Increasing cybersecurity threats are a major challenge facing healthcare companies, from hospitals to research facilities to medical device manufacturers (MDMs). To date, dialog between various stakeholders has been sparse, and no standards or regulations have been in place to guide MDMs and healthcare delivery organizations (HDOs) as to their cybersecurity responsibilities.
We invited top MDS security experts to join us for a panel-led seminar followed by an engaging Q&A session, specifically to discuss MC Squared (or MC2). MC2 is a new standard put forth by the Health Sector Coordinating Council (HSCC) for modeling contract language in MedTech cybersecurity. The panel was moderated by Jason Smith, Senior Strategist for Communications and Marketing at Velentium. The panelists were:
- Greg Garcia, Executive Director of HSCC’s cybersecurity working group
- Michelle Bentley, Security Resilience Manager at Mayo Clinic
- Axel Wirth, Chief Security Strategist at MedCrypt
- Christopher Gates, Director of Product Security for Velentium
What is MC2?
The HSCC cybersecurity working group is a cross-sector healthcare coalition of device manufacturers, hospital systems, health IT companies, plans and payers, pharmaceutical companies, and public health organizations. Their joint mission is the sharing of cybersecurity information, best practices, and incident response, collaborating with government partners including Health and Human Services, the Department of Homeland Security, and other government agencies.
MC2 is a new tool designed to level-set expectations and aid contract negotiations for medical device purchasing and support between HDOs and MDMs. The goal of MC2 is to facilitate better relationships between MDMs and HDOs while improving cybersecurity outcomes in all healthcare sectors.
What are the benefits and drawbacks of adopting the MC2?
Both HDOs and MDMs stand to benefit from adopting the MC2 template for agreements, both immediately and in the long term. For HDOs, the MC2 language takes the guesswork out of asking the right security questions and creating the necessary language in agreements. While larger institutions like Mayo Clinic may have well-established contract language regarding cybersecurity, smaller organizations may not. The MC2 seeks to level the playing field, filling in the gaps left by the uneven distribution of cybersecurity expertise.
Adoption of the MC2 gives HDOs full awareness of what should be included in agreements, what to expect from MDMs, and how to respond to incidents. All of this reduces the amount of up-front work required before engaging with MDMs, solidifies understanding of accountability, and improves dialog and collaborative relationships.
For MDMs, benefits are similar. With uniform expectations and foreknowledge of what HDOs will ask, MDMs can reduce time, cost, and complexity associated with contract negotiations and standardize contracts and response teams, reducing staff hours and cost needed to respond to issues arising from disparate agreements. Finally, MDMs who adopt the MC2 stand to gain a competitive advantage over MDMs who do not as more and more HDOs ask for better, clearer cybersecurity standards.
How well does the MC2 harmonize with the recent flurry of new and updated MedTech cybersecurity standards and regulations?
Regulations and requirements are in a constant state of evolution, partially because threats and technology are constantly evolving. The MC2 project has kept this top of mind throughout the process of developing version one of the model contract language. For example, MC2 uses generic language like “current regulations” as opposed to specific regulatory callouts.
From the beginning, the MC2 used FDA guidance to determine its direction, taking its starting point from language in the Medical Device/Health IT Joint Security Plan (JSP). This document was released in January 2019 and was co-chaired by Mayo Clinic, Becton, Dickinson and Company, and the FDA, and was designed as guidance for MDMs in building cybersecurity into medical devices from the ground up. The FDA promotes the use of the JSP specifically for its alignment with premarket guidance. This document and the latest FDA premarket guidance document were the foundation for MC2 and will continue to inform subsequent versions of the MC2.
What are the goals and timeline for future work on the MC2?
The MC2 is very much a living document. Because healthcare procedures and technology continue to evolve and cybersecurity is an ever-changing landscape, regulations and standards must keep pace, and the MC2 is no exception. Over the next one to two years, the HSCC cybersecurity working group will continue to monitor feedback and usage, noting which clauses in the model contract are used most, which are under-used, and which adjustments HDOs and MDMs are making most often.
In addition, the group will stay abreast of changes to FDA requirements and regulations, new threats, and upcoming technological advancements, using all this data to inform version two, which will be drafted after an appropriate period of real-world use and reflection.
Today’s Technological Landscape
HDOs and MDMs face unprecedented challenges in today’s technological landscape, with new cybersecurity threats cropping up almost daily. All of this can be costly and detrimental to patient safety. The MC Squared model contract language document seeks to mitigate these risks and improve communication, collaboration, and accountability for all stakeholders. For more information about MC2 or the HSCC, contact Velentium today.