What does cyber security mean for connected medical devices?

Recently, the U.S. Food and Drug Administration (FDA) officially announced that it formally recognizes UL 2900-2-1. The announcement follows the FDA's acceptance last year of UL 2900-1, the first publication in the UL 2900 series of standards for cyber security. UL 2900-2-1 is the first FDA guidance that sets specific criteria for cyber security testing of network-connected medical devices and supports existing risk-based methodologies.

What is the impact of the FDA's adoption of UL 2900-2-1?

While the FDA cannot mandate the use of a standard, its guidance has powerful implications for premarket certification (510(k)). Going forward, vendors seeking to submit a 510(k) should have artifacts that document their cyber security testing. Many organizations already perform some level of cyber security testing, but the adoption of UL 2900-2-1 will level, and hopefully raise, the bar for security testing. Indeed, some products may not be capable of achieving certification.

How long will it take before we see a shift in connected medical devices?

Industry-wide use of UL 2900-2-1 will not happen overnight. It will take time for organizations to review and implement changes for current and future products. For many connected devices already in use, there aren't any effective means to update them if a vulnerability is disclosed. The shift toward more secure connected medical devices may be slow, but FDA adoption of UL 2900-2-1 is a critical step.

What's in the UL 2900-2-1 standard?

UL 2900-2-1 specifies requirements for network-connected medical devices but does not specify which testing methods to use. UL 2900-1 contains the core set of testing criteria needed to achieve CAP certification (see below). Devices with patient safety impact may need to meet or exceed the testing parameters outlined in UL 2900-1. The manufacturer must define the criteria after considering both the standard and the product's risk factors.