Industry faces increasing risk from both unintentional and malicious cyber threats, and an increasing sense of responsibility to protect against them. Cyber threats remain a high priority for medical technology companies, but questions persist about how and where to introduce security measures.
Now, UL says the process should be fairly painless and can be integrated into procedures that medtech companies are already following. UL has launched the Cybersecurity Assurance Program (CAP) to help companies prepare as cyber attacks become more sophisticated, harder to protect against, and more costly.
“Security has been part of UL’s focus as a key component of safety for decades,” says Anura Fernando, principal engineer for UL. The development of CAP was a response to the government identifying a need for a critical focus on healthcare and industrial-control infrastructure.
“We designed the program to address fundamental problems associated with cyber threats and provide an easy solution of procedures and tests to help increase risk controls.”
Designed in collaboration with The White House, the U.S. Dept. of Homeland Security (DHS) and other industry partners, UL CAP helps assure all devices are secure and meet the latest security standards.
UL cyber experts will help manufacturers, purchasers, and end users identify security risks in their products and systems through the use of UL’s new 2900 series of standards. The program provides methods for mitigating cyber attack risks through the development and maintenance of products with a security focus.
“Our main goal was to make the system seamless for manufacturers. We’ve intentionally gathered input to ensure the process is less burdensome than for some defense systems,” says Fernando. He says the program is designed to work alongside the risk management practices that manufacturers already have to complete to satisfy regulatory requirements. “Cybersecurity should be thought of as part of the normal risk management process,” he says.
Manufacturers do have to expect some changes to their processes. For example, many risks are introduced in the post-market environment, so companies have to treat patch management as part of the process. “The products on the market today are integrated with other devices, which adds complexity to risk management,” Fernando says. However, he also notes that this risk is not solely the burden of the manufacturer: “The whole supply chain has responsibility.”
The UL system “spans the process from initial design to integration into a healthcare system,” including how to handle identification data for patient protection, says Fernando. Some of the ideas UL addresses in its protocols include:
- Ensuring passwords aren’t hard-coded into the device.
- Introducing encryption where necessary and possible.
- Authentication.
- Language subsetting and programming constructs to avoid.
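As an added illustration of the first three items (not code from UL, the UL 2900 series, or this article), the following Python example contrasts a device that ships with a hard-coded password against one that verifies a per-device salted credential loaded from outside the code, using a constant-time comparison. It also includes a small source scanner of the kind a manufacturer could run in review to flag hard-coded credential assignments. The environment-variable credential store, the regular expression, and the sample source text are all constructed for this example.

```python
import hashlib
import hmac
import os
import re
import secrets

# --- Anti-pattern: the credential is baked into the firmware/source image ---
HARDCODED_SECRET = "admin123"  # constructed example; every unit would share this value


def verify_hardcoded(password: str) -> bool:
    """Weak check: one extracted image reveals the password for the whole fleet."""
    return password == HARDCODED_SECRET


# --- Hardened pattern: per-device salted hash stored outside the code ---
def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under a per-device salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def provision(password: str) -> dict:
    """Create the record a device would store at manufacturing/commissioning time.

    Returns the keys as they would appear in a protected config store; here a
    plain dict stands in for that store (assumption for the example).
    """
    salt = secrets.token_bytes(16)
    return {
        "DEVICE_ADMIN_SALT": salt.hex(),
        "DEVICE_ADMIN_HASH": hash_password(password, salt).hex(),
    }


def load_credential_record(env=os.environ):
    """Read salt and hash from the store; refuse to run if never provisioned."""
    salt_hex = env.get("DEVICE_ADMIN_SALT")
    hash_hex = env.get("DEVICE_ADMIN_HASH")
    if not salt_hex or not hash_hex:
        raise RuntimeError("device credential not provisioned")
    return bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def verify_hardened(password: str, record) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    salt, expected = record
    return hmac.compare_digest(hash_password(password, salt), expected)


# --- Detection: flag credential-looking names assigned a quoted literal ---
CREDENTIAL_PATTERN = re.compile(
    r'(?i)(pass(word)?|pwd|secret|api_?key|token)\s*[=:]\s*["\'][^"\']{4,}["\']'
)


def find_hardcoded_credentials(source: str):
    """Return (line number, stripped line) for each suspicious assignment."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if CREDENTIAL_PATTERN.search(line):
            findings.append((lineno, line.strip()))
    return findings


# Constructed source snippet for the scanner: lines 2 and 4 embed literals,
# line 5 reads the value from the environment and should not be flagged.
SAMPLE_SOURCE = """import requests
ADMIN_PASSWORD = "admin123"
timeout = 30
api_key = "sk-constructed-example"
password = os.environ["DEVICE_PASS"]
"""

if __name__ == "__main__":
    record = load_credential_record(provision("unit-specific-passphrase"))
    print("hardened accepts correct password:", verify_hardened("unit-specific-passphrase", record))
    print("hardened rejects wrong password:", verify_hardened("guess", record))
    for lineno, text in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"hard-coded credential at line {lineno}: {text}")
```

The scanner is deliberately simple (a single regular expression) and will miss credentials built by concatenation or stored in binary resources; it is meant as a review aid that complements, rather than replaces, the design-time controls the list above describes.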
Essentially, UL’s CAP “is intended to raise the baseline of security.” The key idea, says Fernando, is that medical device manufacturers should introduce cyber security by design.