January 21, 2020
Connected medical devices are revolutionizing patient care in the 21st Century, helping to improve the quality of healthcare services and increasing operational efficiencies. But, as with most connected devices today, cybersecurity risks are a growing concern, with potentially significant consequences for the health and safety of patients.
Fortunately, a major healthcare delivery organization (HDO) in the U.S. has taken a proactive approach to strengthen its cybersecurity practices related to medical devices that may well provide a roadmap for other institutions.
The U.S. Department of Veterans Affairs (VA) and UL completed a two-year study into the VA’s standards and protocols for assessing medical device cybersecurity. The study revealed that the VA’s own practices related to the procurement of medical devices could be advanced by adopting new industry standards as the baseline requirement for assessing the cybersecurity of medical devices.
“The cybersecurity threat landscape is continually changing,” noted Anura Fernando, chief innovation architect at UL’s Life and Health Sciences group. “We expect that our partnership with the healthcare and cybersecurity specialists at the VA will help pave the way to a more flexible and dynamic approach in ensuring medical device cybersecurity throughout the VA hospital system and beyond.”
The healthcare system managed by the VA is one of the largest in the U.S., with more than 160 hospitals and healthcare facilities around the country serving more than nine million military veterans. Procurement considerations for the cybersecurity of connected medical devices are detailed in VA Directive 6550, “Pre-Procurement Assessment and Implementation of Medical Devices/Systems.”
But verification of compliance with the requirements of the VA Directive largely depends on attestations submitted by vendors in connection with a VA request for proposals (RFP). These attestations are then reviewed by VA biomedical engineering professionals, who must collect or prepare extensive additional information, including an enterprise risk analysis (ERA), to validate compliance with the requirements of the Directive.
Given the shortage of qualified cybersecurity professionals, the VA wanted to explore alternative approaches to the way in which it conducted device assessments. And, given the potential vulnerability of legacy devices over time, the VA also sought an approach that would support the assessment of cybersecurity issues throughout the entire lifecycle of a given device.
Under the terms of a Cooperative Research and Development Agreement (CRADA), the VA partnered with UL in 2016 to study whether adopting the UL 2900 series of cybersecurity standards as a condition of procurement could help address these concerns. The study included an evaluation of the VA’s current threat landscape and a thorough review of the VA’s current practices related to the cybersecurity of medical devices.
The study also involved a detailed comparison between the VA’s existing cybersecurity requirements for medical devices and the requirements of the UL 2900 series. That comparison found equivalence between the two requirement sets across 174 separate factors. Finally, the study included a simulated “hacking” demonstration of a UL 2900 certified medical device at a VA hospital in Tampa, Florida, to validate the effectiveness of the secure design principles promoted by the UL 2900 standards.
According to both the VA and UL, the study concluded that applying UL 2900 could provide an alternative pathway to significantly speed the pre-procurement product assessment process as well as improve post-procurement cybersecurity performance. The study also determined that compliance with UL 2900 would help improve the allocation of cybersecurity resources, allowing VA cybersecurity professionals to focus more attention on new technology adoption and emerging threats to safety and security.
“The report (on our study) reflects the two years of close collaboration among private and public sector experts in healthcare and cybersecurity,” said Marc Wine, director, Technical Integration Support and Industry Liaison with the VA. “The report findings will serve as a model for how we can continue to drive innovation within our larger healthcare ecosystem.”
Want to learn more? Read the complete text of the final report of the UL/VA CRADA on medical device cybersecurity.