US FDA Recognizes New Cybersecurity Standard UL 2900-2-1

Author: Keith Handler | Date: February 7, 2019

What Does it Mean for the Medical Device Industry?

The ever-changing landscape of cybersecurity threats and hazards, including ransomware campaigns and remotely exploited vulnerabilities, calls for medical device manufacturers to better prepare their products for lifetime security. Regulations are pushing manufacturers to ensure that their products stay secure long after they are taken off the shelf, while keeping in mind that new cybersecurity risks may emerge.

This past June, the FDA subtly announced a change to 510(k) pre-market certification: the adoption of UL 2900-2-1 to streamline product review. UL standards development has been a collaborative effort within the industry, most notably in conjunction with American National Standards Institute (ANSI) guidelines and the FDA's pre-market and post-market cybersecurity guidance. “UL” stands for Underwriters Laboratories, and the UL 2900 series of standards covers cybersecurity in network-connectable products. UL 2900-2-1 is specific to the healthcare and medical device industry. This new standard, though not a mandate, provides a guideline that could ultimately be the deciding factor in getting medical devices on the shelves and keeping them there.

Improved Cybersecurity Expectations

The framework offered by UL 2900-2-1 calls for a specialized cybersecurity team to create a mature cybersecurity system with a fully organized, holistic approach that complements the other standards in the UL 2900 series. Its recommended analysis and testing techniques include structured penetration testing, evaluation of product source code, and analysis of the software bill of materials (SBOM).

These tests provide evidence of the actions taken to mitigate cybersecurity vulnerabilities, malware, and software hazards. The expertise of cybersecurity specialists at Sterling, in areas such as cryptography and multi-platform environment development, ensures that they are well versed in the skills necessary to compose and conduct these systems. Well-developed experience is especially necessary with the addition of more complex methodologies, including static analysis, software composition analysis (SCA), dynamic application security testing (DAST), and interactive application security testing (IAST).

Along with providing this framework, UL 2900-2-1 creates a comprehensive standard for reporting data and records of risk mitigation. The documentation of security controls, lifecycle security processes, and intended use is used for submission to FDA premarket review under the 510(k) Premarket Notification program.

Change Over Time: The New Cybersecurity Mentality

The need for improved cybersecurity standards has long been put off, despite the adverse consequences medical device companies have already faced from not adequately addressing possible hazards and risks. Global competitors are all now moving to integrate these guidelines into their development processes. However, a clear change in the industry as a whole may take a few more decades. After all, many devices used to serve patients today are meant to last a lifetime. Thus, even as new products improve, it will take some time for them to come into use.

Sterling’s intuitive quality system management and remediation services help medical device companies adopt these new standards in their product design and development, increasing the efficiency with which this transition occurs. You can learn more about Sterling’s cybersecurity, quality systems, and remediation services here.
