FDA Adds UL 2900 for Medical Device Cybersecurity to List of Recognized Standards

EMERGO SUMMARY OF KEY POINTS:

• The US FDA has now officially recognized the UL 2900 cybersecurity standard for medical devices.
• UL 2900-1 covers general cybersecurity requirements for network-connectable devices.
• FDA medical device applicants may now declare conformity to UL 2900-1 in order to address cybersecurity requirements as part of their US market registration.

US medical device regulators have officially included a new cybersecurity standard from UL to their list of recognized standards for use in premarket reviews.

The UL standard, now published in the US Federal Register, is UL 2900-1 Ed. 1 2017, Standard for Software Cybersecurity Network-Connectable Products, Part I: General Requirements. The standard covers evaluations and tests of network-connectable devices in terms of vulnerabilities, malware and software weaknesses.

As Emergo previously reported, UL 2900-1 was developed to enable US medical device market registrants to demonstrate that their products meet pre- and post-market cybersecurity requirements found in FDA guidance. Now, FDA registrants may declare conformity to UL 2900-1 in order to address cybersecurity issues related to US market access.

Related FDA and cybersecurity information from Emergo

• US FDA 510(k) consulting support for medical device companies
• Medical device design, process and software validation support
• Regulatory consulting support for mobile medical and telehealth apps
• Webinar: Mapping cybersecurity standards to FDA guidance