US FDA Recognizes New Cybersecurity Standard UL 2900-2-1

What Does it Mean for the Medical Device Industry?

The current ever-changing landscape of cybersecurity threats and hazards, amid ransomware campaigns and remotely exploitable vulnerabilities, calls for medical device manufacturers to better prepare their products for lifetime security. Regulations are pushing manufacturers to ensure that their products stay secure long after they leave the shelf, while anticipating that new cybersecurity risks will emerge.

This past June, the FDA quietly announced a change to pre-market certification under 510(k): the adoption of UL 2900-2-1 to streamline product review. UL standards development has been a collaborative effort within the industry, most notably alongside American National Standards Institute (ANSI) guidelines and FDA pre-market and post-market cybersecurity guidance. “UL”, or Underwriters Laboratories, publishes the 2900 series of standards for cybersecurity in network-connectable products; UL 2900-2-1 is specific to the healthcare and medical device industry. This new standard, though not a mandate, provides a guideline that could ultimately be the deciding factor in getting medical devices onto shelves and keeping them there.

Improved Cybersecurity Expectations

The framework offered by UL 2900-2-1 calls for a specialized cybersecurity team to build a mature cybersecurity program with an organized, holistic approach that complements the other standards within UL 2900. Its recommended analysis and testing techniques include structured penetration testing, evaluation of product source code, and analysis of the software bill of materials (SBOM).

These tests provide evidence of the actions taken to mitigate cybersecurity vulnerabilities, malware, and software hazards. The expertise of cybersecurity specialists at Sterling, for example in cryptography and multi-platform environment development, ensures that they are well versed in the skills needed to design and carry out these assessments. Such experience matters all the more as more complex methodologies are added, including static analysis, software composition analysis (SCA), dynamic application security testing (DAST), and interactive application security testing (IAST).

Along with providing this framework, UL 2900-2-1 establishes a comprehensive standard for reporting data and keeping records of risk mitigation. The documentation of security controls, lifecycle security processes, and intended use is used for submission to FDA premarket review under the 510(k) Premarket Notification program.

Change Over Time: The New Cybersecurity Mentality

The need for improved cybersecurity standards has long been put off, despite the adverse consequences medical device companies have already faced for not adequately addressing possible hazards and risks. Global competitors are now all moving to integrate these guidelines into their development processes. However, a clear change in the industry as a whole may take a few more decades to appear. After all, many devices currently serving patients are meant to last a lifetime, so even as new products improve, it will take time before they are adopted in practice.

Sterling’s quality system management and remediation services help medical device companies adopt these new standards into their product design and development, making the transition more effective. You can learn more about Sterling’s cybersecurity, quality systems, and remediation services here.

Need help with your medical device?

Let Vantage MedTech show how to bring your idea from concept to prototype to FDA/CE approval with a free custom project analysis.