Cybersecurity 2900-2-1

The Medical Device Software Cybersecurity Standard

The world is growing more and more connected. In the field of medicine, this creates opportunities for better serving patients and achieving optimal health outcomes. However, it also creates risk: improper data management can make patient data available to potentially malicious third parties, and it can lead to inaccurate data, which gives patients and their care providers potentially harmful misinformation. Tackling these potential downsides requires comprehensive regulation. For medical devices, network-connectable healthcare systems, and associated health IT systems, the most important standard is UL 2900-2-1, and a range of other devices fall under the broader UL 2900-1 standard. Here are some of the ways UL 2900-2-1 and UL 2900-1 aim to help protect patients and medical entities.

Scope

While UL 2900 coverage is broad, UL 2900-2-1 is more specific. Medical and wellness devices are covered, as are accessories to medical devices. Medical devices are typically devices that have potential health implications for users, and this classification covers items ranging from relatively safe, such as dental floss, to essential for life, such as pacemakers and heart valves. Wellness devices, by contrast, simply promote a healthy lifestyle and include exercise equipment and fitness trackers. The standard also covers in-vitro diagnostic devices.

In addition, the standard covers medical device data systems, which connect to covered medical devices or are otherwise used in conjunction with them. These systems hold patient health information and might be used to convert information to other formats or standards. Hardware devices that display information are included in coverage as well.

Software is also covered under various parts of the standard. All software components related to medical device operation are covered, regardless of whether they are local or remote. Health information technology is covered, as is telemedicine in some use cases.

Is Better Cybersecurity Necessary?

Cybersecurity, in general, has improved over the years. However, bad actors have better tools than ever before. The intersection of cybersecurity and medical devices has been the source of concerning events in the past due to lax cybersecurity practices. In 2017, the FDA issued an alert that a pacemaker in use by more than 400,000 people could be accessed by unauthorized actors using easy-to-access devices. This occurred ten years after then-Vice President Dick Cheney had remote access to his pacemaker disabled to prevent potential assassination attempts.

Progress is often slow as well. Even though cybersecurity issues relating to various Medtronic implantable devices have been documented since 2013, recalls for some of their devices were still being issued as late as October of 2021. Small mistakes can cascade into larger problems, and encouraging better upfront security can help mitigate potentially disastrous outcomes.

Security Controls

At the core of effective cybersecurity management are security controls. Information must be accessible, but only to those with the correct permissions. UL 2900-2-1 provides guidance on implementing systems that only allow appropriate parties to access patient information. In addition, the standard focuses on ensuring data is stored securely so that access control cannot be bypassed, and it requires implementing appropriate incident response management to mitigate damage if information is accessed improperly.

Risk Assessment

At the core of UL 2900, along with UL 2900-2-1, is risk assessment. One of the challenges of cybersecurity regulation is the ever-changing nature of the threats faced. Those creating standards cannot simply enumerate a series of potential threats and require those seeking approval to check certain boxes. Instead, they must encourage a more proactive approach where those seeking approval must make a thorough assessment of the risks they’re likely to face based on current threats and threats that might come in the future.

Vulnerability Testing

While UL 2900-2-1 aims to provide guidance on developing secure systems, real-world experience has shown that even seemingly well-implemented systems might still have security holes. The UL 2900-1 standard, for example, requires testing for known vulnerabilities and system performance against malware. It also discusses more in-depth testing, such as sending malformed inputs to devices to see how they respond and analyzing software both in the form of source code and in the form of compiled binaries or bytecode. Penetration testing is included as well in an effort to close potential risk vectors as much as possible.

Is UL 2900-2-1 Required?

Meeting UL 2900-2-1 isn’t strictly required to gain FDA approval; however, it is considered a “consensus standard.” The standard can be used by device manufacturers to streamline approval for FDA clearance. Manufacturers can provide testing and declarations of conformity to decrease the time it takes for their device to hit the market. UL also offers security assessments and testing, including certification that can ease the process of approval.

Benefits to All Parties

Gaining regulatory approval for a new device is essential to ensure safety, but the process can sometimes become burdensome, making the cost of bringing a new product to market too high for would-be inventors and manufacturers. Regardless of how much regulation is optimal for device approval, having a transparent and comprehensible process eases unnecessary friction that doesn’t improve safety. Having a consensus standard provides a regulatory framework that, hopefully, optimizes both patient safety and privacy and a clear path from product development to use.

The standard also provides assurance to both medical care providers and their patients that devices meet rigorous cybersecurity standards. This trust alone can improve patient outcomes. If security leaks are common, patients and their care providers might be distrustful of new technologies even if they have clear advantages over older types of treatments. By ensuring high levels of security, regulators can help ensure that effective technologies reach the healthcare field in a timely manner.

Advances in technology have enabled methods of treatment and convenience previously inconceivable, and future advances in medical devices will continue to create new opportunities. However, effective cybersecurity is key to assuring patient health and privacy. Although cybersecurity standards for medical devices and related products will need to continue evolving over time, the UL 2900-2-1 standard should prove to be a useful cornerstone of ensuring the best results possible.