Why UL and the VA Teamed up on Medical Device Cybersecurity

The U.S. Department of Veterans Affairs and UL have completed a two-year Cooperative Research and Development Agreement focused on medical device security. “This was a first-of-its-kind engagement,” said Anura Fernando, chief innovation architect of medical systems interoperability and security at UL. The collaboration took place from 2016 to 2018. 

The backstory behind the news dates back five years ago. Michael Daniel, then the White House’s national cybersecurity coordinator, said he was “intrigued” by the prospect of a UL-style organization focusing on cybersecurity in April 2015. Given UL’s history protecting critical infrastructure such as electrical networks and home wiring infrastructure and so forth, the idea was also compelling to executives at UL. And the organization would go on to create the underpinnings for such an organization. 

Also adding fuel to the effort was the 2015 announcement from the U.S. Office of Personnel Management that it was the victim of a cyberattack that exposed records of up to 4 million people. After that, the General Services Administration convened a variety of government agencies to discuss why breaches such as the OPM were a reality, despite the U.S. government’s history of following cybersecurity best practices and standards. UL executives were invited to the meeting, as well. 

“We concluded there was a fundamental need for repeatable, reproducible test-based standards that would generate objective evidence that could substantiate claims of security and recommend best practices to follow,” Fernando said. 

That conclusion motivated UL to create its cybersecurity-based 2900 standards to fill what Fernando described as an “open niche” in the standards landscape. “The UL 2900-1 standard had the general requirements that were intended to cut across critical infrastructure industry sectors,” he said. “And then UL 2900-2-1 was tailored for health care, in particular, being aligned with FDA guidance documents and things like that.” 

In the process of creating a seed document for the standards, UL executives sought input from a variety of organizations. “And as part of those precursor discussions, we engaged in a meeting with [The United States Department of Veterans Affairs] around the margins of the Software Supply Chain Assurance Forum,” Fernando said. 

The U.S. Department of Veterans Affairs, which cares for approximately 9 million patients, was looking for more effective strategies to manage its cybersecurity posture.  

One of the outcomes of those conversations between UL and the VA was the idea to launch a cooperative research and development agreement. “We launched the CRADA in part to solicit specific needs that were being seen for helping provide care to veterans — not only within the Veterans Health Administration facilities but also [for] telemedicine [applications].” 

The partnership with the VA also provided valuable feedback to UL as it began to move from drafting the standards to tapping the American National Standards Institute for consensus building. “Everything worked out really well from a timing point of view,” Fernando said.  

In 2017, the Food and Drug Administration announced it recognized the UL 2900-1 standard. A number of other regulatory agencies across the world, from Health Canada to South Korea’s Ministry of Science and ICT, also support the standard.

Another fortuitous event is that the medical device company ICU Medical contacted UL with the intent of receiving certification under the UL Cybersecurity Assurance Program. It ultimately became the first to do so. 

“Whenever you put a new standard out there, it’s great to have somebody see value in it and then step up and lead the market with it,” Fernando said. 

ICU Medical’s early involvement with UL led to the use of its Plum 360 infusion pump in a security control testing demonstration with UL at a Veterans Health Administration facility. The product, which met UL 2900 standards, also demonstrated its security controls were sufficient to thwart a variety of simulated attacks at a VA facility. 

In the long run, Fernando said he expects the CRADA to lead to cybersecurity gains at both the VA and across the U.S. health care system. In particular, such collaborations can help address concerns that have become apparent recently. Examples include the threat of cyberwarfare as well as ransomware targeting health care establishments. 

A decade ago, the topic of medical cybersecurity was research-oriented and non-adversarial. “We’re also looking at this from a cyberwarfare perspective and health care as critical infrastructure that could potentially be attacked,” Fernando said. “We are also looking at the threat of organized crime.” 

Added to the mix is the struggle of the broader health care ecosystem to reduce costs and take care of the aging population, which, in turn, has led to an uptick in interest in connected medical devices to help drive efficiency and to support at-home health care. 

Given these risks, the CRADA and the supporting UL 2900 standards are more pertinent than its architects could have imagined.