Medical Device Cybersecurity Q&A

In the UL Cybersecurity Assurance Program (CAP), we evaluate both the processes and the product across the full product life cycle. We use standards such as IEC 81001-5-1, for instance, when the focus is on the process. If the focus is more on the product and product testing, we can use UL 2900-2-1, the Standard for Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems. That standard relies on some of the test procedures that are established in UL 2900-1. We can also look at the various specific risk management activities. When we look at the processes, we first determine whether the product is properly characterized and whether the interface is identified. We also look at how the risk management process maps to that product, which is a core tenet of a number of these standards, including, UL 2900, IEC 81001-5-1 and AAMI TIR57.

In the concept of operations, when you begin thinking about the hazards and risks of the system and the initial technologies you may use to create your solution, that's when you want to start risk management activities and early threat modeling. ISO 14971 lays out the general risk management process. IRS Publication 1345 deals with how policies and procedures drive those activities. These types of activities then feed into conformity assessment when we use various standards to generate UL CAP certificates.

We then look at how that early thinking drives the architecture and the requirements at the system level that grow into the detailed design and specific development activities that help ensure security, such as selecting the right security controls. We determine whether there’s integration testing and confirmation of those security controls, whether they're working to prevent safety controls from being compromised by the introduction of security controls, and vice versa. We evaluate the overall system — the full product, not just the components — to evaluate whether its normal operational states can be achieved and whether, under certain threat actions, those functions are still intact with no denial of service.

We perform verification on maintenance as well. We determine whether there are working processes for product patches and updates and what the processes and security controls are around them. Finally, in decommissioning, UL 2900 goes into zeroization and determines whether sensitive data is properly deleted when the product is disposed of.

The benefit is that assessment to multinational and internationally recognized standards is done domestically. Several of these standards, including UL 2900, are referenced globally in documents such as the International Medical Device Regulators Forum (IMDRF). They are also recognized by the U.S. Food and Drug Administration as consensus standards. Assessment helps to demonstrate compliance and navigate the regulatory process. Many end-users also look for this level of compliance and risk management for procurement risk assessments.

To clarify, this doesn’t need to be multiple assessments. Many of these standards are referenced within one another. For instance, UL 2900 references IEC 62304, AAMI TIR57, ISO 14971, IRS Publication 1345 and IEC 81001. So when a UL 2900 evaluation is performed for medical devices, all of those standards are factored in, and all the pieces fit with each other. The Human-Technology-Organization (HTO) approach to information technology (IT) risk management feeds into the risk management process that happens under the quality management system (QMS) and then drives the software development life cycle (SDLC) activities. These are tested based on threat models. All of these activities are covered by those standards and can be captured with a single certification. There is no need to complete several individual certifications to achieve this.

Yes, UL Solutions has a global presence with locations in 80+ countries, and we provide local language support. Even if testing has to be done in a different region because of laboratory capabilities for the particular testing you need, we strive to deliver local support in your language as much as possible.

Many medical device manufacturers know that people are going to continue to use your product even after you can no longer support it, so you should have the legal mechanisms in place to disconnect yourself from it if your user decides to continue to use your product even after you cannot support it. For instance, if a hospital continues to use a product after you no longer support it, medical device manufacturers should very clearly communicate the nature of the lack of support and the risks involved in continued use. In a framework of shared responsibility, the hospital then needs to establish an in-depth layer of protection and an approach to security control to effectively protect patients’ safety after choosing to continue to use that technology.

There are several possible aims of an attack on a medical device, including the following:

• The attacker may specifically target the medical device either to gain access to information contained in the device or to interfere with the device’s operation. 
• An attacker may be creating general-purpose malware for data harvesting to achieve other purposes, such as creating a botnet, sending spam or mining bitcoins.
• The attacker may wish to exploit assets via other vulnerable connected devices or through the network that the device is connected to, such as PII or insurance information. In this case, the attacker would use the device as an entry point to access the network or other computing equipment.

Regulators expect device manufacturers to:

• Integrate cybersecurity into quality management systems (QMS) per ISO 13485, risk management systems (RMS) per ANSI/AAMI/ISO 14971 and AAMI TIR57/92, and  SDLC   processes per ISO 62304.
• Use cybersecurity guidance documents — e.g., U.S. Food and Drug Administration (FDA), Healthcare, Australian Therapeutic Goods Administration (TGA), European Commission Medical Device Cybersecurity Guide (MDCG) — and standards, such as UL 2900, as best practices to define, integrate and address regulatory requirements for cybersecurity processes and products.
• Verify the effectiveness of security controls through cybersecurity testing, including vulnerability scanning, fuzz testing, penetration testing, source code analysis and malware testing.
• Compile documentation for regulators, e.g., for FDA 510(k) submission, demonstrating your device’s cybersecurity.

