May 19, 2020
Recent guidance published by the International Medical Device Regulators Forum (IMDRF) that covers medical device cybersecurity best practices includes recommendations that manufacturers comply with the UL 2900 set of standards for network-connectable devices.
The IMDRF guidance cites UL 2900-1:2017 covering software cybersecurity for network-connected medical devices, as well as UL 2900-2-1:2017 for requirements particular to network-connectable healthcare and wellness system components. Both standards are included in the References section of the guidance.
The guidance covers six key recommendations for cybersecurity best practices:
Although adherence to IMDRF guidelines does not in and of itself guarantee market access for device manufacturers, market regulators in the US, European Union, Japan and other jurisdictions are members of the organization and use it as a forum to drive global harmonization of regulatory expectations. Companies able to demonstrate that they meet IMDRF best practices for cybersecurity via certification to UL 2900 standards may leverage these certifications to help meet regulatory requirements from the US Food and Drug Administration and other medical device market oversight bodies, including some purchasers.
“Inclusion of UL 2900-1 and UL 2900-2-1 in the latest IMDRF guidance provides further evidence that these standards have become trusted indicators of cybersecurity risk management for connected devices,” says Anura Fernando, Chief Innovation Architect for Medical Systems Interoperability & Security at UL Life & Health Sciences.
“Following recognition of the UL 2900 standards by a number of individual countries, to support medical device manufacturers’ cybersecurity claims, the new IMDRF recognition should help drive even greater awareness of these standards among connected device manufacturers and regulators for establishing a common baseline of cybersecurity hygiene for medical devices across international markets.”
EMERGO SUMMARY OF KEY POINTS: