Open any browser and type in the phrase medical device hacks and you’ll get over 15 million results. Not that the number of results directly reflect the actual number of incidents, it does demonstrate the scope of the problem – any connected device has the potential to be hacked (especially medical devices).
Until recently, recognized standards and guidance for medical device cybersecurity had been conflicted. Published guidance tended to not properly address true security concerns in healthcare environments with connected medical devices. That changed when the FDA adopted UL 2900-2-1 as a ‘consensus standard’ for premarket certification of connected medical devices.
UL 2900-2-1 is part of a larger set of documents developed with the input from multiple key stakeholders, and approved by the American National Standards Institute (ANSI). The standard primary addresses the need for cybersecurity in network-connected products and lays out a series of requirements to address the issue.
According to Gartner’s Hype Cycle for IoT Standards and Protocols, 2019, overall “adoption of the UL 2900 is nascent but rapidly growing,” however it provides needed guidance for cybersecurity in IoT related environments. The standard does not spell out a list of ‘how to’ steps for design and testing, but provides a structure for a solid proactive security stance. The clear message from the FDA is that failing to adequately address cybersecurity could keep your products off the shelf.
Safety and Security
The UL 2900 specification highlights various requirements to meet cybersecurity standards during multiple stages of a product lifecycle. Some organizations will need to augment their existing development processes with specific testing, analysis or review to help meet the demands of the newly adopted standard. However, a common organizational change reflects the need for a security organization that interfaces with product teams throughout their product lifecycle much the same as safety monitoring is handled today. This allows a company to build and mature a holistic security program that aligns accepted standards (UL 2900-2-1:2018 and others) with their internal development processes. This promotes development teams, along with the security organization, to discover and mitigate security risks throughout a product’s lifecycle.
Building security risk analysis and remediation processes into the full product lifecycle, just like continuously evaluating safety risk, is essential for achieving the desired result (a dependable, safe, and secure product). Establishing a holistic approach to medical device security as a new design parameter does not happen overnight. Organizational change and maturity require time, resources, and budget to accomplish.