USA – UL Wades into Cybersecurity of Connected Medical Devices

Safety science firm UL is homing in on the cybersecurity of connected medical devices, suggesting a two-pronged approach that spans the total product life cycle of devices and the healthcare ecosystem.

UL began wading into healthcare as the sector increasingly became a prime target for cyber attacks in recent years, Anura Fernando, UL chief innovation architect of medical systems interoperability and security, told Focus. Factors that drove its decision to join the movement around medical device cybersecurity include growing healthcare costs, partly due to an aging population, and clinician shortages hindering hospitals’ ability to keep pace with technological developments.

Standards on Cybersecurity 

A new consensus standard developed by UL recently received official US Food and Drug Administration (FDA) recognition as the first recognized standard that specifically targets testing and certification for the cybersecurity of connected medical devices.

UL’s 2900-2-1 was developed in collaboration with the American National Standards Institute (ANSI) per the request of the US Office of Personnel Management (OPM), said Fernando, who also serves as a member of the US Department of Health and Human Services’ Health Care Industry Cybersecurity Task Force. UL received directions from OPM to look at the standards landscape, get to the root cause of unintended consequences, such as data privacy breaches, and then develop standards that would address any gaps it found during its analysis.

Known as ANSI/UL 2900-2-1—Standard for Safety Software Cybersecurity for Network-Connectable Products Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems, the standard received official FDA recognition via modifications to the agency’s list of recognized voluntary consensus standards for medical devices set forth in June…