
Don’t Sell Me a Lemon with a Virus. What’s the Right Cybersecurity Contract Language for Device Manufacturers and Healthcare Systems
Episode

Jonathan Bagnall, Cybersecurity Global Market Leader for Royal Philips Healthcare

In recognition of the 19th annual National Cyber Security Awareness Month, The Outcomes Rocket Network has launched a 10-part podcast series to elevate Cyber Security Awareness in Healthcare on our main channel, the Outcomes Rocket Podcast. Partnering with leaders in healthcare cybersecurity in their capacity as members of the Health Sector Coordinating Council, the podcast aims to illuminate advances made in protecting critical healthcare infrastructure and patient safety, and areas that need further focus to put a stop to Cyber Crime.

Contract language is key to bringing cybersecurity to medical devices!

In this episode, Saul Marquez chats with Dr. Jonathan Bagnall, the Cybersecurity Global Market Leader for Royal Philips Healthcare, about the Model Contract Language for Medtech Cybersecurity Document. He was part of developing this document where healthcare delivery organizations got together to establish the cybersecurity requirements for medical devices, forming partnerships with manufacturers with more trust and certainty of compliance. He discusses how contract language is a tool that, in the Medtech field, can create commitment without stifling innovation. Jonathan also explains how this document will improve medical devices’ security by increasing performance, design, and maturity.

Tune in to this episode to learn from Dr. Bagnall about the Model Contract Language for Medtech Cybersecurity Document!

About Jonathan Bagnall:

Jonathan R. Bagnall is the Cybersecurity Global Market Leader for Royal Philips Healthcare. Mr. Bagnall has extensive experience consulting, designing, and implementing cybersecurity & risk management programs for fortune 500 companies, conducting operational coordination, information sharing, and collaboration among government and the private sector. In his position as Cybersecurity Global Market Leader, he oversees the communications and client-facing support for all products and services, education, global outreach awareness, and partnerships, encompassing critical internal and external stakeholders, clients, industry cybersecurity engagements (RSA, Archimedes, RSNA, HIMSS, HCSS, H-ISAC, NTIA, MITA, and Academy Health), federal government and regulators. He holds a Bachelor of Science and Business Administration, a Master in Science and Management, and a Ph.D. in Information Technology & Cybersecurity. Mr. Bagnall recently published research on Healthcare Medical Device Cybersecurity Governance and the adoption of Computerized Maintenance Management Systems (CMMS).

Jonathan Bagnall_October Cyber Awareness Month Podcast Series: Audio automatically transcribed by Sonix

Saul Marquez:
Hey everybody! Saul Marquez here with the Outcomes Rocket and welcome back to the series on cybersecurity for October Cybersecurity Awareness Month. So privileged to be joined by the outstanding Doctor Jonathan Bagnall, he’s a cybersecurity global market leader, product security and services for Philips Healthcare, and his position as cybersecurity global market leader, he oversees the communications and client-facing support for all products and services, education, global outreach, awareness, and partnerships encompassing critical internal and external stakeholders, clients and industry Cybersecurity engagements. Dr. Bagnall received his PhD in technology and cybersecurity and has been an incredible contributor to the work that we’re covering here as part of the series with the Healthcare Public Health Sector Coordinating Council. And on today’s series, we are going to be covering a critical element of the work specific to contracting and contracting for cybersecurity. Don’t sell me a lemon with a virus, is how he tagged it. So love the opportunity to chat with Dr. Bagnall today, Jonathan welcome.

Jonathan Bagnall:
Saul, thank you for the invite, and thanks to everyone that’s put this together. I appreciate the opportunity to speak.

Saul Marquez:
Absolutely, and you know, the, and folks, for those of you that don’t know the document, it’s the Model Contract Language for Medtech Security, it is a 44-page document intended to be a template for you and your business to, and your organization to contract for safety and cybersecurity. We’re going to cover a lot here today with Jonathan. But to kick things off, tell us a little bit about how this group formed and what the motivation behind developing the contract language was.

Jonathan Bagnall:
Well, Saul, I think it started back with H-ISAC, a group of healthcare delivery organizations got together and started to formulate what were the requirements for security for their medical devices and solutions. And they identified that contract language was primary to enable them the level of confidence that manufacturers were delivering secure products and that they would manage and maintain those secure products throughout the expected life of those products to so, to establish and to set the precedents of what would be expected, along with cybersecurity in the partnership between manufacturers and healthcare delivery organizations. I’ll add to that, so.

Saul Marquez:
Please!

