June 19, 2018
Device submissions to the FDA may now leverage testing and declarations of conformity to UL 2900-2-1 to streamline product review. The announcement follows the FDA's 2017 recognition of UL 2900-1 and provides manufacturers and developers with tools to meet the FDA's evolving expectations for medical device cybersecurity risk mitigation.
Most FDA premarket reviews in the regulatory approval process fall under the 510(k) Premarket Notification program. UL 2900-2-1 assists in this process, as submissions must include data regarding steps taken to mitigate cybersecurity risks.
The new standard's requirements provide manufacturers and developers a way to improve and demonstrate the safety of network-connectable devices and accessories. The test methods and risk assessment requirements in these standards apply to all medical devices and accessories, medical device data systems, in-vitro diagnostic devices, and health information technology.
UL 2900-2-1 is the result of a collaborative effort among multiple stakeholders, led by UL technical experts, and was developed under ANSI's essential requirements. The standard provides industry and regulators with a consistent framework to assess cybersecurity risks in medical products.
UL provides testing and security assessments, including the UL Cybersecurity Assurance (CAP) Certification. Based on UL 2900-2-1, CAP provides a framework to ensure risks from known vulnerabilities and malware have been addressed through structured penetration testing, evaluation of product source code, and analysis of the software bill of materials (SBOM). The program also assists manufacturers with managing compliance throughout the product lifecycle to meet the FDA's post-market cybersecurity expectations.