Software Integrity Blog

Author Archive

Chris Clark


Chris is a 22-year veteran of the information technology world who draws on his experience in management, information systems, and cyber security to help organizations integrate meaningful security practices into their environments. Chris holds a master's in cybersecurity from the University of Maryland University College and has held numerous certifications throughout his career. He has worn many hats, including roles as project manager, director of information systems, hospital system CIO, and principal security engineer. Chris also participates in numerous standards bodies to ensure that effective security requirements are included in the development of future standards. He currently focuses on educating customers on how to minimize their cyber security risks, sharing his knowledge and experience in the hope of building a more cyber resilient future.

Posts by Chris Clark:


Building security into connected medical devices

What does cyber security mean for connected medical devices?

Recently, the U.S. Food and Drug Administration (FDA) announced that it formally recognizes UL 2900-2-1. The announcement follows the FDA's recognition last year of UL 2900-1, the first publication in the UL 2900 series of cyber security standards. UL 2900-2-1 is the first FDA-recognized consensus standard that sets specific criteria for cyber security testing of network-connected medical devices, and it supports existing risk-based methodologies.

What is the impact of the FDA's recognition of UL 2900-2-1?

While the FDA cannot mandate the use of a standard, its recognition has powerful implications for premarket notification (510(k)). Going forward, vendors seeking to submit a 510(k) should have artifacts that demonstrate their cyber security testing. Many organizations already perform some level of cyber security testing, but the recognition of UL 2900-2-1 will level, and hopefully raise, the bar for security testing. Indeed, some products may not be capable of achieving certification.

How long will it take before we see a shift in connected medical devices?

Industrywide use of UL 2900-2-1 will not happen overnight. It will take time for organizations to review and implement changes for current and future products. For many connected devices already in use, there is no effective means to update them if a vulnerability is disclosed. The shift toward more secure connected medical devices may be slow, but FDA recognition of UL 2900-2-1 is a critical step.

What's in the UL 2900-2-1 standard?

UL 2900-2-1 specifies requirements for network-connected medical devices but does not prescribe which testing methods to use. UL 2900-1 contains the core set of testing criteria needed to achieve UL Cybersecurity Assurance Program (CAP) certification (see below). Devices with patient safety impact may need to meet or exceed the testing parameters outlined in UL 2900-1. The manufacturer must define the criteria after considering both the standard and the product's risk factors.

Continue Reading...

Posted in Healthcare Security, Medical Device Security