EMERGO SUMMARY OF KEY POINTS:

• A medical device and healthcare networking cybersecurity standard from UL is being recognized by the US Food and Drug Administration.
• The UL 2900 set of standards will enable US medical device market registrants to assemble evidence to demonstrate proper cybersecurity features for their products.
• Tools to demonstrate compliance with FDA cybersecurity requirements should help device manufacturers and medical software developers in both pre- and post-market environments.

A set of standards published by UL to address medical device cybersecurity issues will soon be adopted by the US Food and Drug Administration to help manufacturers support security assurance claims.

The UL 2900 standards were developed as part of UL’s Cybersecurity Assurance Program (UL CAP) to provide manufacturers with testable and measurable criteria to assess medical device software vulnerabilities and security controls as well as identify security improvements. Included in the UL 2900 series of standards are:

• UL 2900-1: General requirements for software cybersecurity for network-connectable devices and products
• UL 2900-2-1: Particular requirements for network-connectable healthcare system components including medical devices and software
• UL 2900-2-2: Particular requirements for industrial control systems

ANSI adoption of UL 2900 already underway

Ahead of the FDA’s planned recognition of UL 2900, the American National Standards Institute (ANSI) has already granted consensus for UL 2900-1, and is in the process of adopting UL 2900-2-1 as well.

“UL 2900 provides device manufacturers with repeatable, reproducible tests that can provide objective evidence to support assurance claims regarding cybersecurity,” explains Anura Fernando, Principal Engineer, Medical Systems Interoperability & Security at UL. “UL CAP is based on the UL 2900 standard, and provides regulators and healthcare delivery organizations with certifications ensuring that standardized requirements for cybersecurity have been satisfied as part of a device’s premarket review and qualification.”

What FDA adoption of UL 2900 will mean for US registrants

Given pending adoption and implementation of the full UL 2900 set of standards for medical devices and software by ANSI and the FDA, how will US market registrants be impacted?

According to Fernando, UL 2900 requirements were developed in alignment with current FDA pre- and post-market cybersecurity guidance, as well as with ANSI Technical Panel guidelines; thus, the UL standards have been designed to support FDA regulatory submission processes.

“The FDA recognition process for UL 2900-1 has been completed, and a public announcement is anticipated in the next US Federal Register notice under List #47 of FDA Recognized Consensus Standards,” Fernando reports.

Manufacturers will be able to use UL 2900 certification to demonstrate that their devices meet regulatory requirements laid out in FDA pre- and post-market guidance, says Fernando.