Skip to main content
Welcome to the cutting edge of safety science—Learn more about our rebrand.
  • Feature Story

FDA Recognizes UL 2900-1 Cybersecurity Standard for Medical Devices

September 12, 2017

A baby in a neonatal intensive care unit depends on a heart monitor for her survival. In an emergency room, a diabetic is quickly connected to an insulin pump to bring down his blood sugar levels. In nearly every hospital across the country, patient medical records are now online. But while healthcare providers are busy treating these patients, another kind of virus looms the halls of hospitals around the world.

Malicious programming codes, such as ransomware spread by viruses and worms, and cyberattacks targeted at medical devices and IT networks, cause considerable disruption to hospital systems and healthcare companies. In fact, the average cost of a health care breach is estimated to be more than $2.2 million. When a cyberattack occurs, not only does it threaten the security of confidential patient medical records, but it can also endanger the safety of patients as well as the reputation of hospitals and device manufacturers.

“In the case of healthcare infrastructure, when data is compromised, people’s lives can be at stake. Hospitals contain thousands of medical devices that could potentially be vulnerable to real-time attacks, increasing the need to prepare and respond to the latest threat-mitigation efforts,” says Anura Fernando, principal engineer for UL’s Medical Systems Interoperability and Security business.

As Internet of Things (IoT) technologies increasingly move into healthcare, assessing interconnected systems and their software vulnerabilities and weaknesses before an attack occurs is critical. Healthcare regulators, such as the Food and Drug Administration (FDA), are working to keep pace with these fast-evolving technologies.

Related , Cybersecurity of Medical Devices and UL 2900

One way the FDA is staying ahead of IoT cybersecurity is through its recent guidance to manufacturers. In 2016, the FDA issued guidance that set forth basic security recommendations, including multifactor authentication, user access limits, strengthened passwords, layered authorization and breach detection procedures.

The FDA has officially recognized The UL Standard, now published in the US Federal Register:  UL 2900-1 Ed. 1 2017, Standard for Software Cybersecurity Network-Connectable Products, Part I: General Requirements.

The Standard covers evaluations and tests of network-connectable devices as it relates to vulnerabilities, malware and software weaknesses. Medical device manufacturers can demonstrate that they meet FDA guidance through compliance with the specified UL Standard.

In tandem with the FDA’s recognition, the American National Standards Institute (ANSI) has adopted UL 2900-1 as a national consensus Standard.

UL 2900-1 was conceived and developed in alignment with current FDA pre- and post-market cybersecurity guidance, as well as the ANSI canvass guidelines.

“We have had a true partnership with a cross-section of stakeholders from the very beginning,” says Fernando. “We invited producers, consumers, regulators, academia and a variety of other industry experts to participate in our Standards development process and made sure to model the Standard around FDA guidance as well. At the end of the day, we did not create something in isolation; it is a truly collaborative set of documents that strongly reflect the current regulatory thinking and submission process.”

“This is significant because it gives manufacturers a lot more confidence. Right now, medical device manufacturers must go through the FDA process to enter the market legally. When you complement that process with a very clear set of requirements, as we’ve developed in UL 2900, there’s a higher probability of a manufacturer’s medical device receiving clearance on the first pass.”