The FDA now recognizes UL 2900-2-1 and UL 2900-1, the first guidance that sets specific criteria for cyber security testing of connected medical devices.
Recently, the U.S. Food and Drug Administration (FDA) officially announced that it formally recognizes UL 2900-2-1. The announcement follows the FDA’s recognition last year of UL 2900-1, the first publication in the UL 2900 series of standards for cyber security. UL 2900-2-1 is the first FDA-recognized guidance that sets specific criteria for cyber security testing of network-connected medical devices, and it supports existing risk-based methodologies.
While the FDA cannot mandate the use of a standard, its guidance has powerful implications for premarket certification (510(k)). Going forward, vendors seeking to submit a 510(k) should have artifacts that document their cyber security testing. Many organizations already perform some level of cyber security testing, but the adoption of UL 2900-2-1 will level, and hopefully raise, the bar for security testing. Indeed, some products may not be capable of achieving certification.
Industrywide use of UL 2900-2-1 will not happen overnight. It will take time for organizations to review and implement changes for current and future products. For many connected devices already in use, there aren’t any effective means to update them if a vulnerability is disclosed. The shift toward more secure connected medical devices may be slow, but FDA adoption of UL 2900-2-1 is a critical step.
UL 2900-2-1 specifies requirements for network-connected medical devices but does not specify which testing methods to use. UL 2900-1 contains the core set of testing criteria needed to achieve CAP certification (see below). Devices with patient safety impact may need to meet or exceed the testing parameters outlined in UL 2900-1. The manufacturer must define the criteria after considering both the standard and the product’s risk factors.
UL also runs the UL Cybersecurity Assurance Program (CAP), which offers certification: “Based on UL 2900-2-1, CAP provides a framework to ensure risks from known vulnerabilities and malware have been addressed through structured penetration testing, evaluation of product source code, and analysis of software bill of materials (SBOM). The program also assists manufacturers with managing compliance throughout the product lifecycle to meet FDA’s post-market cybersecurity expectations.”
The clear requirements outlined in UL 2900-2-1—particularly the one for 14-day patching from the discovery of a defect—will drive change in the medical device industry. An important aspect of security for connected medical devices is that manufacturers must continuously monitor for newly disclosed vulnerabilities. If they don’t know the full list of dependencies for a software package, it’s difficult to patch that software in the event of a security disclosure. For example, if a connection occurs over Bluetooth, you have to know which Bluetooth stack is in use before you can patch the correct one. While it is unclear how patching will work, the requirement is a wake-up call.
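The dependency problem described above can be made concrete with a small cross-check of a software bill of materials against a vulnerability feed. This is an added example, not code from the original post or from any UL or FDA material; the SBOM shape, component names, version ranges and advisory identifiers are all constructed placeholders. It shows why a shallow SBOM (only the manufacturer's own application) finds nothing to patch, while the complete SBOM, with transitive dependencies, reveals which Bluetooth stack and which TLS library are actually affected.

```python
"""Cross-check a software bill of materials (SBOM) against vulnerability
disclosures to find which components need patching.

Added example, not code from the original post or from UL/FDA material.
All SBOM entries and advisories below are constructed sample data with
placeholder identifiers; no real product, vendor or CVE is referenced.
"""


def parse_version(text):
    """Turn '2.3.1' into (2, 3, 1) so that versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def version_in_range(version, introduced, fixed):
    """True if version >= introduced and (no fix exists yet or version < fixed)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def flatten(sbom):
    """Yield every component, walking transitive dependencies recursively."""
    for comp in sbom:
        yield comp
        yield from flatten(comp.get("dependencies", []))


def affected_components(sbom, advisories):
    """Return (advisory id, component, version, fixed_in) for each match.

    fixed_in is None when the advisory has no fixed release yet, which is the
    case where a mitigation rather than a patch is needed.
    """
    hits = []
    for comp in flatten(sbom):
        for adv in advisories:
            if adv["component"] == comp["name"] and version_in_range(
                comp["version"], adv["introduced"], adv["fixed"]
            ):
                hits.append((adv["id"], comp["name"], comp["version"], adv["fixed"]))
    return hits


# Constructed advisory feed with placeholder identifiers (not real CVEs).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-0001", "component": "bt-stack-x",
     "introduced": "2.0.0", "fixed": "2.4.1"},
    {"id": "ADV-PLACEHOLDER-0002", "component": "tls-lib-y",
     "introduced": "1.0.0", "fixed": None},
]

# Shallow SBOM: only the manufacturer's own application, no dependency tree.
SHALLOW_SBOM = [
    {"name": "infusion-controller-app", "version": "5.2.0"},
]

# Complete SBOM: the same application with its transitive dependencies,
# including the Bluetooth stack the device actually links against.
COMPLETE_SBOM = [
    {"name": "infusion-controller-app", "version": "5.2.0", "dependencies": [
        {"name": "bt-stack-x", "version": "2.3.7"},
        {"name": "tls-lib-y", "version": "1.1.2", "dependencies": [
            {"name": "crypto-core-z", "version": "3.0.0"},
        ]},
    ]},
]

if __name__ == "__main__":
    print("shallow SBOM :", affected_components(SHALLOW_SBOM, ADVISORIES))
    print("complete SBOM:", affected_components(COMPLETE_SBOM, ADVISORIES))
```

Run against the same advisory feed, the shallow SBOM reports nothing while the complete one reports both affected components; the second hit has no fixed release, which is exactly the situation where a 14-day patching window forces a compensating control rather than an update.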
Risk-based decisions will also drive testing. For example, using UL 2900-1 as a guideline, a device under fuzz testing must recover functionality within two minutes. That is acceptable for a function handling network traffic, but not for a function that affects patient safety. Organizations must determine and present their testing methodologies and results based on their own risk assessments.
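The recovery-time criterion above can be applied per function rather than per device. The following added example (not code from the original post, and not part of UL 2900-1) evaluates a constructed fuzz-harness event log against a recovery budget chosen by risk class. The two-minute figure is the one the post cites; the ten-second budget for patient-safety functions, the function names and the log lines are assumptions made for this illustration.

```python
"""Judge fuzz-test recovery times against risk-based limits.

Added example, not code from the original post or from the UL 2900 text.
The 120-second limit is the two-minute figure cited in the post; the
10-second patient-safety limit and the event log are constructed for
illustration only.
"""
from datetime import datetime

# Recovery budget per risk class, in seconds.
RECOVERY_LIMITS = {
    "network": 120.0,        # two-minute figure cited in the post
    "patient_safety": 10.0,  # ASSUMPTION: stricter budget chosen for this example
}

# Constructed fuzz-harness log: timestamp, event, function under test, risk class.
SAMPLE_LOG = """\
2024-01-01T10:00:00 FAULT dicom_listener network
2024-01-01T10:01:30 RECOVERED dicom_listener network
2024-01-01T10:05:00 FAULT pump_rate_ctl patient_safety
2024-01-01T10:05:25 RECOVERED pump_rate_ctl patient_safety
2024-01-01T10:10:00 FAULT alarm_handler patient_safety
2024-01-01T10:10:04 RECOVERED alarm_handler patient_safety
2024-01-01T10:15:00 FAULT hl7_export network
"""


def parse_events(text):
    """Parse the log into (timestamp, kind, function, risk) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, func, risk = line.split()
        events.append((datetime.fromisoformat(ts), kind, func, risk))
    return events


def recovery_report(text):
    """Pair FAULT/RECOVERED events and judge each against its risk class.

    A fault with no matching RECOVERED event is reported as a failure with
    seconds=None: the device never came back within the test window.
    """
    open_faults = {}
    results = []
    for ts, kind, func, risk in parse_events(text):
        if kind == "FAULT":
            open_faults[func] = (ts, risk)
        elif kind == "RECOVERED" and func in open_faults:
            start, risk = open_faults.pop(func)
            seconds = (ts - start).total_seconds()
            limit = RECOVERY_LIMITS[risk]
            results.append({"function": func, "risk": risk, "seconds": seconds,
                            "limit": limit, "pass": seconds <= limit})
    for func, (start, risk) in open_faults.items():
        results.append({"function": func, "risk": risk, "seconds": None,
                        "limit": RECOVERY_LIMITS[risk], "pass": False})
    return results


def all_within_budget(results):
    """True only if every observed fault recovered within its risk budget."""
    return all(r["pass"] for r in results)


if __name__ == "__main__":
    report = recovery_report(SAMPLE_LOG)
    for r in report:
        print(f"{r['function']:<16} {r['risk']:<15} "
              f"{r['seconds']!s:>6}s / {r['limit']:.0f}s  {'PASS' if r['pass'] else 'FAIL'}")
    print("overall:", "PASS" if all_within_budget(report) else "FAIL")
```

Note that the 90-second recovery of the network listener passes while the 25-second recovery of the pump-rate controller fails: the same measurement is acceptable or not depending on the risk class of the function that was disrupted, which is the point the post makes about presenting results against a product-specific risk assessment.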
Our application security testing tools help you test your solutions throughout the software development life cycle so you can meet the requirements of UL 2900-2-1. If your team doesn’t have the expertise or bandwidth to address the new cyber security requirements, our experts can help. Learn more now: