Mitigating cybersecurity threats is increasingly difficult in today’s environment. Although there have not yet been patient injuries as a result of a cyberattack, this is a very real threat that medical device companies face as more products require connectivity within the home and the hospital setting. A program recently launched by UL aims to help device manufacturers mitigate such security risks in their devices and systems. Anura Fernando, principal engineer at UL, explains how the Cybersecurity Assurance Program (CAP), which was created with the help of The White House, the U.S. Department of Homeland Security (DHS) and other key industry stakeholders, will help device manufacturers up their cybersecurity hygiene game.
MedTech Intelligence: What are the goals of the Cybersecurity Assurance Program?
Anura Fernando: When we look at healthcare, more and more, it has significantly transitioned away from paper records to electronic health records. As those electronic capabilities have come into play, medical devices are also starting to provide data directly into those electronic health systems. The devices are starting to connect to each other, and the capabilities of those connected devices as a collective are becoming strongly leveraged. When we developed the UL Cybersecurity Assurance Program, we were thinking about that environment. It was that infrastructure that the U.S. government and others were concerned about protecting from the perspective of our national security, and from a broader perspective, the safety and security of law-abiding people around the world as malicious users and hackers are increasingly finding ways to penetrate into our lives. There were a lot of different activities emerging—various standards organizations and government agencies, etc. that were developing requirements and programs. But we noticed that there was a very specific area around testing and certification that hadn’t been addressed. We wanted to understand the current state of cybersecurity hygiene and what we could do to establish a baseline of cybersecurity hygiene that the industrial control sector and the healthcare and consumer sectors could use as a baseline of where they should be [at a minimum]. Once you start to meet the baseline, every manufacturer would strive to reach [their] highest potential in terms of security risk controls.
[The CAP] was driven significantly with government support in terms of agencies telling us their needs and through public-private partnerships with government agencies (i.e., The Software and Supply Chain Assurance forum was a big one), industry and academia. Our next phase is to go through a formal ANSI (American National Standards Institute) consensus process of balancing with multiple stakeholders to mature these requirements to the next level.
MTI: How well versed are medical device manufacturers in cybersecurity and ensuring that connected devices are secure?
Fernando: As with most industries, there’s a broad spectrum of security maturity across medical device manufacturers. There are very well established and experienced manufacturers of product portfolios that have been dealing with security issues for many decades and know well what they can do to improve their security posture. At the other end of the spectrum, there are [companies], for example, new entrants into the medical device space such as mobile medical app manufacturers, who may have never been involved in developing medical devices and are struggling to understand the challenges of getting into a heavily regulated market, and so security becomes, in some cases, a very small piece of all the things they have to deal with.
In addition to CAP’s testing and certification, [the program] gives us a level of engagement that helps us educate device manufacturers that are new to the space, or even those who have been within the space but haven’t understood some of the core security issues.
“As long as we know what the threat is out there, we can respond. It’s when we don’t know what the threats are or we don’t share information and understand what kind of risk controls we need to consider—that’s when we become weaker relative to the adversaries.” – Anura Fernando
MTI: How will UL’s 2900 series of standards help device manufacturers navigate the cybersecurity landscape?
Fernando: The requirements were developed to look at testability, repeatability and certification. The certification provides visibility across the healthcare continuum and the supply chain. Much like an architect might use UL directories to look for building materials, from the healthcare delivery perspective, hospitals and other healthcare delivery organizations can leverage this program to understand what products are out there that already have security baked in to take advantage of those security risk controls when they integrate those devices into a larger system and their IT networks. As device manufacturers provide completed devices to the hospital, [the series] provides tools by which they can start to understand what their supply chains look like. For example, if they’re using open source software, it’s very easy to lose sight of security vulnerabilities that are introduced into those supply chain dynamics. Part of what the UL CAP does is look at a software bill of materials from end to end. So as a device manufacturer, you may gain insights into the software components in your device that might get lost in the shuffle as you’re going through the product development cycle.
Also, there are some issues happening right now in the field where malware is getting out from production manufacturing facilities and into the environment. Helping manufacturers recognize when malware may have crept into their development process is another part of what the UL CAP does. Once the product is manufactured, that’s not the end of the story. Having a mechanism to patch and upgrade the software and make sure that those mechanisms are disclosed across the supply chain [keeps] product manufacturers engaged with the system integrator and healthcare providers. [This helps both parties] work together to recognize when new vulnerabilities and types of malware come out so they can collaborate more effectively to manage those changes. It is very much the intention of the UL CAP to find the path of least resistance to get manufacturers to start doing more of the right things to see and address vulnerabilities and [thus] raise the bar of cybersecurity hygiene.
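One concrete form of the end-to-end software bill of materials review described in the answer above, as an added example that is not part of the interview or of the UL program: a small Python check that matches the components listed in a constructed, simplified CycloneDX-style SBOM against a constructed list of component advisories, each carrying the version in which the issue was fixed. The component names, versions and advisory identifiers are all constructed placeholders, not real records.

```python
"""Cross-check an SBOM's components against known fixed-in versions.

Constructed sample data throughout; the SBOM shape is a simplified
CycloneDX-like JSON (assumption: only name/version/purl are used here).
"""
import json

# Constructed SBOM for a hypothetical connected device firmware build.
SBOM_JSON = """{
  "components": [
    {"name": "openssl", "version": "1.0.2k", "purl": "pkg:generic/openssl@1.0.2k"},
    {"name": "zlib",    "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
    {"name": "busybox", "version": "1.31.1", "purl": "pkg:generic/busybox@1.31.1"}
  ]
}"""

# Constructed advisory list: component name -> (first fixed version, advisory id).
# The advisory ids are placeholders, not real CVE numbers.
ADVISORIES = {
    "openssl": ("1.1.1", "ADV-PLACEHOLDER-001"),
    "busybox": ("1.31.1", "ADV-PLACEHOLDER-002"),
}


def parse_version(v):
    """Turn '1.0.2k' into a comparable tuple: numeric part as int, letter suffix kept.

    Plain string comparison would rank '1.10' below '1.9'; tuples compare correctly.
    """
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append((int(digits) if digits else 0, piece[len(digits):]))
    return tuple(parts)


def find_vulnerable(sbom_json, advisories):
    """Return the SBOM components whose version predates the advisory's fixed-in version."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        advisory = advisories.get(comp["name"])
        if advisory is None:
            continue  # no known advisory for this component
        fixed_in, adv_id = advisory
        if parse_version(comp["version"]) < parse_version(fixed_in):
            findings.append({"name": comp["name"], "version": comp["version"],
                             "fixed_in": fixed_in, "advisory": adv_id})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{f['name']} {f['version']} < {f['fixed_in']} ({f['advisory']})")
```

Only openssl is reported: busybox is already at the fixed-in version and zlib has no advisory, which is the distinction a patch-tracking process across the supply chain needs to make.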