When the Department of Veterans Affairs and the Food and Drug Administration wanted to add cyber rigor to medical devices they turned to a familiar name.
VA and the FDA worked with the Underwriter’s Laboratory (UL) to develop new standards and practical certification approaches for connected medical devices. UL is the same organization that makes sure Christmas lights, toaster ovens or many other electronics are safe and meet specific industry standards.
Through a cooperative research and development agreement, the three organizations demonstrated that the use of the UL 2900 Series of standards, related product testing and certification gave the VA greater confidence and assurance of the medical devices. The report, released last fall, detailed the findings and conclusions from the joint effort.
Paul Tibbits, VA’s executive director in the Office of Technical Integration, said the two-year initiative is part of the agency’s effort to ensure device manufacturers are doing more to “bake security” into their products.
“We wanted to raise the bar, if you will, on the expectations associated with medical devices and what we would expect manufacturers to comply with from a cybersecurity standpoint to help evolve and mature the overall cyber state of those devices,” said Gary Stevens, VA’s deputy chief information security officer, on Ask the CIO. “It’s the trust, integrity and consistency of the data exchange. It’s the precision of the information. It has to be valid. It has to be accurate. It has to be timely.”
Stevens said the use of connected medical devices is expanding rapidly with telehealth and telemedicine that the security environment must adapt more quickly. The medical device market is growing, by some estimates, at a 25% annual rate and could be worth more than $60 billion by 2023.
“These types of initiatives as well as aligning to common standards is all the more important so we can ensure the medical devices and the cybersecurity that gets overlaid on top of those is designed to facilitate the trust, integrity and consistency of the information,” he said. “This is a massive market and the devices are of varying complexities, size and scale. I think the scenario as it played out was how do you really tackle this problem and make something of sense and run it around a common standard?”
Criteria for manufacturers
As a result of this effort, Tibbits said UL will better align their 2900 standards to those from the National Institute of Standards and Technology and other organizations to further ensure industry is doing all it can to protect medical devices.
“Another benefit of this as a result of UL undertaking to do that with their own standards, they also are members of standard setting bodies like ANSI so through their membership they can actually further propagate those standards across industry,” he said. “VA, as a result of this, became a voting member of the UL standards setting body. From here on out, we can continue this ongoing collaboration so as federal policy evolves and as we learn more about cybersecurity, that can be reflected future modifications to those same standards.”
Additionally, Tibbits said UL developed criteria for manufacturers to meet to earn the certification. These include weakness and vulnerability scanning, evaluation of product source code, dynamic software testing and more.
“We view the endeavor as completely successful given the scope of what we intended to do. Ultimately what the impact on industry will be and if this will move industry in this direction and how quickly, remains to be seen,” Tibbits said.
Stevens added adopting standards is one important step, but not the only one that manufacturers and users have to take around pre-procurement, monitoring and implementation.
One of the conclusions from the report is the use of the UL standards improved how VA managed the risk of these devices.
“VA risk assessment processes that meet UL 2900-2-1 requirements can facilitate more directed and effective communication between VA’s contracting, biomedical engineering, IT and information security officers,” the report states. “This, in turn, helps ensure that minimum cybersecurity standards for medical devices are met. Utilization of the UL 2900 Series of Standards can reduce variation in compliance across VA’s 172 medical centers, allowing providers to more consistently meet specific healthcare needs in the field. In cases where local VA providers require variation, this could be explicitly understood, authorized and auditable, thereby improving supply chain efficiency.”
The research and report was the first step of a long process to get medical device manufacturers to adopt the UL standards.
So in the meantime, Stevens said VA is working with manufacturers to better understand how they are addressing cybersecurity as well as working with the FDA and the Department of Homeland Security.
In fact, the FDA and the Cybersecurity and Infrastructure Security Agency at DHS have been working together since 2018 when they signed a memorandum of understanding.
The Department of Health and Human Services and other agencies also work with the Health Information Sharing and Analysis Center to share information about vulnerabilities and connect the government and industry.
Internally, Stevens said VA is establishing processes to review device cybersecurity and how it interacts within the agency’s network.
“We are maturing the way we are able to manage the devices in our network. How we are able to get more relevant information, insight and visibility into the ongoing status of those particular devices,” he said. “It was a massive amount of work to make sure those medical devices were, in essence, segmented off from the network so those devices could do specifically what they were designed to do without any possible interactions with other network devices in the environment so we didn’t compromise them in any way. That also allowed us to ensure those devices could be singled out, monitored and managed in a much better way.”