
 

October 16, 2019
by Zachary Brennan

VA Works With UL to Ensure Cyber Safety of Connected Devices

The US Department of Veterans Affairs (VA) recently completed a two-year Cooperative Research and Development Agreement (CRADA) for medical device cybersecurity with UL, a science safety organization that has cybersecurity standards and conformity assessment programs.
 
Between 2016 and 2018, the VA used the UL 2900 Series of Standards as a benchmark to identify critical cybersecurity vulnerabilities in connected medical device deployment and lifecycle management, as well as to create baseline cybersecurity requirements for device manufacturers.
 
Anura Fernando, chief innovation architect of medical systems interoperability and security at UL, explained to Focus that the VA saw an increasing number of cyberattacks and needed to implement a continuous improvement plan. The CRADA “wasn’t in response to any one thing, but as part of a way to see how these new standards can help,” Fernando said.
 
According to a final report on the CRADA, the UL cybersecurity standards offered the VA a way to protect its sensitive data through greater reliance on product-level security controls, while minimizing the amount of data requiring sensitive status designation and maintaining confidentiality of personally identifiable information and protected health information.
 
Moving forward, Fernando pointed to the recent guidance from the International Medical Device Regulators Forum on cybersecurity as a good start to steer the direction of the conversation. “But when we look at a more granular level of the principles, then you have to go to the standards and specifications,” he said. “It’s great to have these aspirational policies but we need standardization to keep policies implemented.”

Meanwhile, the US Food and Drug Administration (FDA) recently said it would go back and revise draft guidance on premarket submissions for managing cybersecurity after pushback from stakeholders.
 
Fernando also said there’s a “huge disparity in the capabilities across device manufacturers” in terms of how they disclose security-related information so system administrators and the US Food and Drug Administration (FDA) can react. There are a lot of different types of manufacturers and hospital capabilities, he noted, adding that “big-name hospitals have strong teams using tough products, but others can barely manage risk, let alone have focused areas dedicated to cybersecurity.”
 
Although Fernando said that “there have been no specific patients targeted by hackers” yet, when events like “WannaCry” occur, patients are put “at risk from multiple points of view,” and may not have access to certain parts of their records or may have to be transferred from one hospital to another because of the cyber threats.