The U.S. Department of Veterans Affairs (VA) and UL (Underwriters Laboratories) announced a signed Cooperative Research and Development Agreement (CRADA) program to create medical device cybersecurity standards and certification approaches. CRADA was established as part of the Federal Technology Transfer Act of 1986 to encourage the creation of teams to solve technological and industrial problems for the greater benefit of the country. (See Figure 1)

Fig. 1 – The U.S. Department of Veteran Affairs (VA) and UL (Underwriters Laboratories) announced a signed Cooperative Research and Development Agreement (CRADA) program to create medical device cybersecurity standards and certification approaches.

This CRADA project will support improvement of patient safety and security for veterans through the use and verification of UL’s Cybersecurity Assurance Program (CAP). Working with UL, the VA’s Office of Information & Technology will refine existing and emerging standards and practices related to network connectable medical devices, medical device data systems, and related health information technology. Both parties expect the project to accelerate the sharing of medical device cybersecurity information, standards, and lifecycle requirements to create a safety certification framework for veterans.

Medical devices are susceptible to cybersecurity attacks, creating both patient safety risks and disclosure risks for protected health information. The VA and UL will seek to address an existing gap in the marketplace for cybersecurity standards and practical certification approaches for connected medical devices. Historically, the ability to patch and reconfigure devices, combined with very long service lifetimes, results in devices with old, vulnerable software and presents challenges in the defense against cybersecurity attacks of medical devices.

“Working together with the VA, we will contribute to industry-wide situational awareness of both medical device vulnerabilities and threats,” said Anura Fernando, UL Principal Engineer for Medical Software & Systems Interoperability. “We believe that this project will positively impact the direction that manufacturers take in improving the overall security posture of medical cyber assets.”

This agreement was reached soon after UL announced its new Cybersecurity Assurance Program (CAP) in April. CAP uses the new UL 2900 series of standards to offer testable cybersecurity criteria for network-connectable products and systems that assess software vulnerabilities and weaknesses, minimize exploitation, address known malware, review security controls, and increase security awareness.

The CAP program was established with input from major stakeholders representing government, academia, and industry to help vendors identify security risks in their products and systems, and suggest methods for mitigating those risks in a wide range of applications, including industrial control systems, medical devices, automotive, HVAC, lighting, smart home systems, appliances, alarm systems, fire systems, building automation, smart meters, network equipment, and consumer electronics.

CAP specifically addresses the U.S. White House Cybersecurity National Action Plan (CNAP), designed to enhance cybersecurity capabilities within the U.S. government and across the country. UL’s CAP services and software security efforts were recognized within the CNAP as a way to test and certify network-connectable devices used by critical infrastructures, such as energy, utilities, and healthcare.

This CRADA project will be completed in December of this year.

For more information, visit www.ul.com/cybersecurity .