top of page
  • Writer's pictureShannon Lantzy

“Is this product secure enough?” is the wrong question

Updated: Feb 9

The answer is always "it depends." The better question is: "Is this company managing product security well?"

If I am a hospital system buying a new connected medical device or software system, I need to know that the product I'm buying isn't going to take down hospital operations. Unfortunately, there is no way of knowing the answer to that question and there is no contract lawyer who would allow such a claim to exist.

Instead, answerable, contract-ready questions are:

  • "How does the vendor commit to maintaining the product's security?"

  • "How much work must I, as a hospital operator, need to do to maintain it?"

  • "How many HHS performance goals does this vendor achieve?"

These are product quality management questions. They can be verified and checked after purchase and can have binding contractual penalties if not met.

If you're reading this and you're up in arms about security designs that have to be built in from the beginning, and therefore can't be solved by procurement; I hear you. Security by design is necessary. But technical design cannot be addressed by procurement (other than saying "no buy"). Yes, there are plenty of one-time checks to do on a product (e.g., MFA, hardcoded passwords, antivirus, encryption, secure firmware updates). For a list, check one of the eleventybajillion frameworks available for free. As a procurement officer at a hospital system, however, I'd want to delegate those checks to a trusted third party (like FDA), and instead focus on what I can control (i.e., contractual commitments).

I hope to see hospital procurement take a strong position and procurement platform vendors enable this strong position with built-in software diligence features.

(If you ask product security leaders, they secretly hope their customers take a strong, clear-viewed position as well. It'll make life easier and better for everyone to do the right thing if both vendor and purchaser use diligence tools to the best of their ability.)

~Shannon, the Optimistic Optimizer


Recent Posts

See All

Accelerating AI adoption requires RegTech Innovation

To achieve the promise but avoid the perils of the healthcare AI revolution, we need to accelerate RegTech innovation As technology advances in medicine, so too must regulatory processes and tools. AI


bottom of page