Healthcare Technology Cybersecurity

UL Solutions’ full suite of cybersecurity services is designed to help healthcare organizations manage their cybersecurity risks and validate their cybersecurity capabilities to the marketplace.

Cybersecurity in healthcare technology (healthtech)

The integration of advanced information technologies in medical devices has transformed the healthcare industry, resulting in dramatic improvements in the efficiency and effectiveness of healthcare and related services. But this integration has fostered the emergence of a new set of challenges for patients, healthcare providers and device developers and manufacturers. Today, the healthcare industry is a significant target for hackers and cybercriminals, potentially compromising private and confidential healthcare data and placing the safety and health of patients at risk.

UL Solutions offers guidance to manufacturers of medical devices and health and wellness products to help them navigate complex regulatory environments and meet critical patient needs. This is especially important for medical device cybersecurity because rapid innovation and regulatory changes are happening simultaneously. UL Solutions’ suite of cybersecurity services is designed to help healthcare organizations manage their cybersecurity risks and validate their cybersecurity capabilities in the marketplace.

Overview of Medical Device and Health IT Joint Security Plan

The Healthcare and Public Health Sector Coordinating Council (HSCC) cybersecurity working group, with participation from the U.S. Food and Drug Administration (FDA), developed the Medical Device and Health IT Joint Security Plan (JSP), now in its second version (JSP2), a total product life cycle reference guide.

The JSP2 was developed with the active participation of stakeholders from across the healthcare ecosystem, including representatives from both the public and private sectors, such as medical device manufacturers, healthcare IT vendors, healthcare providers and federal agencies. Contributors include regulators such as the FDA, industry groups and medical device manufacturers.

The principles outlined in the JSP2 are reflected in UL Solutions’ Medical Cybersecurity Assurance Program (CAP), which includes:

  • Life cycle approach: The JSP2 and CAP both emphasize the importance of managing cybersecurity throughout the entire product life cycle, maintaining continuous security from development to deployment.
  • Security integration: The JSP2 and CAP both advocate for integrating security into the design and development processes, promoting secure-by-design principles to provide robust protection from the outset.
  • Collaboration and communication: The JSP2's focus on stakeholder collaboration aligns with CAP's approach of involving various parties in the cybersecurity assurance process, fostering transparent communication and cooperative efforts.
  • Key cybersecurity concepts:
    a. Total product lifecycle: Developing, deploying, and supporting cyber-secure technology solutions within the healthcare environment.
    b. Design control: Building medical technology with adherence to cybersecurity standards and rigorous testing protocols.
    c. Risk management: Continuously assessing and responding to cybersecurity issues and events throughout the life cycle of medical technology.

These principles and concepts align the JSP2, an industry best practices document, with the requirements of ANSI/UL 2900-2-1, the Standard for Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems. This standard is an FDA-recognized consensus standard and has been adopted as a referenced consensus standard under several global regulatory schemes.

Aligning cybersecurity principles to key life cycle phases

The JSP2 integrates "secure-by-design" and "secure-by-default" principles throughout the total product life cycle of medical devices. By aligning these cybersecurity principles with key life cycle phases (as listed below), manufacturers can confirm that security is embedded at every stage.

1. Concept and planning
  • Security risk evaluation: This is a preliminary evaluation to identify any security threats and risks that might affect the device.
  • Regulatory/Standard compliance: This establishes a product’s security requirements in accordance with standards and regulations.
2. Design and development
  • Elicit design input requirements for security: Confirm that the product architecture considers secure design principles when making decisions.
  • Threat modeling: Perform threat modeling to understand and identify the device’s attack surface and design vulnerabilities.
  • Software requirements/secure coding standards: Define robust software requirements in accordance with secure coding standards to safeguard patient data and device functionality from vulnerabilities and other cyber risks.
3. Verification and validation
  • Security verification: Conduct rigorous testing to verify that security controls are implemented correctly and effectively.
  • Penetration testing: Perform penetration testing to identify exploitable vulnerabilities.
  • Secure configuration: Confirm the device is configured securely by default, with a minimal attack surface.
  • Security testing and validation: Implement security testing, including static source code analysis, to validate the product's security features.
  • Software evaluation: Explore all avenues of software vulnerabilities as an advanced penetration testing technique for fully evaluating the device's cybersecurity.
4. Deployment and implementation
  • Secure deployment: Implement secure deployment practices, such as access controls, to protect devices in clinical environments.
5. Maintenance
  • Incident response: Develop and implement an incident response plan to address and mitigate security breaches promptly.
  • Vulnerability management: Regularly update and patch devices to address known vulnerabilities and improve security posture.
  • Patch management: Stay informed about emerging threats and vulnerabilities to update security measures proactively.
  • End-of-support/end-of-life/decommissioning: Implement procedures for securely decommissioning and disposing of devices at the end of their life cycle to prevent data breaches and unauthorized access.
  • Continuous improvement: Establish a feedback mechanism to collect insights from users and all other stakeholders and continuously improve security practices.

