After recently incorporating new cybersecurity language into new contracts being negotiated for PACS and imaging devices, Penn State Health found that many vendors were unwilling to agree to requirements such as having cyber insurance or undergoing an annual third-party audit for compliance with data protection standards. Negotiations over cybersecurity provisions added an average of three months to the contracting process, according to presenter Dr. Jonelle Petscavage-Thomas.
"Your team should be aware that if you have a targeted go-live and you're going to include this language, expect that go-live to be pushed back a few months because you're going to have to get through this," she said. "It's not going to be quick."
A growing threat
Cybersecurity is a hot topic. There was a 63% increase in cyberattacks on healthcare targets in 2016, and in 2014, the U.S. Federal Bureau of Investigation (FBI) reported that at least 375 healthcare-related organizations had been seriously breached, Petscavage-Thomas said.
These large breaches are publicly reported and can negatively impact a hospital's reputation, she said. What's more, remedying the loss of protected health information (PHI) after such a breach is extremely expensive and labor-intensive.
Earlier this month, the WannaCry ransomware hit more than 150 countries and affected radiological systems as well as medical devices. Some medical device vendors were refusing to accept patches because they didn't know if their devices would continue to work after the patches were applied, Petscavage-Thomas said.
Notably, 7% of cybersecurity breaches originate in radiology software. In response, the National Electrical Manufacturers Association (NEMA) published a white paper on cybersecurity for medical imaging in 2015.
Petscavage-Thomas said, however, that it's the healthcare organization's responsibility to ensure a vendor is meeting an institution's cybersecurity requirements. Accordingly, cybersecurity language is increasingly being placed into new contracts and worked through legal channels, she said.
"However, there is no standardized language, and it varies from very simple to more complex," she said. "Vendors may be unfamiliar with this language -- it's just being introduced."
The Penn Health researchers hypothesized that this could result in an increased length of time to complete the contracting process.
"You may work with a vendor who is unwilling to acquiesce to your requirements, and you may have to part ways with that vendor and do a new search and find a new vendor," she said. "Additionally, you may have a vendor who you really need for Joint Commission requirements, and you have to sign off that you are willing to assume those risks because the vendor will not meet the requirements."
Over the past year, Penn Health negotiated five new contracts with imaging vendors that included new cybersecurity documentation. The researchers sought to report on the specific areas where the vendors had issues, the length of time for vendors to return documentation, the number of rounds of contract revisions of the cybersecurity language, the number of vendors with cyber insurance, and the number of vendors that were unwilling to meet their requirements.
The institution's chief information security officer created cybersecurity language and distributed it to the IT teams for use in contracting. The cybersecurity provisions had 19 different sections, including the following:
- User security
- System security
- Physical access control
- Data security
- Secure erasure of hard disk capabilities
- Data center requirements
- Access to internal network
- Criminal background checks
- Disclosure of security breach
- Cyber insurance
- Rights to data documents and computer software
- Server timekeeping
- Internal IT policies
- Business associate agreement (BAA) terms
Each of the sections also had several subsections. The cybersecurity language was added to five new vendor contracts that were being negotiated by the medical image management team: one radiology PACS vendor, one ophthalmology PACS vendor, one vendor-neutral archive (VNA) vendor, one radiation dose management software vendor, and one imaging device vendor.
During 2015-2016, a Word document was attached to the contract and emailed to vendors with "track changes" enabled in the document. In 2017, Penn State Health began using the Modulo Risk Manager, an electronic tool that both vendors and the organization can access to answer questions and provide clarifications, Petscavage-Thomas said. Areas of contention are rated as high, moderate, or low risk. The business owner must then acknowledge these risks to proceed with the contract.
All versions of the contract were saved, including redlines, comments, and other edits. The researchers then retrospectively reviewed the versions to determine what sections were completely redlined by the vendors and the reasoning for the redline. They also assessed what sections were edited and why, and noted which vendors confirmed they already held cyber insurance. In addition, the group determined the length of time to work through this new contracting language by recording the timeline for sending and receiving edits.
The group found that an average of 6.75 sections were completely redlined out by the vendor (range, 3-9). The most common redlined sections were the following:
- Cloud security
- Insurance requirement
- Wireless/mobile device security
- User security
- System security
- Right to data documents and computer software
- Data security
"Some of these made sense," she said. For example, cloud security or wireless/mobile device security may have been crossed out if those areas were not part of the vendor's platform.
Some vendors crossed out the insurance requirement if they didn't have cyber insurance. Petscavage-Thomas said that a lot of the vendors also did not want to agree to the data security requirement for annual third-party auditing of compliance with regulatory data protection methods. In addition, some vendors did not have the ability to provide all of the requirements for a system security audit.
"And a lot of vendors were not willing to allow vulnerability scanning [of their products]," she said.
The vendors edited an average of four additional sections (range, 3-6). The most commonly edited sections included auditing, encryption, cloud and mobile device security, and remote access (via the SecureLink remote access software).
"Initially most of our vendors wanted to maintain a business VPN," Petscavage-Thomas said. "One [of our vendors] even said, 'Well, if you are going to make us use SecureLink [for remote access] we are going to increase the cost of your contract, because this [will require extra] resources for us.'"
Three of the five vendors had cyber insurance and were willing to assume the risk if there was a data breach. More recently, the institution negotiated an additional contract with a vendor -- its sixth within two years -- and it refused to provide insurance and payment if there was a leak, she said.
Ultimately, three vendors were unwilling to acquiesce to all of the security requirements, and a designated individual for each contract -- one department chair and two department administrators in total -- was asked to sign off on it because the software was believed to be worth the risk and responsibility. All issues were considered to be moderate to low risk, she said.
The mean turnaround time for the initial vendor review of the cybersecurity language was 2.1 months (range, 2 weeks to 4 months).
"The main reason is that a different legal department within the companies was required to read the cyber documentation compared with the normal contract," she said.
On average, two more rounds of revisions were required, lasting an additional four weeks.
"Thus, the total contracting time with these vendors was increased on average by [3.1] months, with a range of one to six months," Petscavage-Thomas said.
Based on their experience, Petscavage-Thomas recommends that language be placed in the request for proposal (RFP) to help filter out vendors that are ill-prepared to meet cybersecurity requirements.
"Then you can always smooth things out [later] and expedite the process," she said.
She also recommends reviewing existing contracts and working with vendors to add on cybersecurity requirements.
"Those [contracts] are still at risk," Petscavage-Thomas said. "If you don't have that [cybersecurity] language in an addendum to your contract and there's a breach, you're the one who's going to be paying for all of that notification [to patients]."
Copyright © 2017 AuntMinnie.com