Price, terms, service, warranties and fill rates have long been the stuff of contract negotiations. Now, contracting professionals are adding “cybersecurity” to the list.
“Cybersecurity concerns have heightened the importance of evaluating medical device vendors and service providers on their current and future cybersecurity management practices across the expected life of devices,” says Kent Petty, chief information officer, HealthTrust. “The avoidance of unexpected downtime, loss of functionality, or worse, harm to patients because of a cybersecurity event, makes the evaluation and negotiation of cybersecurity terms in purchasing agreements a top-of-mind focus.”
Ross Carevic, director, technology sourcing operations for Vizient Inc., says, “A recent report from Symantec indicates some threat actors appear to be fine-tuning their attack tactics to more specifically target medical devices. While the exact intent is still unknown, it shows the changing tactics of threat actors and their willingness to probe deeper into medical systems to look for potential vulnerabilities.”
What’s the problem?
It turns out that the strength of modern medical devices is also their weakness.
“The interconnected medical device is critical in today’s diagnostic and patient treatment ecosystem, as it brings automation, accuracy and improved outcomes for patients and providers,” says Petty. “Unfortunately, many of these devices lack the basic security protections we have grown to expect from other systems connected to the hospital network. This puts interconnected medical devices increasingly at risk of cyberattacks that could affect patient care, safety, or data.
“Additionally, these devices can be used as easy targets to gain a foothold into the hospital’s network to attack other non-medical systems,” he continues. “While these indirect attacks may not directly harm a patient, the disruption to operations could affect the speed, accuracy, and overall delivery of patient care.”
Examples of common cybersecurity-related risks include lack of support and/or timely release of security patches, the continued selling or use of unsupported operating systems (e.g., Microsoft Windows XP), and the overall lack of basic security controls within the device, including open services and ports that can be easily exploited by cyberattacks, says Petty.
Historically, the U.S. Food and Drug Administration has been charged with providing reasonable assurance that the benefits of a medical device or technology to patients outweigh the risks, he says. With today’s networked devices, that’s not so easy. “A medical device’s network connectivity and other cybersecurity risks add to the device’s risk profile and complexity, and the responsibility falls to the manufacturers and providers to work together to remediate or mitigate these risks.”
Given the number of medical devices that are networked and/or contain patient data, and the potential impact on patient health and safety, cybersecurity poses a big risk to providers, says Carevic.
Common risks include default login credentials and unencrypted data storage and transfers, he says. The greater risks involve the failure to understand the medical device profile information, or the failure to identify the systems with which devices exchange information. Another risk is the failure to compile detailed device profile information of the deployed devices in advance of the next major cybersecurity exploit.
Patches
“To date, medical devices haven’t been specifically attacked that we are aware of, but they have been impacted indirectly by exploits targeting the off-the-shelf software that the devices often utilize,” says Carevic. “As an example, the WannaCry virus quickly spread across unpatched Microsoft XP operating systems. This attack highlights a big debate in the industry about the frequency of regular software patches for medical devices.”
Patching a medical device always carries some degree of risk because of its unintended impacts to device functionality, he says. “However, unpatched devices with off-the-shelf software are more vulnerable when a large virus outbreak occurs, so there needs to be a balance where patches can be tested and released on a defined schedule.”
Contracting implications
Healthcare providers can reduce their risks of cyberattack through attentive and informed contracting, according to those with whom the Journal of Healthcare Contracting (sister publication of Repertoire) spoke. But they’ll need help doing so.
“Contract negotiators, along with IT and security teams, need to coordinate their efforts during the contract review and negotiation process to better identify the supportability and longevity of the underlying operating system and third-party applications that are necessary for these devices to function,” says Petty. “During the sourcing and procurement process, they need to identify those medical devices that may run unsupported or with end-of-life operating systems, such as Windows XP. Doing so will call for collaboration with vendors, clinicians, IT and cybersecurity representatives.”
Manufacturers’ role
Manufacturers can play a role in minimizing cyberattacks, says Carevic. “Suppliers can immediately help healthcare providers by acknowledging the issues and providing more information about their device designs and the proper controls that should be put in place when deploying and using their products in a safe and secure manner. Vizient is taking steps to request this type of information in new contracts and RFPs going forward, but a lot of this information can be made available from suppliers today.”
Manufacturers themselves are prepared to work with providers.
“Concerns about cybersecurity are nothing new in the medical industry,” says Chad Darling, senior product manager, EMR business development, Midmark. “Our customers primarily use various Security Risk Assessment questionnaires to understand the impact of software to their organization. With cybersecurity being an increasingly prominent topic in the industry, we’re seeing those questionnaires becoming longer and more detailed. And, more organizations are using them than what we’ve seen in the past.
“Using a Security Risk Assessment questionnaire early in the contracting process has been helpful for organizations to understand how the software functions and where patient health information is stored and transferred. This can help identify potential security concerns early on in a partnership and lead to discussions on mitigating associated risks well before they become an issue.”
Says Garrison Gomez, senior director of vitals and cardiology, Welch Allyn, “IT has a more prominent seat at the table than ever before – and for good reason: No one wants to make front-page news with a data breach. They are engaging with vendors earlier and more often to make sure the technology selected aligns with their security policies. Of course, this means the CIO must partner closely with the CNO, informatics and other medical teams to make sure clinical needs and workflows remain prioritized.
“At a minimum, [contracting professionals should] ask vendors about their methods for encryption, device access control and cybersecurity patch release policies. Understanding the opportunities and options for solutions that are both secure and offer high clinical usability should be an important aspect of the technology evaluation process for connected medical devices.”
Cybersecurity checklist
Providers and manufacturers can work together to address current and future cybersecurity-related issues for the life of the device, says Kent Petty, chief information officer, HealthTrust. Some points for contracting professionals to consider:
- Require the vendor to disclose and discuss security-related features or vulnerabilities associated with the product or service the vendor seeks to sell into the healthcare system.
- Clearly define a set of cybersecurity requirements within the contract that must be met before the device or technology is introduced in the facility, and independently validate that the vendor has met the requirements.
- Ensure contract language requires manufacturers to maintain the cybersecurity of the device (e.g., timely patching, supported operating system version, etc.) over its expected lifespan.
- Clearly define roles and responsibilities within the contract for addressing cybersecurity risks identified during the system’s lifespan.
- When evaluating new products and/or vendors, include cybersecurity requirements in the scorecard to ensure they are a part of the purchase decision.
- Encourage participation in vulnerability-sharing organizations (e.g., National Health Information Sharing and Analysis Center, or NH-ISAC) to bring added visibility and crowdsourcing to cybersecurity issues in a timely manner.
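The risks Carevic describes (default credentials, unencrypted storage and transfers, undocumented data flows, and the failure to compile device profile information before the next outbreak) and the checklist items above (unsupported operating systems, timely patching, independent validation of contract requirements) can be turned into a repeatable check over a device inventory. The following is an added example written for this article, not code from HealthTrust, Vizient or any manufacturer; the inventory records, field names, the list of unsupported operating systems, the set of flagged services and the 90-day patch threshold are all constructed assumptions standing in for whatever a provider writes into its own contract.

```python
"""Score a medical device inventory against contract cybersecurity requirements.

Added example, not from the article. Every record, field name and threshold
below is a constructed assumption for illustration; a real deployment would
take these values from the provider's contract terms and asset inventory.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

# Operating systems assumed to be end-of-life under the contract (constructed;
# the article itself names Windows XP as the example of an unsupported OS).
UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003"}

# Legacy network services a contract might require to be disabled (constructed).
FLAGGED_SERVICES = {"telnet", "ftp", "smbv1"}

# Assumed contract term: newest vendor security patch must be no older than this.
MAX_PATCH_AGE_DAYS = 90


@dataclass
class DeviceProfile:
    """One entry of the device profile information the article says providers must compile."""
    asset_id: str
    model: str
    os: str
    last_patch: date                  # date of the most recent vendor security patch
    default_credentials: bool         # factory login still in use
    encrypts_at_rest: bool
    encrypts_in_transit: bool
    open_services: List[str] = field(default_factory=list)  # network services exposed
    exchanges_data_with: List[str] = field(default_factory=list)  # systems it talks to


def assess(device: DeviceProfile, today: date) -> List[str]:
    """Return the contract requirements this device currently fails (empty = compliant)."""
    findings = []
    if device.os in UNSUPPORTED_OS:
        findings.append(f"unsupported OS: {device.os}")
    if (today - device.last_patch).days > MAX_PATCH_AGE_DAYS:
        findings.append(f"patch older than {MAX_PATCH_AGE_DAYS} days")
    if device.default_credentials:
        findings.append("default credentials in use")
    if not device.encrypts_at_rest:
        findings.append("data at rest unencrypted")
    if not device.encrypts_in_transit:
        findings.append("data in transit unencrypted")
    flagged = sorted(s for s in device.open_services if s in FLAGGED_SERVICES)
    if flagged:
        findings.append("flagged services enabled: " + ", ".join(flagged))
    if not device.exchanges_data_with:
        findings.append("data flows undocumented")
    return findings


def scorecard(devices: List[DeviceProfile], today: date) -> Dict[str, List[str]]:
    """Map each asset id to its list of findings; the basis for a purchase or renewal scorecard."""
    return {d.asset_id: assess(d, today) for d in devices}


def acceptable(device: DeviceProfile, today: date) -> bool:
    """True when the device meets every modelled contract requirement."""
    return not assess(device, today)


# Constructed sample inventory and assessment date.
ASSESSMENT_DATE = date(2018, 6, 1)
SAMPLE_INVENTORY = [
    DeviceProfile("PUMP-001", "infusion pump", "Windows XP", date(2017, 5, 1),
                  default_credentials=True, encrypts_at_rest=False, encrypts_in_transit=True,
                  open_services=["telnet", "https"], exchanges_data_with=["EHR"]),
    DeviceProfile("MON-002", "patient monitor", "Windows 10", date(2018, 4, 15),
                  default_credentials=False, encrypts_at_rest=True, encrypts_in_transit=True,
                  open_services=["https"], exchanges_data_with=[]),
]

if __name__ == "__main__":
    for asset, findings in scorecard(SAMPLE_INVENTORY, ASSESSMENT_DATE).items():
        status = "OK" if not findings else "FAIL"
        print(f"{asset}: {status}")
        for f in findings:
            print(f"  - {f}")
```

The point of keeping the thresholds and lists as named constants at the top is that they are the contract terms: when the negotiated patch schedule or the list of end-of-life platforms changes, the validation changes in one place, and the same script can be rerun against the inventory when the next large outbreak is announced rather than compiled under pressure.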