Terms and Conditions for CIS MDBR Services for Hospitals


  The following terms and conditions set forth the responsibilities and terms for applicable to the provision of MDBR-H Services (as defined herein) by Center for Internet Security, Inc. (CIS) to Entity.

1.  Definitions 

Entity-any of the following U.S. based health care facilities that are not operated by a federal, state, local, tribal or territorial government entity:

            a. independent hospitals;

            b.  multi-hospital systems;

            c. hospital-based integrated health systems, meaning an organization, consisting of one or more hospitals plus at least one or more group of physicians, that provides a continuum of care and that are connected to each other through joint ownership or joint management;

            d. post-acute patient care facilities; and

            e. psychiatric, rehabilitation or other specialty hospitals.

Entities with multiple facilities may receive MDBR-H Services for each facility (each an “Entity Facility”), subject to the terms set forth herein.

MDBR-H Provider-Akamai Technologies, whose Enterprise Threat Protector (ETP) service will be incorporated into the MDBR-H Services through license with CIS.

MDBR-H Services Proactive blocking of network traffic to known harmful web domains through the use of MDBR Provider’s domain name system (DNS) server with DNS lookup for known malicious domains.  MDBR-H Services will log and block attempts by Entity’s network to access known malicious domains. CIS will provide regular reporting to Entity to include information for all blocked requests and will assist Entity in restoring a blocked domain that Entity identifies as a legitimate domain to which it needs access.

2.  Consideration

CIS is providing MDBR-H Services at no charge to Entity and its Entity Facilities, to the extent applicable. CIS may pursue available funding sources to support providing MDBR-H Services to Entities, and may utilize such funding to provide MDBR-H Services to Entity during the Term of this Agreement if such funds become available.

Additional MDBR-H services may be added during the Term of this Agreement; such additional services may be subject to further terms to be agreed to by Entity.

3.  Responsibilities of the Parties

a.         Responsibilities of Entity

i.  An Entity that seeks to have multiple Entity Facilities receive MDBR-H Services must provide CIS with a list of all Entity Facilities to be included and an applicable point of contact for each Entity Facility. 

ii.  Entity and each Entity Facility, as applicable, agrees that it will configure its network to enable the MDBR Provider’s DNS service to be used by their network and shall maintain that configuration while receiving MDBR-H Services.

iii.  Entity agrees that it will provide contact information for appropriate points of contact, including a technical point of contact, and will promptly notify CIS in the event that such point of contact information changes.  For Entities with multiple Entity Facilities, the above contact information shall be provided for each Entity Facility, as applicable.

b.         Responsibilities of CIS

i.  CIS will enable an account with the MDBR-H Provider to enable Entity and each Entity Facility, as applicable, to receive MDBR-H Services.

ii. CIS will receive reporting and associated data provided through the MDBR-H Services and shall provide Entity or Entity Facility with regular reporting on blocked requests and analysis, including remediation recommendations as appropriate.

4.  Information Sharing

The Entity and each Entity Facility shall own all right, title and interest in its data that is provided to the MDBR-H Provider and CIS as part of the MDBR-H Services.  Entity and each Entity Facility, as applicable, acknowledges and agrees that DNS request information generated by the Entity/Entity Facility will be shared with the MDBR-H Provider and CIS for the purpose of allowing CIS to perform the MDBR-H Services. The information provided to CIS as part of the MDBR-H Services may also be shared by CIS with third parties in an anonymized fashion that does not identify Entity or Entity Facility for cyber security and cyber threat intelligence purposes only.

5.   Term/Termination

These terms shall take effect as of the date these terms are accepted by Entity (the “Effective Date”), and shall continue in full force and effect for a period ending on December 31, 2022 (the “Term”), unless otherwise earlier terminated by either party or is extended by agreement of the parties. Either Party may terminate the MDBR-H Services at any time during the Term by providing ten (10) days’ prior written notice to the other Party.

6.   No Third Party Rights

Nothing in this Agreement shall create or give to third parties any claim or right of action of any nature against Entity or CIS.

7.    Disclaimer

CIS provides the MDBR-H Services on an AS IS basis, and without any warranties or guarantees, either express or implied, and CIS does not assume any responsibility or liability for the accuracy of the information provided as part of the MDBR-H Services or pursuant to these terms, or for any act or omission or other performance related to the MDBR-H Services, including any act or omission by MDBR-H Provider or other contractors or subcontractors of CIS.  CIS shall not be liable for any loss or damages whatsoever, including, without limitation, loss of use, data or profits or physical damage or harm or other, whether arising under any statute, law, regulation, directive, commercial use or otherwise, resulting from, arising out of or in connection with the provision or use of MDBR-H Services.

8.  Indemnification

Entity shall defend, indemnify and hold CIS, its officer, directors and contractors (“CIS Parties”), harmless against any loss, damages or costs (including reasonable attorneys’ fees) incurred in connection with claims, demands, suits or proceedings (“Claims”) made or brought against any CIS Party by a third party alleging any harm or loss related to Entity’s use of the MDBR-H Services, provided that CIS (a) gives Entity prompt written notice of any such Claim, (b) gives Entity sole control of the defense and settlement of the claim (provided that Entity may not settle or defend a Claim unless it unconditionally releases CIS Parties of all liability); and (c) provides Entity with all reasonable assistance.