October 16, 2019
NORTHBROOK, ILLINOIS – Oct. 16, 2019 – The U.S. Department of Veteran Affairs (VA) and UL , a global safety science organization, today announced the completion of a two-year Cooperative Research and Development Agreement (CRADA) Program for medical device cybersecurity. As medical devices are susceptible to cybersecurity attacks, creating both patient safety risks and disclosure risks for protected health information, the VA and UL sought to address an existing gap in the marketplace for cybersecurity standards and practical certification approaches for connected medical devices.
With the Internet of Medical Things (IoMT) revolutionizing patient care, increasing efficiency and improving healthcare quality, the VA aimed to find solutions for securing large-scale IoMT device deployments supporting mission-critical care delivery for roughly nine million patients under its care. Historically, patching and reconfiguring devices to extend service lifetimes has resulted in devices with outdated, vulnerable software, presenting cybersecurity challenges, and in turn, greater patient risk. Between 2016 and 2018, VA and UL used the UL 2900 Series of Standards as a benchmark to identify critical cybersecurity vulnerabilities in connected medical device deployment and lifecycle management as well as create baseline cybersecurity requirements for medical device manufacturers.
"The VA and UL teams drove the exchange of information between public and private sector knowledge and approaches to patient safety and security,” said Anura Fernando, chief innovation architect, Life and Health Sciences, UL. "This collaboration helped us uncover new insights and further accelerate the sharing of medical device cybersecurity information, standards and lifecycle requirements with the intention of benefiting not only the VA hospital system but also the larger U.S. healthcare system of providers and manufacturers.”
As part of the CRADA project, a task group of VA, UL and public sector and private collaborators convened to address healthcare technology challenges by identifying security gaps between in-home and in-facility care, ensuring product functionality for FIPS 140-2 compliance and accelerating the adoption of leading-edge equipment. The team also conducted a simulated “hacking” demonstration at a Veterans Health Administration (VHA) site in Tampa, Fla., using ICU Medical’s Plum 360 Infusion Pump, a UL 2900 certified medical device.
The task group worked closely for two years to test hypotheses and expand their knowledge of medical device cybersecurity. Key CRADA findings include:
- VA’s use of UL 2900 Series of Standards and related product testing and certification can accelerate the adoption of innovative healthcare technologies through improved pre-procurement product vetting and post-procurement product management.
- Testing and certification to UL 2900 provided VA staff greater confidence in the product development process, product security control design evaluation and post-market patch management support being offered by manufacturers.
- Compliance with UL 2900 enhanced endpoint security improved the balance of network security controls with product security controls, providing improved allocation of cybersecurity resources to focus limited resources on priority threats to veterans’ security and safety.
“As the VA is dedicated to the safety and security of veterans, this report is reflective of two years of close collaboration among private and public sector experts in healthcare and cybersecurity,” said Marc Wine, director, Technical Integration Support and Industry Liaison, U.S. Department of Veterans Affairs. “The report findings will help the VA ensure safety for its patient community while also serving as a model for how we can continue to drive innovation within the larger healthcare ecosystem.”
For more information on this CRADA for medical devices cybersecurity standards and certification approaches, read the full report here.
For more information on the UL Cybersecurity Assurance Program and the UL 2900 Series and Standards, visit UL.com/cybersecurity. For product testing, evaluation or certification questions, email ULCyber@ul.com.
About UL
UL helps create a better world by applying science to solve safety, security and sustainability challenges. We empower trust by enabling the safe adoption of innovative new products and technologies. Everyone at UL shares a passion to make the world a safer place. All of our work, from independent research and standards development, to testing and certification, to providing analytical and digital solutions, helps improve global well-being. Businesses, industries, governments, regulatory authorities and the public put their trust in us so they can make smarter decisions. To learn more, visit UL.com.