
Managing and validating capabilities through cyber security assurance
The Medical Cybersecurity Assurance Program (CAP) establishes standardized, testable criteria to assess software vulnerabilities and weaknesses in connected products and systems. These assessments help reduce the likelihood of exploitation, address known malware, enhance security controls and increase security awareness.
Medical CAP provides trusted third-party expertise to evaluate the security of network-connectable products and systems developed in-house or by a vendor. The program enables manufacturers to stay ahead of emerging threats while continuing to innovate.
Based on the UL 2900 series of standards, Medical CAP supports organizations in managing cybersecurity risks and demonstrating compliance with security standards.
Medical CAP's cybersecurity services
Certification
Medical CAP certifications are conducted through well-defined processes aligned with organizational quality standards such as ISO/IEC 17065:2012, Conformity assessment - Requirements for bodies verifying products, processes and services. The certifications demonstrate conformance to nationally and internationally recognized cybersecurity standards that are trusted by regulators, purchasers, customs officials and other key stakeholders involved in bringing healthcare technologies to market.
- IEC 81001-5-1, Health software and health IT systems safety, effectiveness and security, Part 5-1: Security – Activities in the product life cycle
- UL 2900-2-1, the Standard for Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems
- IEC 62443-4-1, Security for industrial automation and control systems, Part 4-1: Secure product development lifecycle requirements
Verification
Your product requirement specifications define what your product is intended to do, including how it resists cybersecurity threats that could put systems like hospitals at risk. Verifying that these requirements align with industry standards and include appropriate security controls is essential to achieving cyber resiliency before, during and after a cyberattack. UL Solutions offers independent third-party reviews of product specifications and security architecture, an approach long trusted in safety-critical software domains to help you strengthen security and reduce risk.
Testing
UL Solutions provides cybersecurity testing services in line with globally recognized standards, including ISO/IEC 17025, Testing and calibration in laboratories. We support industry frameworks such as Federal Information Processing Standards (FIPS) and Common Criteria (CC). Whether you're seeking early-stage insights to support research and development or require formal testing for regulatory procurement needs, we offer flexible testing options tailored to your goals.
Our testing services include:
- Static and dynamic application security testing (SAST/DAST)
- Penetration testing using realistic attack scenarios based on threat actor behavior
- Source code analysis, binary/bytecode review and software composition analysis
- Scanning for known vulnerabilities, open ports and services
- Malformed input testing and known malware detection
Auditing and inspection
Audits and inspections can help build more robust development and manufacturing processes to support the safety and security of new technologies. UL Solutions offers audit-based process certifications, third-party attestations and inspection services that align with industry-recognized frameworks. These services help organizations stay ahead of regulatory expectations and establish a strong foundation for cybersecurity risk management.
Examples of some of the frameworks we work within:
- AAMI TIR57: 2016, Principles for medical device security - Risk management
- ANSI/AAMI/UL 2800-1:2019, the Standard for Medical Device Interoperability
- AAMI CR34971:2022, AAMI consensus report - Guidance on the application of ISO 14971 to artificial intelligence and machine learning
Software
Software plays a central role in today's medical technologies, including embedded firmware, software as a medical device (SaMD) and complex systems with software-defined functions. With supply chain attacks and zero-day vulnerabilities as leading threat vectors, proactive software security has never been more critical. UL Solutions helps you assess your product's software architecture, identify potential weaknesses and implement security best practices across the full development life cycle.
Our software-focused services include:
- Software Bill of Materials (SBOM) generation – Visibility into third-party components to reduce supply chain risk
- Weakness analysis – Identification of vulnerabilities early in development
- Secure life cycle support – Guidance on maintaining cybersecurity from design to decommission
Data insight
Understanding and responding to real-world cybersecurity incidents requires the ability to make sense of complex data, including event logs and test reports. Whether your product has been compromised in the field or you're seeking to prevent future breaches, UL Solutions helps organizations turn data into actionable insights. Our engineers work with your team to analyze vulnerabilities, identify attack vectors and develop meaningful security metrics to guide product improvement over time.
Our data-driven services include:
- Vulnerability management – Identify, track and prioritize issues based on real-world impact
- Sensitive data management – Strengthen controls around high-risk data types
- Test result analysis – Interpret findings to refine controls and support incident response
Advisory
Making a product secure by design starts long before development begins. UL Solutions offers advisory services that support you from the earliest stages of product ideation, helping you assess technologies, reduce attack surfaces and avoid regulatory pitfalls. Our team provides expert input on failure modes, architecture choices and threat modeling to support robust cybersecurity from concept to retirement.
Our early-stage and life cycle advisory services include:
- Threat modeling – Identify potential threats and define mitigations early
- Secure by design – Embed security into your architecture from the ground up
- Cyber regulatory guidance – Navigate complex requirements with clarity and confidence
Learning and development
Keeping pace with evolving cybersecurity demands requires a workforce that's continually learning. UL Solutions can help your organization build internal cybersecurity competencies through tailored training programs and ongoing professional development. Whether you need to upskill current staff, onboard new team members or meet quality management system (QMS) requirements, we provide practical training grounded in real-world applications across the medical device industry and beyond.
Our training and capability-building support includes:
- Custom training programs – Targeted content based on your products, team and goals
- Securing programmable electrical medical systems (PEMS) – Expert-led training specific to PEMS devices
- Cross-industry insights – Learn how others are successfully managing similar technology risks
Field evaluation
UL Solutions offers flexible field evaluation services to meet your logistical or operational needs, including on-site testing, remote observation or assistance setting up your own testing facility. We provide options that accommodate complex product portfolios and hard-to-move equipment. For organizations managing extensive in-house testing, we also offer participation in our Data Acceptance Test Laboratory (DATL) program.
Flexible support where you need it:
- On-site evaluation – Testing conducted within your facility
- Tele-support – Remote witnessing or guidance during your in-house testing
- DATL program – Qualify your laboratories for internal cybersecurity testing
Choosing UL Solutions for your cybersecurity services
Working with an independent, trusted third party can help you:
- Increase confidence in product and system security
- Protect your brand and mitigate risk
- Validate cybersecurity to end customers
- Differentiate your products in the marketplace
- Demonstrate commitment to cybersecurity safety
The benefits of working with UL Solutions for cybersecurity include:
- Full life cycle support
- Industry knowledge
- Cybersecurity assurance
- Cybersecurity and safety