Using Standards to Bolster Medical Device Cybersecurity
Anura Fernando of UL Describes Results of Recent Study With the VA
The use of new standards can help strengthen cybersecurity risk management of medical devices at the Department of Veterans Affairs as well as other healthcare organizations, says Anura Fernando of UL, which recently completed a study with the VA examining gaps in medical device cybersecurity approaches.
The Cooperative Research and Development Agreement (CRADA) report involving the VA and UL - the safety certification and consulting firm formerly known as Underwriters Laboratories - also examined practical certification approaches for connected medical devices.
The CRADA report examined medical device cybersecurity in the context of the VA, which delivers care to about 9 million veterans annually and has an installed base of 55,000 connected medical devices. But the report also provides lessons that could help the healthcare sector tackle challenges involving medical device cybersecurity, Fernando says in an interview with Information Security Media Group.
"The VA, as well as anyone else, needs to keep up with technology changes, as well as the infrastructure to support those technologies," Fernando says.
"What we learned through the course of the CRADA study is that there are new standards, such as UL 2900, that can be used to support the acquisition of medical devices and can be used to balance the relationship between the medical device vendor and the medical device purchaser's role in contributing to the overall security of the system," he says. "We've heard from a variety of stakeholders, including the Food and Drug Administration, that security is a shared responsibility."
The CRADA study, he says, "investigated the kinds of capabilities and limitations that can be disclosed about a medical device that's being purchased by an organization like the VA - based on testing, documentation, labeling and disclosures - that can help the purchaser to better integrate that system into their enterprise infrastructure."
Role of Standards
The UL 2900 Series of cybersecurity standards, which were published in 2016, can help create a baseline of cybersecurity hygiene, he points out.
"Users of those standards can make claims about minimum levels of security and declare they have certain encryption, authentication, authorization, patch management and decommissioning methods that span the whole lifecycle of the product," he says.
"When manufacturers can present those kinds of arguments, it's important to build a trust model around those claims. The UL 2900 provides test-based evidence that shows the cybersecurity posture of the product."
In the interview, Fernando also discusses:
- Top cybersecurity challenges for medical devices;
- The importance of healthcare sector cybersecurity information sharing as it relates to medical devices;
- Other findings from the CRADA study.
Fernando is chief innovation architect of medical systems interoperability and security at UL. He served on the Department of Health and Human Services' cybersecurity task force and was a member of several other federal advisory panels, including the FDA's Safety and Innovation Act working group and the FDA's Medical Device Interoperability Coordinating Council.