Medical device cybersecurity with UL Solutions

Healthtech cybersecurity breaches are on the rise. Hackers and cybercriminals compromise confidential data and infiltrate medical devices. UL Solutions offers a full suite of services for medical device cybersecurity.

UL Solutions healthtech cybersecurity services at a glance

We will help you address your cybersecurity, data privacy and interoperability risks. Our services include:

Personnel competency training

  • Medical device cybersecurity
  • UL 2900 series of standards
  • IEC 81001-5-1
  • Medical device interoperability (AAMI UL 2800)
  • Custom medical cybersecurity training
  • Global cybersecurity regulatory landscape
  • Medical device security testing

Market access/regulatory support

  • Medical cybersecurity regulatory research
  • Cybersecurity strategic planning
  • Medical interoperability

Knowledge and guidance support

  • Guidance on standards, frameworks and requirements
    • ISO 13485 – For security in quality management systems (QMS)
    • ISO 14971 – For security in risk management
    • IEC 62304 – For security in software development lifecycle (SDLC)
    • IEC 82304
    • AAMI TIR 57 – Principles for medical device security – risk management
    • IEC 81001-5-1 – Security for activities in the product life cycle
    • UL 2900-2-1 – Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems
    • AAMI SW 96
    • AAMI SW 97
    • AAMI TIR 34971
  • Tailored cybersecurity knowledge support for addressing security through QMS, risk management (RM) and SDLC processes (knowledge contracts)

Laboratory services

  • Security testing
    • Generation of software bill of materials (SBOM)
    • Known malware testing
    • Malformed input testing
    • Structured penetration testing
    • Custom testing
    • Vulnerability scanning (including SBOM)
  • Gap assessment
    • UL 2900-2-1
    • IEC 81001-5-1
    • Manufacturer Disclosure Statement for Medical Device Security (MDS2)
  • Certification
    • UL 2900-2-1
    • IEC 81001-5-1
    • Data Acceptance Test Lab (DATL)
    • Firm registration (organizational process certifications to ISO 13485, ISO 14971 and IEC 62304/UL 2900-2-1)
  • Surveillance support
    • Vulnerability management support
    • UL 2900
    • IEC 81001-5-1
    • Performance management
    • Security capability maturity assessment and continuous improvement planning

Testing to healthtech cybersecurity standards for a variety of connectable devices

Our testing and certification services apply to, but are not limited to, the following types of connectable devices:

  • Medical devices and accessories
  • Medical device data systems
  • In vitro diagnostic (IVD) medical devices and accessories
  • Health IT devices
  • Wellness devices
  • Software as a medical device (SaMD), such as mobile applications, web applications, cloud solutions, etc.

Why UL Solutions for cybersecurity services in the healthcare industry?

UL Solutions has extensive expertise in cybersecurity, with a global network of IoT and operational technology (OT) security laboratories, and security experts and advisors with specialized expertise in global security standards, frameworks and best practices for the healthcare ecosystem. We help healthcare organizations to:

  • Define where they are in their cybersecurity maturity
  • Understand what they will need to do to develop more secure devices
  • Manage the digital identity of people and products
  • Improve internal cybersecurity capabilities and processes
  • Validate security built into their products throughout their life cycle
  • Communicate security features to differentiate products in the marketplace