Department of Veterans Affairs, UL partner on device security
The Department of Veterans Affairs and safety organization UL have developed a program for medical device security.
Officials of the organizations say the initiative addresses an existing gap in the marketplace for cybersecurity standards and certification for connected medical devices.
As the Internet of Medical Things shows increasing potential to impact patient care, boost efficiency and improve healthcare quality, the VA hopes to find solutions to secure large-scale IoMT device deployments to support critical care delivery for about 9 million patients under its care.
But maintaining these devices, and ensuring their resilience to cyber threats is difficult. To date, patching and reconfiguring devices to extend service lifetimes has resulted in devices with outdated and vulnerable software, the VA notes.
From 2016 to 2018, the VA and UL used the UL2900 Series of standards as a benchmark to identify critical cybersecurity vulnerabilities in connected medical device deployment and lifecycle management as well as create baseline cybersecurity requirements for medical device manufacturers.
"The VA and UL teams drove the exchange of information between public and private sector knowledge and approaches to patient safety and security," says Anura Fernando, chief innovation architect for Life and Health Sciences at UL. "This collaboration helped us uncover new insights and further accelerate the sharing of medical device cybersecurity information, standards and lifecycle requirements with the intention of benefitting not only the VA hospital system but also the larger U.S. healthcare system of providers and manufacturers."
As part of the project, a task group of VA, UL and public sector and private collaborators convened to address healthcare technology challenges by identifying security gaps between in-home and in-facility care, aiming to ensure product functionality. The VA and UL also demonstrated using ICU Medical’s Plum 360 infusion pump at a VA site in Tampa.
The task group worked closely for two years to test hypotheses and expand their knowledge of medical device cybersecurity. Key results of the effort included:
- Increased confidence among VA staff in ensuring product security, control design and post-market patch management support being offered by manufacturers.
- Improved compliance with UL enhanced endpoint security.
- Improved balance of network security controls.
- Enhanced allocation of cybersecurity resources.
- Improved pre-procurement product vetting and post-procurement product management.
“The report findings will help the VA ensure safety for its patient community while also serving as a model for how we can continue to drive innovation within the larger healthcare ecosystem,” says Marc Wine, director of technical integration support at VA.