Jonathan Bagnall:
As I understand it, it was in San Diego. I think that’s where you’re from, and don’t check my facts, but somewhere around three years ago that the healthcare delivery organizations, there were some primaries that I’ll name, it’s not all of them, but it would have been a consortium between Kaiser Permanente, Geisinger, as well as Mayo Clinic, those are the three primaries that I remember. And they presented a framework of how contract language in agreement should be established, focused primarily on cybersecurity. And it was through that introductory that it was, I guess, recommended that that should be brought to a broader industry. So it shouldn’t be just the HDOs developing this, but a consortium of the industry and the Health Sector Coordinating Committee jumped in and we created this working group. I don’t know how many were in it, it was 15 to 20 folks representing the industries in healthcare and medical device manufacturing. It was inclusive of group purchasing organizations, I think Premier was in there, absolutely they were in there, so it was quite an interesting collaboration. I will say that I learned a lot, I experienced a lot, and mostly I had fun. And I would also say that we were able to accomplish what we did in 24 months. It was mind-blowing and it took a lot of compromise between all of those that were contributing and working to put this together.

Saul Marquez:
Well, congratulations, first of all, on that accomplishment, to get that sort of alignment amongst such a complex group of stakeholders, you know, the delivery organizations, the medical device manufacturers, the, you mentioned the group purchasing organizations, all of these stakeholders to have ironed this out in really relatively short time, is no small feat, so kudos to you guys for doing that. Why would you say it’s important to establish this cybersecurity contract language between these stakeholders?

Jonathan Bagnall:
Well, on the onset, the importance of developing trust between the partners and the industry, I think was paramount. And when we establish a set of rules and guidelines in a way that builds that trust and confidence in, as well as the progression of cybersecurity, cybersecurity is not a point in time, it’s a continuous cycle, and that cycle is to progress and build and establish and mature in security controls to make sure that environments are secure and also devices and solutions maintain secure. I’ll also add to that, when we think about medical devices, we think of one component, a piece of machinery, but actually, medical devices are part of a greater solution, and in many cases medical devices are microtechnologies. So when we think of an MR system or a CT system or an ultrasound system, we just think of this piece of equipment, but actually, some of these pieces of equipment have servers on the back end, they have desktops, they have monitoring systems. On top of that, they are built and engineered in today’s innovation, innovative world to operate with many things within healthcare and solutions, so they are very complex. And I’ll also say that the manufacturers, the solution providers really have the intel on these devices. They know how they’re engineered, they know how security is designed, and also they share a great responsibility in maintaining the ability to secure these solutions throughout their life, it is not all on the healthcare delivery organization. Because we coin these devices as IOT in medical technology, really, what that signifies is that there are limitations on what a healthcare delivery organization can do to secure this device, and in many instances, let’s put it that way, they can’t because their medical devices, their medical solutions, they’re regulated. 
It is, it’s, it brings about a complexity that they cannot address security in a standard way that they would approach their information technology infrastructure and their operational technology infrastructure. So there are many nuances with medical devices that really require manufacturers to continuously address security vulnerabilities and uphold the highest level of standards within those devices to make sure that, number one, that they are not a threat to cybersecurity, but number two, that they maintain the highest level of availability so that our healthcare delivery organization, partners, can focus on what their primary job is and what their primary role is and mission, which is to take care of patients. So manufacturers are stakeholders in this industry. And if you look at the construct of the contract language, really that’s how it was developed. It was developed in partnership and it was developed with the understanding that these are base requirements when you’re trying to establish that partnership. And as part of the framework of this model contract language, what is built into the clauses, is the opportunity for the healthcare delivery organizations and the manufacturers to develop a roadmap to get to the level of compliance that’s required to assure that cybersecurity is maintained, is designed and continues to be maintained and is in place throughout the life of the product. I’d also say that no man of, every manufacturer is not the same, every healthcare delivery organization is not the same. Manufacturers develop in different ways, but their focus should be on a standardization of controls and as well as healthcare delivery or delivery organizations, they have different tools, they have different sizes of organizations, certain levels of proficiencies. And of course, as we all know on both sides, resources are of high demand these days. 
So to develop that partnership and to make those types of commitments through contract language is paramount to that level of trust that we are trying to establish and build between the partners within the industry.

Saul Marquez:
Now that’s fantastic, thanks for that context, Dr. Bagnall. And you know, we had a good chat, you had mentioned health ISAC, we had Errol Weiss on the podcast and he shared some of the major problems that have been happening with malware, ransomware, and there’s just so many risks that we have to be mindful of these things. And I love that you refer to this contract language also as a roadmap, a roadmap that could guide all of the organizations and companies listening to this to get there. By the way, folks, I want to mention, if you go into the show notes of our podcast today, you’re going to find a link to that Model Contract Language for MedTech Cybersecurity that we’re chatting about today, so take advantage of that resource. It is readily available to you. And that’s why we’re doing this, to make sure that that this is front and center for folks that could benefit from this. Jonathan, how is contract language going to make medical devices more secure?

