US FDA Recognizes New Cybersecurity Standard UL 2900-2-1

Author: Keith Handler | Date: February 7, 2019

What Does it Mean for the Medical Device Industry?

The ever-changing landscape of cybersecurity threats and hazards, including ransomware campaigns and remote vulnerability cracks, calls for medical device manufacturers to better prepare their products for lifetime security. Regulations are pushing manufacturers to ensure that their products stay secure long after they are taken off the shelf, all while keeping in mind that new cybersecurity risks might evolve.

This past June, the FDA subtly announced a change in 510(k) pre-market certification: the adoption of UL 2900-2-1 to streamline product review. UL standard developments have been a collaborative effort within the industry, most notably in conjunction with American National Standards Institute (ANSI) guidelines and FDA pre-market and post-market cybersecurity guidance. UL, or Underwriters Laboratories, maintains the 2900 series of standards for cybersecurity in network-connectable products. UL 2900-2-1 is specific to the healthcare and medical devices industry. This new standard, though not a mandate, provides a new guideline that could ultimately be the deciding factor in getting medical devices on the shelves and keeping them there.

Improved Cybersecurity Expectations

The framework offered by UL 2900-2-1 calls for a specialized cybersecurity team to create a mature cybersecurity system with a fully organized, holistic approach that complements the other standards found within UL 2900. Its recommendations for specific analysis and testing techniques include structured penetration testing, evaluation of product source code, and analysis of the software bill of materials (SBOM).

These tests provide evidence of the actions taken to mitigate cybersecurity vulnerabilities, malware, and software hazards. The expertise of cybersecurity specialists at Sterling, such as in cryptography and multi-platform environment development, ensures that they are well versed in the skills necessary to design and conduct these tests. Well-developed experience is especially necessary with the addition of more complex methodologies, including static analysis, software composition analysis (SCA), dynamic application security testing (DAST), and interactive application security testing (IAST).

Along with providing this framework, UL 2900-2-1 creates a comprehensive standard for reporting data and records of risk mitigation. The documentation of security controls, lifecycle security processes, and intended use is used for submission to FDA premarket review under the 510(k) Premarket Notification program.

Change Over Time: The New Cybersecurity Mentality

The need for improved cybersecurity standards has long been put off, despite the adverse consequences medical device companies have already faced from not adequately addressing possible hazards and risks. Global competitors are all now on the move to integrate these guidelines into their development process. However, seeing a clear change in the industry as a whole may take a few more decades. After all, many devices currently used to serve patients today are meant to last a lifetime. Thus, even as new products improve, it will take some time for these products to come into use.

Sterling’s intuitive quality system management and remediation services help medical device companies adopt these new standards in their product design and development, making the transition more efficient. You can learn more about Sterling’s cybersecurity, quality systems, and remediation services here.
