May 19, 2020

Recent guidance published by the International Medical Devices Regulators Forum (IMDRF) that covers medical device cybersecurity best practices includes recommendations that manufacturers comply with the UL 2900 set of standards for network-connectable devices.

The IMDRF guidance cites UL 2900-1:2017 covering software cybersecurity for network-connected medical devices, as well as UL 2900-2-1:2017 for requirements particular to network-connectable healthcare and wellness system components. Both standards are included in the References section of the guidance.

The guidance covers six key recommendations for cybersecurity best practices:

  • Using risk-based approaches for design and development of medical devices;
  • Ensuring safety, performance and security of devices as well as their connected healthcare infrastructures;
  • Treating cybersecurity as a shared responsibility among manufacturers, healthcare providers, regulators and other stakeholders;
  • Issuing recommendations to stakeholders in order to minimize risks of patient harm across a device’s total product life cycle;
  • Establishing consistently defined cybersecurity terms as well as best practices for achieving and maintaining device cybersecurity;
  • Developing and promoting broad data sharing policies regarding cybersecurity incidents, threats and vulnerabilities.

Although adherence to IMDRF guidelines in and of themselves does not guarantee market access for device manufacturers, market regulators in the US, European Union, Japan and other jurisdictions are members of the organization and use it as a forum to drive global harmonization of regulatory expectations. Companies able to demonstrate that they meet IMDRF best practices for cybersecurity via certification to UL 2900 standards may leverage these certifications to help meet regulatory requirements from the US Food and Drug Administration and other medical device market oversight bodies, including some purchasers.

“Inclusion of UL 2900-1 and UL 2900-2-1 in the latest IMDRF guidance provides further evidence that these standards have become trusted indicators of cybersecurity risk management for connected devices,” says Anura Fernando, Chief Innovation Architect for Medical Systems Interoperability & Security at UL Life & Health Sciences.

“Following recognition of the UL 2900 standards by a number of individual countries, to support medical device manufacturers’ cybersecurity claims, the new IMDRF recognition should help drive even greater awareness of these standards among connected device manufacturers and regulators for establishing a common baseline of cybersecurity hygiene for medical devices across  international markets.”

Learn more about connected medical device cybersecurity regulations at Emergo by UL:

  • Cyber regulatory support for connected medical devices and technologies
  • Secure development lifecycle management of connected devices
  • Webinar: Mapping cybersecurity standards to US FDA guidance

Author

  • Stewart Eisenhart

Related

FDA Adds UL 2900 for Medical Device Cybersecurity to List of Recognized Standards

EMERGO SUMMARY OF KEY POINTS:

  • The US FDA has now officially recognized the UL 2900 cybersecurity standard for medical devices.
  • UL 2900-1 covers general cybersecurity requirements for network-connectable devices.
  • FDA medical device applicants may now declare conformity to UL 2900-1 in order to address cybersecurity requirements as part of their US market registration.
Read more

CRADA report from UL and US VA: Procurement as driver of medical device cybersecurity

US Department of Veterans Affairs test-drives UL 2900 cybersecurity standard for medical device procurement

Read more

What cybersecurity compliance support should look like for healthcare product developers

For healthcare product and medical device technology developers, ensuring effective support for c

Read more

Have questions on what Emergo can do for you?

CONTACT US