UL Wades into Cybersecurity of Connected Medical Devices
Posted 08 November 2018 | By
Safety science firm UL is honing in on the cybersecurity of connected medical devices, suggesting a two-pronged approach that spans across the total product life cycles of devices and the healthcare ecosystem.
UL began wading into healthcare as it increasingly became a prime target for cyber attacks in recent years, Anura Fernando, UL chief innovation architect of medical systems interoperability and security, told Focus
. Factors that drove its decision to join the movement around medical device cybersecurity include growing healthcare costs partly due to an aging population and clinician shortages hindering hospitals’ ability to keep pace with technological developments.
Standards on Cybersecurity
A new consensus standard developed by UL recently received official US Food and Drug Administration (FDA) recognition as the first recognized standard that specifically targets testing and certification for the cybersecurity of connected medical devices.
UL’s 2900-2-1 was developed in collaboration with the American National Standards Institute (ANSI) per the request of the US Office of Personnel Management (OPM), said Fernando, who also serves as a member of the US Department of Health and Human Services’ Health Care Industry Cybersecurity Task Force. UL received directions from OPM to look at the standards landscape, get to the root cause of unintended consequences, such as data privacy breaches, and then develop standards that would address any gaps it found during its analysis.
Known as, ANSI/UL 2900-2-1—Standard for Safety Software Cybersecurity for Network-Connectable Products Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems, the standard received official FDA recognition via modifications
to the agency’s list of recognized voluntary consensus standards for medical devices set forth in June.
Adoption of recognized consensus standards allow for greater consistency across multiple regulatory jurisdictions for cybersecurity risk management frameworks.
Further, FDA requires manufacturers to include data on mitigation measures as part of premarket submissions for devices that present a cyber risk—as reinforced in draft guidance issued
last month to update 2014 premarket cybersecurity policies. ANSI UL 2900-2-1 can enable this type of data collection for premarket submissions, though it is the second of two newly recognized standards developed by UL and ANSI for the cybersecurity of connected medical devices.
The first—ANSI/UL 2900-1: Standard for Safety Standard for Software Cybersecurity Network-Connectable Products Part 1: General Requirements—was recognized by FDA in 2017 and provides a general set of requirements that creates commonalities across multiple critical infrastructure sectors.
From UL’s perspective, the first standard should be applied in conjunction with the second standard as part of a two-pronged approach for the cybersecurity of connected medical devices.
The first step manufacturers should take is to “recognize that hospitals don't just use medical devices,” Fernando argued. Hospitals have all kinds of infrastructure, such as backup generators and elevator controls, and when products from other sectors are not regulated as healthcare products but are integrated with connection points to hospital networks, problems can arise. For example, a person may be able to access elevator controls going in one direction of a hospital network and on that same network also have the ability to access a ventilator.
Thus, the first prong applies to products that are being made for general purposes to satisfy the same baseline of requirements that FDA-regulated medical devices have to meet, Fernando said. The second prong of the approach is to “use a risk-based set of standards that looks at the relative safety and security risk for devices” in terms of their integration into a healthcare network, according to Fernando. Both standards were developed last year, but ANSI/UL 2900-2-1 did not receive FDA recognition until this year due to process delays, he noted.