How The VA and UL Created an Orchestrated Approach to Healthcare Cybersecurity Assurance

The goal is to establish a baseline of cybersecurity hygiene and assurance for devices that are part of the national critical infrastructure software supply chain.

In 2015, a "Cyber UL" was called for by U.S. national security stakeholders, and a follow-up meeting among UL and multiple federal agencies was convened by the General Services Administration.

Anura Fernando

In 2016, the UL Cybersecurity Assurance Program was developed and endorsed by the U.S. Department of Homeland Security under the Cybersecurity National Action Plan (CNAP).

In 2017, UL 2900-1 and UL 2900-2-1 cybersecurity standards were published as National Consensus Standards. These Standards were subsequently recognized and adopted by the FDA, and then later by jurisdictions such as Health Canada, the Australian Therapeutic Goods Administration and the South Korean Ministry for Food and Drug Safety.

Origins of the UL/VA Relationship on Medical Device Cybersecurity

The Cooperative Research and Development Agreement (CRADA) between UL and the U.S. Department of Veterans Affairs (VA) grew out of discussions between the two organizations, which in turn stemmed from broader ongoing discussions within the U.S. Software Supply Chain Assurance Forum, hosted by the U.S. Department of Homeland Security.

The first objective of the CRADA was to openly exchange information about UL's and the VA's respective organizational approaches to patient safety and security in comparison to private sector healthcare delivery organizations (HDOs) and other industry stakeholder practices.

The UL 2900 Series of Standards is continuously updated so that it keeps pace with the changing security landscape. Incorporating any unique VA safety and security requirements into these Standards was therefore an important goal of the CRADA.

Another objective of the CRADA was to examine how standards-compliant product security controls might improve VA product procurement and deployment, and help establish a better technical and economic balance between reliance on product security controls and reliance on network security controls.

A CRADA Task Group comprised of VA, UL and external subject matter experts was assembled to discuss VA challenges such as:

  • Providing treatment in non-VA facilities, including in-home care
  • Coordinating connected technologies in emergency evacuation situations
  • Minimizing deprecated product functionality for FIPS 140-2 compliance
  • Reducing Veterans Health Administration (VHA) site-specific variations in product deployment and operation
  • Accelerating adoption of leading-edge equipment for new medical procedures

Marc Wine

Through examining these challenges, the Task Group established a shared understanding of UL Standards' requirements and product certification, as well as full product lifecycle security management processes relative to the VA product evaluation processes.

The group conducted weekly "cross-walk" discussions covering about 174 security requirements, correlating the UL 2900 Standards with VA Directive 6500 and Directive 6550. A capstone of the CRADA was a simulated "hacking" demonstration at a VHA site in Tampa, Florida, using a UL 2900 Certified medical device, an ICU Medical Plum 360 Infusion Pump.

CRADA Findings and Conclusions

At the conclusion of the CRADA, the Task Group determined the following:

  • VA's use of the UL 2900 Standards and product certifications would be helpful in accelerating the adoption of innovative healthcare technologies through improved pre-procurement product vetting and post-procurement product management.
  • The product development process assessment, product security control design evaluation and post-market patch management support offered by UL 2900 testing and certification went beyond the current VA pre-procurement risk assessment capabilities and practices that are sometimes dependent upon manufacturer responses to form questionnaires.
  • Mechanisms such as UL 2900 compliance and the MedFusion tool suite, which help balance reliance on network security controls against product security controls, would allow for improved allocation of security resources, letting the VA focus its limited resources on the most significant emerging threats to veterans' security and safety.

Development of the VA MedFusion suite of tools resulted from a VA pilot, separate from this CRADA, at the VA Medical Center in Long Beach, California. The VA's MedFusion pilot independently confirmed the CRADA findings related to the benefits of multiple cybersecurity tools working in orchestration.

In today's high-risk Internet of Medical Things (IoMT) and cyber-warfare environment, no single tool or single product line of cybersecurity solutions is likely to satisfy the security and safety requirements an HDO puts forward; this is why the VA assembled an aggregation of solutions, branded as MedFusion.
</gre_replace>
<gr_replace lines="45" cat="clarify" orig="The VA UL CRADA">
The VA UL CRADA found that the security and safety of connectable medical devices in healthcare is strengthened by defense in depth, which can be readily demonstrated through examples such as the integration of the MedFusion tools with devices certified to the UL 2900-1 and UL 2900-2-1 cybersecurity standards.

The VA UL CRADA discovered that healthcare is strengthened in terms of security and safety of connectable medical devices through in-depth cybersecurity defense, which can be readily demonstrated through examples such as the integration of MedFusion tools with the UL 2900-1 and UL 2900-2-1 cybersecurity standards.

By applying the VA and UL research results to product-level management of vulnerabilities and threats in medical devices and their associated software algorithms, we can improve the quality of adoption of electronic health records and other data collection systems connected to the IoMT and to consumers.

UL and the VA look forward to the lessons learned through the CRADA being disseminated across agencies, to help inform policies on establishing a baseline of cybersecurity hygiene and assurance for products that become part of the national critical infrastructure software supply chain.