USA – CRADA report from UL and US VA: Procurement as driver of medical device cybersecurity

A new report issued by the US Department of Veterans Affairs and UL suggests that along with regulation, procurement policies at healthcare purchasing organizations will play an increasingly significant role in driving medical device cybersecurity risk management efforts.

The recent Cooperative Research and Development Agreement (CRADA) report examines cybersecurity risks posed by connected medical devices, and how device manufacturers and healthcare providers can better collaborate to effectively manage these risks.

The report takes into account various moving parts in the complex issue of managing cybersecurity risk within the Internet of Medical Things (IoMT), including the potential for healthcare providers and systems to establish more rigorous cyber standards and requirements as part of their connected medical device procurement processes. While device manufacturers and software developers prepare for compliance with evolving cybersecurity-related regulations from US FDA and other market regulators, these companies will also face increasing pressure from healthcare delivery organizations (HDOs) and general purchasing organizations (GPOs) to demonstrate proper cybersecurity risk mitigation measures and controls.

VA oversees a healthcare network serving nine million patients in the US, and entered into the CRADA with UL in order to identify methods for more effective lifecycle management of connected devices while minimizing cyber risks and vulnerabilities…