Project outcomes expected to boost medical device cybersecurity used in veterans care as well as U.S. healthcare system
NORTHBROOK, Ill., Oct. 16, 2019 /PRNewswire/ — The U.S. Department of Veterans Affairs (VA) and UL, a global safety science organization, today announced the completion of a two-year Cooperative Research and Development Agreement (CRADA) Program for medical device cybersecurity. As medical devices are susceptible to cybersecurity attacks, creating both patient safety risks and disclosure risks for protected health information, the VA and UL sought to address an existing gap in the marketplace for cybersecurity standards and practical certification approaches for connected medical devices.
With the Internet of Medical Things (IoMT) revolutionizing patient care, increasing efficiency and improving healthcare quality, the VA aimed to find solutions for securing large-scale IoMT device deployments supporting mission-critical care delivery for roughly nine million patients under its care. Historically, patching and reconfiguring devices to extend service lifetimes has resulted in devices with outdated, vulnerable software, presenting cybersecurity challenges, and in turn, greater patient risk. Between 2016 and 2018, VA and UL used the UL 2900 Series of Standards as a benchmark to identify critical cybersecurity vulnerabilities in connected medical device deployment and lifecycle management as well as create baseline cybersecurity requirements for medical device manufacturers.
“The VA and UL teams drove the exchange of information between public and private sector knowledge and approaches to patient safety and security,” said Anura Fernando, chief innovation architect, Life and Health Sciences, UL. “This collaboration helped us uncover new insights and further accelerate the sharing of medical device cybersecurity information, standards and lifecycle requirements with the intention of benefitting not only the VA hospital system but also the larger U.S. healthcare system of providers and manufacturers.”
As part of the CRADA project, a task group of VA, UL and public and private sector collaborators convened to address healthcare technology challenges by identifying security gaps between in-home and in-facility care, ensuring product functionality for FIPS 140-2 compliance and accelerating the adoption of leading-edge equipment. The team also conducted a simulated “hacking” demonstration at a Veterans Health Administration (VHA) site in Tampa, Fla., using ICU Medical’s Plum 360 Infusion Pump, a UL 2900 certified medical device.
The task group worked closely for two years to test hypotheses and expand their knowledge of medical device cybersecurity. Key CRADA findings include:
“As the VA is dedicated to the safety and security of veterans, this report is reflective of two years of close collaboration among private and public sector experts in healthcare and cybersecurity,” said Marc Wine, director, Technical Integration Support and Industry Liaison, U.S. Department of Veterans Affairs. “The report findings will help the VA ensure safety for its patient community while also serving as a model for how we can continue to drive innovation within the larger healthcare ecosystem.”
For more information on this CRADA for medical devices cybersecurity standards and certification approaches, read the full report here.
For more information on the UL Cybersecurity Assurance Program and the UL 2900 Series of Standards, visit UL.com/cybersecurity. For product testing, evaluation or certification questions, email ULCyber@ul.com.