Jonathan Bagnall:
Well, it sets the level of requirements put on a manufacturer from the healthcare delivery organization and those, the clauses that were developed and published, they fall into a framework which brings about the understanding of need. The framework has pillars, and those three main pillars are the performance, maturity, and the product design maturity. All right, so if we think about, and within the framework, there are 14 core principles, but if we think about the framework, performance is the understanding of what’s in the product today and what those requirements are specific to vulnerability management, incident management, security patching, and as well as customer support or the support of the product. When we think about maturity, it’s where the devices should be today and the level of maturity and specific to industry standards and security controls, as well as security development and the lifecycle. But more specifically important, it’s about maturity of supply and transparency. So when you think about the language as it sits now, the 45 clauses, that’s the time in the usage of these clauses when developing that partnership and trust with a manufacturer is, that’s when supply of transparency comes about. It’s the time to go through these clauses and bring about the understanding to the customer, the healthcare delivery goes, yes, I can meet this clause, yes, I’m doing this, yes, I can meet this requirement going through it. 40-45 clauses seems like a lot, but it really holistically covers what should be in place from a manufacturer to build secure devices, to maintain secure devices, and to manage secure devices. Going back to transparency, it’s, many of the clauses call for open communications between the manufacturer and the healthcare delivery organization, because, as we said, there’s a partnership. Manufacturer has to deliver, maintain the security of a device, but a healthcare delivery organization also has a part in maintaining that device. 
They have a part in building out security parameters. They have a part in updating and maintaining devices and in many cases, securing those devices through delivery of security patches. Security, medical devices are not all the same. As I tried to say upfront, if I was to characterize there are software-only medical devices, there are how do we say on-premise medical devices, there are hybrid devices where some of the device, parts of the device and the solution is in a cloud, part of the device is on-premise. There are also devices that would be 100% maintained by a manufacturer. And there are hybrid situations where there is a requirement for the healthcare delivery organization to maintain a portion of that device, be it the server, the platform, the technology, the infrastructure, infrastructure, they have to maintain physical protection of devices. So not to get too deep, but it is a true partnership. And unless there’s open dialogue in the security of devices, in many cases, if a manufacturer finds a vulnerability in the device, they need to have, they need to communicate that to the healthcare delivery organizations, and that needs to be established and understood and that, the contract language creates that precedence across the board. For the most part, for a first pass in developing the Model Contract Language, I think we covered a lot of it and the healthcare delivery organizations that established the need and developed the framework and also participated into what was the end document, we owe a lot of credit to them. And why is that? Because those organizations, the healthcare delivery organizations I worked or have worked directly with, they have established processes, they had, they have established contract language and give them credit that they got together and they said, well, let’s be, let’s establish a model set of language. 
And I will tell you that part of their motivation was that they wanted to streamline the process of review and negotiation when they’re working with manufacturers. So why not do this up front in a working group? And throughout the process.

Saul Marquez:
It’s a great idea.

Jonathan Bagnall:
It was. There became understanding of what the language as written was presenting and what, how a manufacturer develops, how a manufacturer supports, how a manufacturer delivers maintenance to a product. And so there was a lot of compromise and there was a lot of understanding of how the two industries manage their requirements around medical devices. So the end result was a synchronization of language that is very useful within the market today. And I personally have already seen the benefits and results of that through those that have already utilized the language, because it’s been very quick because I understand the language, I understand what’s represented by the healthcare delivery organization and I understand what’s required of me and my company because I’ve already worked this out. So if we were looking at what the benefits are, that would be number one, that there has been some understanding between the industries from, through the development of the clauses, and secondly.

Saul Marquez:
You know, and Jonathan, I actually want one thing too, is, you know, from a legal team perspective to R&D and engineering, right? I feel like this could be a nice roadmap for folks to consider.

Jonathan Bagnall:
Well, absolutely, and there is, there’s always a challenge with the legal community and those within our organizations that don’t specify, they don’t have a specific, I’ll say, experience within security. So they don’t understand the language, they don’t understand what it means, and they always need the help of the security folks within their organizations on both sides to say, well, this is what it means or this is what I need. So to have established sets of clauses, yes, would, greatly brings to the table a set of agreed-upon language between the industries. Now, I’d also state that the way that the clauses are written out, it’s not a one size fits all, as I said upfront, there are variables within solutions, there are variables within the way manufacturers support those solutions. So what’s built into that, into the contract clauses is that understanding that if you can’t meet these requirements today, okay, within the clause, when can you meet them? Can you do it in 90 days, one year? Can we come up with an agreement that when you will reach this level of maturity? So I think that was a great accomplishment too, because we, as an industry, we don’t want to stifle innovation at any level. So we don’t want to stifle a small manufacturing company for, from innovating something new, and that would be a great benefit to our patients.

Saul Marquez:
And so I think we’ve covered a good amount of this, but let’s hammer it home. What would you say is the incentive for other device manufacturers and health delivery organizations to use this?

