Updated contract language template tackles medtech security blind spots

HSCC's updated model contract language template aims to improve the relationship between healthcare organizations and medical device manufacturers by clarifying cybersecurity obligations.

The relationship between healthcare organizations and medical device manufacturers is complex, and establishing responsibility and accountability for the security of medical devices has long been a pain point in healthcare. The Health Sector Coordinating Council, or HSCC, aimed to alleviate this problem in 2022 by releasing model contract language that healthcare organizations can use to enhance coordination and cooperation.

In November 2025, the HSCC updated this guidance to improve clarity and reflect industry changes. Version two incorporates feedback that HSCC received from version one and expands the content to align with the industry's increasing security maturity and changes in the regulatory environment.

Despite enhancements in medical device cybersecurity and improved communication between manufacturers and healthcare organizations, the industry is still struggling with managing the cybersecurity of medical devices throughout their lifecycles.

"The unrelenting pace of cyberattacks has created an increasingly expensive and resource intensive environment for delivering safe and effective care," HSCC noted.

"In today's partnership between [healthcare organizations] and [medical device manufacturers], cybersecurity requirements are often unclear, resulting in a lack of understanding and prioritization of cybersecurity best practices."

This environment leads to "an investment in security controls that are not always aligned between stakeholders," HSCC suggested.

The initial contract language resulted from a task group made up of 50 healthcare organizations, medical device manufacturers and security and compliance specialists. These stakeholders recognized the inconsistencies in contract language throughout the industry, which resulted in misunderstandings surrounding cybersecurity responsibility.

The model contract language is intended to be referenced during contract negotiations as an example of the most common cybersecurity contract terms and conditions. It is essentially a pre-negotiated contract designed to be scalable across a variety of organizational sizes and specific security needs.

The model contract language framework is still organized into three pillars: maturity, product design maturity and performance. Within the pillars, there are contract clauses that are organized into 14 core principles.

As healthcare organizations and manufacturers work to improve their coordination, this contract language can help to clarify shared responsibilities and establish expectations for each party.

The task group reconvened following industry feedback and refined the document to further reduce ambiguity between manufacturers and healthcare organizations.

"The end result is a simplification of the contracting process -- more predictable and less costly and time-consuming," HSCC stated.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
