Date: 2025-11-19

The Health Sector Coordinating Council’s Cybersecurity Working Group Nov. 18 released a best practices guide for health care organizations and medical device manufacturers (MDMs) that includes an updated cybersecurity model contract regarding the security, compliance, management, operation and services of medical technology in clinical settings. The guidance highlights security terms and conditions for storing, transferring or accessing a health care organization’s information. It also recommends that all network access, medical products, services and solutions satisfy the organization’s compliance requirements.

“Medical device cybersecurity is a shared responsibility between health care delivery organizations and MDMs,” said John Riggi, AHA national advisor for cybersecurity and risk. “It is extremely important for hospitals and health systems to work with MDMs to set realistic, contractual cybersecurity requirements that will help mitigate cyber risks that may originate from insecure medical devices and technologies. Resiliency and redundancy requirements should also be added to help ensure uninterrupted, safe and quality care delivery during a cyberattack. This guide is an excellent resource for hospitals and health systems to develop and enhance medical device contract language and ensure the medical devices and technology we purchase are secure by design and demand.”

For more information on this or other cyber and risk issues, contact Riggi at jriggi@aha.org. For the latest cyber and risk resources and threat intelligence, visit aha.org/cybersecurity.