The U.S. Department of Veterans Affairs (VA) and UL, a global safety science organization, announce the completion of a two-year Cooperative Research and Development Agreement (CRADA) Program for medical device cybersecurity. As medical devices are susceptible to cybersecurity attacks, creating both patient safety risks and disclosure risks for protected health information, the VA and UL sought to address an existing gap in the marketplace for cybersecurity standards and practical certification approaches for connected medical devices.

With the Internet of Medical Things (IoMT) revolutionizing patient care, increasing efficiency and improving healthcare quality, the VA aimed to find solutions for securing large-scale IoMT device deployments supporting mission-critical care delivery for roughly 9 million patients under its care. Historically, patching and reconfiguring devices to extend service lifetimes has resulted in devices with outdated, vulnerable software, presenting cybersecurity challenges, and in turn, greater patient risk.

Between 2016 and 2018, VA and UL used the UL 2900 Series of Standards as a benchmark to identify critical cybersecurity vulnerabilities in connected medical device deployment and lifecycle management as well as create baseline cybersecurity requirements for medical device manufacturers.

“The VA and UL teams drove the exchange of information between public and private sector knowledge and approaches to patient safety and security,” says Anura Fernando, chief innovation architect, life and health sciences, UL. “This collaboration helped us uncover new insights and further accelerate the sharing of medical device cybersecurity information, standards and lifecycle requirements with the intention of benefitting not only the VA hospital system but also the larger U.S. healthcare system of providers and manufacturers.”

As part of the CRADA project, a task group of VA, UL, and public and private sector collaborators convened to address healthcare technology challenges by identifying security gaps between in-home and in-facility care, ensuring product functionality for FIPS 140-2 compliance and accelerating the adoption of leading-edge equipment. The team also conducted a simulated “hacking” demonstration at a Veterans Health Administration (VHA) site in Tampa, Fla., using ICU Medical’s Plum 360 Infusion Pump, a UL 2900 certified medical device.

The task group worked closely for two years to test hypotheses and expand their knowledge of medical device cybersecurity. Key CRADA findings include:

  • VA’s use of UL 2900 Series of Standards and related product testing and certification can accelerate the adoption of innovative healthcare technologies through improved pre-procurement product vetting and post-procurement product management.
  • Testing and certification to UL 2900 provided VA staff greater confidence in the product development process, product security control design evaluation and post-market patch management support being offered by manufacturers.
  • Compliance with UL 2900 enhanced endpoint security and improved the balance of network security controls with product security controls, improving the allocation of limited cybersecurity resources toward priority threats to veterans’ security and safety.

“As the VA is dedicated to the safety and security of veterans, this report is reflective of two years of close collaboration among private and public sector experts in healthcare and cybersecurity,” says Marc Wine, director, technical integration support and industry liaison, U.S. Department of Veterans Affairs. “The report findings will help the VA ensure safety for its patient community while also serving as a model for how we can continue to drive innovation within the larger healthcare ecosystem.”