crucial to involve legal counsel and relevant department heads within the hospital when drafting or reviewing such an agreement to ensure that it aligns with the hospital’s specific needs and compliance requirements. The clauses listed above are by no means complete, but they provide key points to consider and include as you map out your third-party medical device cybersecurity relationship. Regularly reviewing and updating the agreement is also essential to adapt to changes in medical device technology, regulations and hospital needs.
Phil Englert is the director of medical device security for Health-ISAC.
