As the healthcare ecosystem becomes increasingly interconnected and reliant on computing and communication technologies, it has become important to understand why and how these systems face attacks, what kinds of data require privacy and what kinds of data can lead to potential patient safety concerns.
In 2015, after a significant cybersecurity breach in the United States (U.S.) Office of Personnel Management, a number of U.S. government agencies began to explore why these attacks could still happen. The U.S. Department of Homeland Security collaborated with UL Solutions and other industry partners to develop a cybersecurity assurance program to test and certify networked devices within the Internet of Things (IoT), so that when U.S. consumers buy a new connected product, whether it is a refrigerator or medical infusion pump, they can have confidence that it is certified to meet security standards. Various government agencies, including the Food and Drug Administration (FDA), National Institute of Standards of Technology (NIST), and the Department of Justice, provided input into a core set of cybersecurity requirements, including the NIST Framework for Improving Critical Infrastructure. Healthcare and wellness devices and systems are included in this critical infrastructure.
UL Solutions created the UL Cybersecurity Assurance Program (UL CAP) to support manufacturers, end-users and system installers and integrators in promoting good cybersecurity hygiene in building, installing and maintaining products and systems. Based on the UL 2900 Series of Standards, which includes UL 2900-1, the Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, published in July 2017, and UL 2900-2-1, the Standard for Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems, published in September 2017, UL CAP helps organizations understand how to manage their cybersecurity risks and demonstrate their cybersecurity capabilities to the marketplace.
UL 2900 Series of Standards
The UL 2900 Standards are used to provide objective evidence that software weaknesses and vulnerabilities have been appropriately dispositioned and further confirmed via penetration testing, and that this management continues throughout the life cycle. Compliance with the UL 2900 Standard establishes that manufacturers have characterized and documented the technologies that could constitute an attack surface in their products. It requires threat modeling based on intended use and relative exposure. Compliance demonstrates the effective implementation of security controls protecting both sensitive data, such as personally identifiable information (PII) and protected health information (PHI), and other assets, such as keys or command and control data. UL 2900 promotes the use of defensive design (for example, defense-in-depth and partitioning) and helps enhance system robustness, for example through testing techniques such as fuzz testing/malformed input testing.
UL 2900 covers procedures including:
- Monitoring for security events
- Logging security events
- Managing security logs
- Updating software to address safety, essential performance and security issues
- Handling failures in the software update process, e.g., rollback
- Component purchasing controls to minimize supply chain attack surface
- Pre- and post-market management of sensitive data
- Remote product management
- Decommissioning, e.g., purging of PII/PHI when the product is discarded or resold
Complementary standards for total product life cycle support
Several standards work together to support the security of medical devices throughout their full life cycle:
- UL 2900-1 addresses the testing of security attributes and controls.
- UL 2900-2-1 addresses the integration of safety and security.
- IEC 81001-5-1 covers the management of software development risks (which, in the context of UL 2900, can help organizations identify the types of risk and challenges a manufacturer’s product introduces to the customer when integrated into their environment, and how to support customers during setup).
- AAMI TIR 57 addresses the management of product security risks and is informatively referenced in UL 2900-2-1.
- ISO 13485 helps the manufacturer minimize specific systematic product defects.
- A quality management system (QMS) drives risk management to the ISO 14971 standard, which can be tailored for security using standards such as AAMI TIR 57.
Various connectivity standards also factor into the total life cycle support of medical devices, including:
- Interoperability standards, such as Health Level 7 (HL7), Fast Healthcare Interoperability Resources (FHIR), Digital Imaging and Communications in Medicine (DICOM), Open Integrated Clinical Environment (ICE)
- Connectivity technology security, such as Secure Sockets Layer (SSL), Secure Shell (SSH), Secure/Multipurpose Internet Mail Extensions (S/MIME) and Pretty Good Privacy (PGP)
- Communication capabilities, such as Hyper Text Transfer Protocol (HTTP), File Transfer Protocol (FTP), Remote Procedure Call (RPC), Internet Protocol Security (IPSec), Point to Point Tunneling Protocol (PPTP), Layer 2 Forwarding (L2F) and Layer 2 Tunneling Protocol (L2TP)
- Transport layer standards, such as Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Protocol (IP), Network Time Protocol (NTP), Distributed Data Processing (DDP) and Recursive Internet Network Architecture (RINA).
- Physical implementation, such as Ethernet, Wi-Fi, Bluetooth® and Zigbee.
Product life cycle phases:
- Concept of operations
- Requirements and architecture
- Detailed design
- Integration, test and verification
- System verification and validation
- Operation and maintenance
Who can use the UL 2900 family of Standards
Manufacturers can use UL 2900 for designing products, self-assessment, continuous improvement and full life cycle controls, and various organizational functions within the manufacturer’s organization may get involved with these efforts and use UL 2900:
- Research and development (R&D) – UL 2900 analysis and testing can provide early feedback about security process and product gaps to help mature the cybersecurity posture even during early phases of R&D.
- Product management – Product managers can use UL 2900 to build a checklist of issues that need to be addressed to establish an acceptable baseline of security.
- Regulatory affairs – UL 2900 is an FDA-recognized consensus standard to which the International Medical Device Regulators Forum (IMDRF) also refers; UL 2900 can factor into manufacturers’ global regulatory submissions.
- Quality – UL 2900 integrates security into manufacturers’ QMS.
- Software development – UL 2900 provides specific security targets for addressing weaknesses and vulnerabilities.
- Product security – UL 2900 can help set product security expectations across the manufacturer’s organization.
Healthcare delivery organizations (HDOs) can use the UL 2900 Standard as part of their procurement process, for asset management through review of certificates, and for integration risk management, as they look at how to connect a device into their broader network and determine what manufacturers and developers need to consider when putting it into their environment. The UL 2900 Standard can be used by certifiers (such as UL Solutions) to perform repeatable, reproducible testing, and to issue third-party product certification and recertification.
Regulators can also use UL 2900. For instance, the U.S. FDA has recognized UL 2900 as a consensus standard to establish safety and effectiveness. Regulators also use UL 2900 to improve throughput; for example, there are discussions about getting UL 2900 into the Accreditation Scheme for Conformity Assessment (ASCA), which is a relatively new mechanism used to work with third parties to accept certifications. UL 2900 is also used to establish clear and testable requirements. We work with regulators around the world to help educate them on how to use these standards.
Local and global regulatory bodies referring to UL 2900
There are global organizations, such as the International Medical Device Regulators Forum (IMDRF) and its member states Australia, Brazil, Canada, China, European Union, Japan, Russia, Singapore, South Korea, United Kingdom (U.K.), and the U.S., that have collaborated to establish cybersecurity management guidance. IMDRF’s latest guidance document also references UL 2900, an indicator of the Standard’s value to many countries around the world. In addition to UL 2900 being referenced in this international context, many countries (including Australia, Canada, China, France, the U.S. and Vietnam) have referenced UL 2900 in their local or regional guidance documents.
UL Cybersecurity Assurance Program (UL CAP) certification services
Certification of a product, component, device or system is based on standardized, testable criteria to assess and benchmark software vulnerabilities and weaknesses that can impact cybersecurity hygiene.
This certification provides independent assessment/evaluation of an organization’s cybersecurity due diligence to end customers and other stakeholders according to the UL 2900 Series of Standards.
It includes an organizational assessment and the following tests:
- Penetration testing
- Security control verification and validation
- Robustness testing/fuzz testing
- Static source code analysis
- Static binary/bytecode analysis
- Known vulnerability and malware testing
UL Solutions offers these tests not only as part of certification so manufacturers can bring a product to market, but also during R&D, development activities or post-market.
UL 2900-2-1 evaluation process
The UL 2900-2-1 evaluation process can be implemented flexibly depending on how and when an organization is engaging with UL Solutions. We can help manufacturers understand at early development stages how the UL 2900 Standard can be applied to their product.
- Phase 1, documentation and process assessment, includes quality management system (QMS), risk management (RM) and software development life cycle (SDLC) process review, and product document review.
- Phase 2, Office of Security Management, includes static source code analysis, static binary and byte code analysis, and malware testing. The full product does not need to be completely developed in order for manufacturers to engage with UL Solutions for this phase of evaluation.
- Phase 3, product testing, includes confirmation of security controls, structured penetration testing, and malformed input testing (fuzz testing).
UL Solutions’ unique penetration testing methodology for UL 2900 is structured as follows:
- We start with the threat model, which establishes critical components and their potential exploitability for risk management.
- Then, in static binary and byte code analysis, we identify the software bill of materials (SBOM) components by their Common Platform Enumeration (CPE) identifiers, identify weaknesses, and determine whether existing weaknesses have sufficient controls around them to prevent their being exploited.
- In static source code analysis, we identify Common Weakness Enumeration (CWE) entries that may be exploited and so become Common Vulnerabilities and Exposures (CVEs).
- In known malware analysis, we identify malware that may be targeting specific CVEs or CWEs.
- Malformed input testing (fuzzing) identifies triggers for anomalous system behaviors that could be exploited.
Our structured penetration testing methodology derived from the preceding inputs then follows the traditional kill chain model to understand, anticipate, recognize and combat cyberattacks.
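The SBOM/CPE step above, worked as an added example (not UL Solutions' tooling): a constructed SBOM of CPE 2.3 strings is checked against constructed NVD-style records (placeholder CVE ids, hypothetical vendor and products) using NVD's half-open version ranges, including the boundary case where a component sits exactly at the excluded end version.

```python
"""Known-vulnerability check over an SBOM: identify CPE components, then look
them up against NVD-style records. All data below is constructed for
illustration; the CVE ids are placeholders, not real identifiers."""
from dataclasses import dataclass

# Constructed SBOM: CPE 2.3 strings (cpe:2.3:part:vendor:product:version:...).
SBOM = [
    "cpe:2.3:a:examplevendor:pumpfw:3.4.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplevendor:tlslib:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplevendor:tlslib:1.0.10:*:*:*:*:*:*:*",
    "cpe:2.3:o:examplevendor:rtos:7.2.0:*:*:*:*:*:*:*",
]

@dataclass
class NvdRecord:
    """One NVD-style applicability statement: affected product + version range."""
    cve_id: str                  # placeholder id
    vendor: str
    product: str
    version_start_including: str
    version_end_excluding: str   # half-open range, as NVD expresses it

NVD = [
    NvdRecord("CVE-0000-0001", "examplevendor", "tlslib", "1.0.0", "1.0.3"),
    NvdRecord("CVE-0000-0002", "examplevendor", "rtos", "7.3.0", "7.4.0"),
    NvdRecord("CVE-0000-0003", "examplevendor", "pumpfw", "3.0.0", "3.4.1"),
]

def parse_cpe(cpe: str) -> tuple:
    """Return (vendor, product, version) from a CPE 2.3 formatted string."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return fields[3], fields[4], fields[5]

def version_key(v: str) -> tuple:
    """Numeric tuple so 1.0.10 sorts after 1.0.2 (a string compare would not)."""
    return tuple(int(p) for p in v.split("."))

def in_range(version: str, start: str, end: str) -> bool:
    return version_key(start) <= version_key(version) < version_key(end)

def match_sbom(sbom, nvd) -> dict:
    """Map each SBOM CPE to the CVE ids whose product and range cover it."""
    findings = {}
    for cpe in sbom:
        vendor, product, version = parse_cpe(cpe)
        findings[cpe] = [r.cve_id for r in nvd
                         if (r.vendor, r.product) == (vendor, product)
                         and in_range(version, r.version_start_including,
                                      r.version_end_excluding)]
    return findings
```

Only tlslib 1.0.2 is flagged: pumpfw 3.4.1 equals the excluded end version, rtos 7.2.0 is below the start, and tlslib 1.0.10 is above 1.0.3 once versions are compared numerically.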
UL 2900 certification outputs
Medical device manufacturers receive a public UL 2900 certificate and a private report when they complete certification. The public certificate can be accessed by anyone and includes the manufacturer name, product details and other information that can help healthcare delivery organizations integrate the product into their systems; the public certificate also records the National Vulnerability Database (NVD) and UL Product iQ® database versions used.
The threat landscape and cybersecurity posture of a device, system or application continually change as new attack vectors and vulnerabilities are identified and disclosed, and customers develop new features and modify others. We strongly encourage recertification to demonstrate continued cybersecurity compliance to the market and regulatory bodies. If a product undergoes major changes, UL Solutions can perform delta analysis and determine which testing sections need to be repeated in order for the customer to maintain the certificate. The private report includes information that should be made public, including product details; attack surface, threat model and vulnerability details; and information about cybersecurity compliance, arguments and evidence.
Why choose UL Solutions and UL Cybersecurity Assurance Program?
Manufacturers often contact UL Solutions for assistance with resolving issues cited by the FDA when they receive an Additional Information request or Refuse to Accept notice for their medical device. Two commonly cited reasons are insufficient cybersecurity documentation and/or missing or insufficient cybersecurity test data. This can lead to more work, delays in launching products in the marketplace, and increased costs.
UL 2900-2-1 aligns with FDA cybersecurity requirements, and we leverage our deep expertise to support customers in navigating compliance requirements. While customers may use other consensus standards to generate the documentation and test data required by the FDA, UL certification through the UL Cybersecurity Assurance Program helps customers efficiently navigate the FDA acceptance process.