New guidance aims to clarify cybersecurity roles and expectations between health delivery organizations and medical device manufacturers.


The Health Sector Coordinating Council’s (HSCC) Cybersecurity Working Group on Nov. 18 released updated guidance on model contract language for medtech cybersecurity for health care organizations and medical device manufacturers.

The resource is designed to clarify each party’s responsibilities for securing medical technology throughout its lifecycle and to align contract expectations with the current regulatory and threat environment.

The guidance notes that health delivery organizations and medical device manufacturers continue to face an escalating pace of cyberattacks, increasing the cost and complexity of delivering safe care. HSCC says cybersecurity expectations between partners are often unclear, leading to inconsistent investment in security controls, ambiguities during contract negotiations, and, in some cases, downstream safety risks.

The revised Model Contract-language for Medtech Cybersecurity Version 2 incorporates industry feedback since its initial 2022 release and reflects what HSCC describes as increasing security maturity and more aligned expectations across the sector. Updates include alignment with recent regulatory changes, clearer separation of shared responsibilities, reorganized and simplified clauses, and corrections to earlier language.

The guide highlights key terms and conditions related to storing, transferring, or accessing a health delivery organization’s information and recommends that all medical technologies, services, and networked solutions meet the organization’s compliance requirements. HSCC says it will continue reviewing and updating the resource as technology, threats, and business agreements evolve.