A range of job functions can use the UL 2900 Series of Standards. For example:

• Regulators use UL 2900 to determine whether a product can be considered safe and effective for legal market clearance, improve throughput, and establish clear and testable requirements.
• Manufacturers can use it to inform their product design inputs and processes, self-assessment and continuous improvement activities, as well as to help reduce cybersecurity risks.
• Certifiers can use UL 2900 to perform conformity assessments and gap analyses and generate objective evidence of compliance with cybersecurity requirements.
• Health delivery organizations (HDOs), such as hospitals and coordinated groups of physician practices, can use UL 2900 for procurement, asset management and integration risk management.

Insurance companies can use UL 2900 to calculate cyber-risk insurance to mitigate product liability and cyber-risk loss, which may be impacted favorably by compliance with standards.

Manufacturers would like to have one set of regulatory and commercial cybersecurity requirements rather than dozens of guidance documents and standards. Manufacturers would also like to have the means to demonstrate conformity with such requirements to help streamline market access and procurement processes. UL 2900 helps address these challenges by offering transparent and testable cybersecurity criteria. UL 2900 can be used across industries to repeatably and reproducibly measure the cybersecurity posture of products. The standard addresses the basic cyber hygiene of products with technical criteria based on existing industry best practices and guidance documents. The standard uses a flexible approach applying risk management framework. UL 2900 has gained wide acceptance by involving various industry stakeholders, such as manufacturers and certifiers, during Standard development.

The Data Acceptance Testing Laboratory (DATL) program enables a customer to extend the capabilities of their existing cybersecurity laboratories to conduct testing with the intention of certification to the UL 2900 Series of Standards.

An appropriate laboratory environment, laboratory processes, test methods, competent personnel, approved equipment and tools, and appropriate consumables qualify a DATL to perform verification, evaluation and testing. UL Solutions determines eligibility through ongoing technical and quality assessments of the customer’s practices and policies.

DATL helps customers meet their cybersecurity goals by driving best practices through product development. The validation of the customer’s laboratory means that their practices and policies are confirmed by UL Solutions, a trusted, independent third party. This can help customers increase their return on investment (ROI), extend their existing laboratory capabilities from internal specifications to address the compliance needs of product divisions, differentiate and demonstrate leadership in a competitive market, reduce their products’ time to market, enhance their cybersecurity posture, and promote cybersecurity thought leadership.

The threat landscape and cybersecurity posture of your devices, systems and applications continually change as manufacturers develop new features, modify existing ones, and identify and disclose new attack vectors and vulnerabilities. We strongly recommend recertification to demonstrate ongoing cybersecurity readiness to the market and regulatory bodies.

When there are major changes to your product, UL Solutions can perform delta analysis and determine which tests need to be repeated to maintain the certification.

No, UL 2900-2-1 is not mandatory for FDA 510(k) submissions.

UL 2900-2-1 was written to address FDA cybersecurity expectations, the Standard closely aligns with the FDA’s cybersecurity guidance, and it is an FDA-recognized consensus standard for cybersecurity. This means that all documentation review and testing performed as part of UL 2900-2-1 certification can be used for premarket submissions. However, the FDA is the final approving authority for all FDA 510(k) submissions and, therefore, reviews all submissions and data.

As a trusted, independent third-party provider, UL Solutions leverages our deep industry knowledge and technical expertise in the full cybersecurity life cycle to offer comprehensive advisory, testing and certification services that help organizations manage cybersecurity risks and validate cybersecurity capabilities to the marketplace. Based on  UL 2900 and other industry standards, UL CAP supports manufacturers, end-users, and system installers and integrators in promoting cybersecurity, privacy and safety.

Industry stakeholders frequently engage UL Solutions for assistance in resolving issues after receiving an Additional Information request or Refuse to Accept notice from the FDA. Two common issues are insufficient cybersecurity documentation and missing or insufficient cybersecurity test data. These issues result in additional work, delays in launching products in the marketplace and greater financial investments.

UL 2900-2-1 aligns with FDA cybersecurity expectations, and our global team of security analysts has long-standing expertise in supporting customers in navigating these expectations. Although it is possible to use other consensus standards to generate the documentation and test data required by the FDA, using UL 2900-2-1 offers a more efficient process that can lead to UL Solutions certification and help streamline FDA acceptance.