The U.S. Department of Veteran Affairs (VA) and the global safety science organization Underwriters Laboratories (UL) have signed a Cooperative Research and Development Agreement Program (CRADA) for medical devices cybersecurity standards and certification approaches. As part of the Federal Technology Transfer Act of 1986, the CRADA mechanism creates teams to solve technological and industrial problems.

This CRADA project will support improvement of VA patient safety and security through the use and verification of UL’s Cybersecurity Assurance Program. Working with UL, the VA’s office of information and technology will refine standards and practices related to network-connectable medical devices, medical device data systems, and related health information technology. Both parties expect the project to accelerate the sharing of medical device cybersecurity information, standards, and lifecycle requirements toward creating a safety certification framework for veterans.

As medical devices are susceptible to cybersecurity attacks, creating both patient safety risks and disclosure risks for protected health information, the VA and UL will seek to address an existing gap in the marketplace for cybersecurity standards and practical certification approaches for connected medical devices. Historically, the ability to patch and reconfigure devices, as well as very long service lifetimes. results in devices with old, vulnerable software and present challenges in the defense against cybersecurity attacks of medical devices.

“Working together with the VA, we will contribute to industry-wide situational awareness of both medical device vulnerabilities and threats,” says Anura Fernando, UL’s principal engineer for medical software and systems interoperability. “We believe that this project will positively impact the direction that manufacturers take in improving the overall security posture of medical cyber assets.”

The CRADA project is slated for completion in December.