HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

HSCC releases updated medical device cybersecurity contract guidance

Written by Gugu Ntsele | Nov 27, 2025 8:37:08 PM

The Health Sector Coordinating Council's Cybersecurity Working Group released best practices guidance on November 18th that includes updated cybersecurity model contract language for health care organizations and medical device manufacturers to address security, compliance, and operational requirements for medical technology in clinical settings.


What happened

The Health Sector Coordinating Council's Cybersecurity Working Group published guidance on November 18, 2025, providing a best practices guide for health care organizations and medical device manufacturers. The guide includes an updated cybersecurity model contract that addresses the security, compliance, management, operation and services of medical technology used in clinical settings. The guidance emphasizes security terms and conditions for storing, transferring, or accessing health care organization information. It recommends that all network access, medical products, services, and solutions meet the organization's compliance requirements.


What was said

John Riggi, AHA national advisor for cybersecurity and risk, stated that medical device cybersecurity is a shared responsibility between health care delivery organizations and medical device manufacturers. He highlighted the importance of hospitals and health systems working with manufacturers to establish realistic, contractual cybersecurity requirements that help mitigate cyber risks originating from insecure medical devices and technologies. Riggi noted that resiliency and redundancy requirements should be included to help ensure uninterrupted, safe, and quality care delivery during a cyberattack. He called the guide an excellent resource for hospitals and health systems to develop and enhance medical device contract language and ensure purchased medical devices and technology are secure by design and demand.


Why it matters

Medical devices connected to hospital networks represent a vulnerability in healthcare cybersecurity infrastructure. Unlike traditional IT systems, medical devices often have longer lifecycles, may lack regular security updates, and can provide threat actors with entry points into broader hospital networks. This guidance addresses a gap by providing healthcare organizations with specific contractual language to hold manufacturers accountable for device security throughout the product lifecycle. The emphasis on resiliency and redundancy is needed, given that cyberattacks on healthcare facilities can directly impact patient care delivery. By establishing clear security expectations before procurement, hospitals can proactively reduce their attack surface rather than attempting to secure devices after deployment.


The bottom line

Healthcare organizations should review and incorporate this updated model contract language when negotiating agreements with medical device manufacturers. The shared responsibility model requires both parties to actively participate in securing medical technology, making clear contractual obligations essential for protecting patient data and ensuring continuity of care during cyber incidents.


FAQs

Are these model contracts legally binding on manufacturers?

No, the guidance provides recommended language, but legal enforceability depends on negotiation and agreement between parties.


Does this guidance apply to all types of medical devices?

It is intended for network-connected devices, but organizations may adapt principles for other medical technologies.


How often should organizations update their contracts using this guidance?

Contracts should be reviewed periodically, ideally with each new procurement or device lifecycle update.


Can hospitals modify the model language to fit their internal policies?

Yes, the guidance is flexible and can be tailored to align with organizational cybersecurity and compliance standards.


Are small or startup device manufacturers expected to comply with these recommendations?

The guidance applies to all manufacturers, though smaller organizations may need phased approaches or risk-based adjustments.