The U.S. Department of Veterans Affairs (VA) and Underwriters Laboratories (UL), a global safety science organization, have announced a signed Cooperative Research and Development Agreement Program (CRADA) for medical device cybersecurity standards and certification approaches.
This CRADA project will support improvement of veterans’ patient safety and security through the use and verification of UL’s Cybersecurity Assurance Program (CAP). Working with UL, the VA’s Office of Information and Technology will refine existing and emerging standards and practices related to network connectable medical devices, medical device data systems and related health information technology. Both parties expect the project to accelerate the sharing of medical device cybersecurity information, standards and lifecycle requirements towards creating a safety certification framework for veterans.
Because medical devices are susceptible to cybersecurity attacks, creating both patient safety risks and disclosure risks for protected health information, the VA and UL will seek to address an existing gap in the marketplace for cybersecurity standards and practical certification approaches for connected medical devices. Historically, the ability to patch and reconfigure devices as well as very long service lifetimes results in devices with old, vulnerable software and presents challenges in defending medical devices against cybersecurity attacks.
CAP uses the new UL 2900 series of standards to offer testable cybersecurity criteria for network-connectable products and systems to assess software vulnerabilities and weaknesses, minimize exploitation, address known malware, review security controls and increase security awareness.
The CAP program was established with input from major stakeholders representing government, academia and industry to help vendors identify security risks in their products and systems, and suggest methods for mitigating those risks in a wide range of applications, including industrial control systems, medical devices, automotive, HVAC, lighting, smart home, appliances, alarm systems, fire systems, building automation, smart meters, network equipment and consumer electronics.
The CAP specifically addresses the U.S. White House Cybersecurity National Action Plan (CNAP), designed to enhance cybersecurity capabilities within the U.S. government and across the country. UL’s CAP services and software security efforts were recognized within the CNAP as a way to test and certify network-connectable devices used in the Internet of Things supply chain and ecosystems by critical infrastructures, such as energy, utilities and healthcare.
This CRADA project will be completed in December of this year.
For more information on the UL Cybersecurity Assurance Program, visit www.ul.com/cybersecurity.