Jonathan Bagnall:
I think, well, the incentive is that it’s established from a consortium of industry stakeholders, as well as it’s a minimal set of language. It’s very concise and it delivers the primary levels of requirements to build the trust between the two partners, being the medical device manufacturer and the healthcare delivery organization. It establishes the starting point.

Saul Marquez:
And how do we standardize this?

Jonathan Bagnall:
Well, we, well, that’s a good question. So it’s not something that we picked out of the sky. We established the language based on industry security controls that are already in place. So in this state, 853 would be one, HIPAA regulations would be others. I would also note the FDA pre and post-market guidelines relative to cybersecurity. So with your question, which was very good, is that we didn’t try to build something net new. We aligned the requirements based on what is already established and already matured, and I only named a few. There were other industry controls which healthcare has adapted that are also noted throughout the clauses. So where it was appropriate, we didn’t define the controls down to the detail level, we rather defined the alignment to the control and control family saying this state, 853, because controls, security controls are continuously changing, they’re continuously updated and both manufacturers and healthcare delivery organizations that promote progressive improving security programs should be aligned to these updates to controls, and they should be adapting to them.

Saul Marquez:
That’s fantastic, Dr. Bagnall, and great that these existing standards were referenced because they’re ever-changing, and so a great opportunity to attach this to an ever-evolving field, but giving people the tools that they can use today to be able to get that safety that they’re looking for while not stifling innovation like you said, which is critical. Well, look, I want to congratulate you for the work that you and the team have done. What’s next for this contract language? And does the working group have future ambitions?

Jonathan Bagnall:
We absolutely do. This was a first pass and very amazed at what we accomplished in a short period of time. And it is on our schedules to review what we accomplished and look for opportunities to improve it. There were many involved in the review of what we published this time. And in that review, we identified areas of improvement and we’ll be focused on those. And as well as anyone that’s utilizing the language, we would like input from them. Within the Health Sector Coordinating Committee website where you can download this document. I think there’s areas where you can email or provide your input as to what would make it better for the industry to use. I’d also, I’d like to end, I don’t think I mentioned that, giving again a lot of respect to the healthcare delivery organizations that worked on this. One of their primary goals was to bring about these tools to medium and lower-sized healthcare delivery organizations that don’t have the capacity to write this language, to build out this language. And I think it’s really a great way to provision to healthcare delivery as a whole, and we continue to do that. This is not the only working group that does that. There’s a lot of stuff going on in the industry where we’re trying to promote initiatives relative to cybersecurity.

Saul Marquez:
That’s great, Jonathan. And folks, a quick pause here to welcome your feedback. You know, if you have used this before, we want to hear from you. We want to understand where was it useful, what could be better. There is a part two that Dr. Bagnall and team have done on this. So why don’t you get what you need out of it and share your feedback? We’re going to be posting these episodes, obviously on our website, our podcast channel, as you guys always hear us, but also on LinkedIn. So when we do post something on LinkedIn, chat in the comments below and give us your perspective on if you’ve used it, if you haven’t, if you’re about to, because your feedback matters a lot. Thought leaders like Jonathan and team that are engaged in this depend on that type of feedback to make it even better. So with that being said, Dr. Bagnall, I want to say thank you. Where can people learn more about you and where can they follow your work?

Jonathan Bagnall:
They can reach me on LinkedIn. I will, and I have been always, have a presence at HIMSS, and as well, I’m open to develop dialogue with just about anybody, there’s always an opportunity to learn, and that’s how I positioned myself. So listening to input from others only makes myself a better person.

Saul Marquez:
I love it. Take advantage of that, folks. Connect with Jonathan, and again, make sure you stick with us through this entire series because it is jam-packed with value. Appreciate you guys tuning in and looking forward to catch you on the next one. Thanks, Dr. Bagnall.

Jonathan Bagnall:
Thanks, Saul.

Things You’ll Learn:

  • The Model Contract Language for Medtech Cybersecurity is a 44-page document intended to be a template for safety and cybersecurity.
  • A group of healthcare delivery organizations got together to formulate the security requirements for their medical devices and solutions, as they identified the contract language for secure products, maintenance, and cybersecurity in the partnership between manufacturers and healthcare delivery organizations.
  • Establishing rules and guidelines builds trust and confidence to ensure that environments, devices, and solutions maintain security for both parties.
  • The document’s framework has three pillars: performance, maturity, and product design maturity.
  • The requirements aligned with already established and matured security controls.
  • One of their primary goals in making the document was to bring these tools to medium and lower-sized healthcare delivery organizations that can’t build out this language.

Resources:

  • Connect with and follow Jonathan Bagnall on LinkedIn.
  • Download the Model Contract Language for Medtech Cybersecurity Document!
  • Visit the Health Sector Coordinating Council’s Website!