The U.S. Department of Veterans Affairs (VA) and Underwriters Laboratories (UL) have signed a Cooperative Research and Development Agreement Program (CRADA) for medical devices cybersecurity standards and certification approaches.
The CRADA mechanism was established as part of the Federal Technology Transfer Act of 1986 to encourage the creation of teams to solve technological and industrial problems for the greater benefit of the country. The project will support improvement of veterans patient safety and security through the use and verification of UL’s Cybersecurity Assurance Program (CAP).
As medical devices are susceptible to cybersecurity attacks, creating both patient safety risks and disclosure risks for protected health information, the VA and UL will seek to address an existing gap in the marketplace for cybersecurity standards and practical certification approaches for connected medical devices.Historically, the ability to patch and reconfigure devices as well as very long service lifetimes results in devices with old, vulnerable software and present challenges in the defense against cybersecurity attacks of medical devices.
Working with UL, the VA’s Office of Information & Technology will refine existing and emerging standards and practices related to network connectable medical devices, medical device data systems and related health information technology. Both parties expect the project to accelerate the sharing of medical device cybersecurity information, standards and lifecycle requirements towards creating a safety certification framework for veterans.
“Working together with the VA, we will contribute to industry-wide situational awareness of both medical device vulnerabilities and threats,” Anura Fernando, UL principal engineer for medical software and systems interoperability, said in a press statement. “We believe that this project will positively impact the direction that manufacturers take in improving the overall security posture of medical cyber assets.”
This agreement was reached soon after UL announced its new Cybersecurity Assurance Program (CAP) in April. CAP uses the new UL 2900 series of standards to offer testable cybersecurity criteria for network-connectable products and systems to assess software vulnerabilities and weaknesses, minimize exploitation, address known malware, review security controls and increase security awareness.
The CAP program was established with input from major stakeholders representing government, academia and industry to help vendors identify security risks in their products and systems, and suggest methods for mitigating those risks in a wide range of applications, including industrial control systems, medical devices, automotive, HVAC, lighting, smart home, appliances, alarm systems, fire systems, building automation, smart meters, network equipment and consumer electronics.
The CAP specifically addresses the U.S. White House Cybersecurity National Action Plan (CNAP), designed to enhance cybersecurity capabilities within the U.S. government and across the country. UL’s CAP services and software security efforts were recognized within the CNAP as a way to test and certify network-connectable devices used in the Internet of Things supply chain and ecosystems by critical infrastructures, such as energy, utilities and healthcare.
This CRADA project will be completed in December of this year.
