May 19, 2020

Recent guidance published by the International Medical Devices Regulators Forum (IMDRF) that covers medical device cybersecurity best practices includes recommendations that manufacturers comply with the UL 2900 set of standards for network-connectable devices.

The IMDRF guidance cites UL 2900-1:2017 covering software cybersecurity for network-connected medical devices, as well as UL 2900-2-1:2017 for requirements particular to network-connectable healthcare and wellness system components. Both standards are included in the References section of the guidance.

The guidance covers six key recommendations for cybersecurity best practices:

  • Using risk-based approaches for design and development of medical devices;
  • Ensuring safety, performance and security of devices as well as their connected healthcare infrastructures;
  • Treating cybersecurity as a shared responsibility among manufacturers, healthcare providers, regulators and other stakeholders;
  • Issuing recommendations to stakeholders in order to minimize risks of patient harm across a device’s total product life cycle;
  • Establishing consistently defined cybersecurity terms as well as best practices for achieving and maintaining device cybersecurity;
  • Developing and promoting broad data sharing policies regarding cybersecurity incidents, threats and vulnerabilities.

Although adherence to IMDRF guidelines in and of themselves does not guarantee market access for device manufacturers, market regulators in the US, European Union, Japan and other jurisdictions are members of the organization and use it as a forum to drive global harmonization of regulatory expectations. Companies able to demonstrate that they meet IMDRF best practices for cybersecurity via certification to UL 2900 standards may leverage these certifications to help meet regulatory requirements from the US Food and Drug Administration and other medical device market oversight bodies, including some purchasers.

“Inclusion of UL 2900-1 and UL 2900-2-1 in the latest IMDRF guidance provides further evidence that these standards have become trusted indicators of cybersecurity risk management for connected devices,” says Anura Fernando, Chief Innovation Architect for Medical Systems Interoperability & Security at UL Life & Health Sciences.

“Following recognition of the UL 2900 standards by a number of individual countries, to support medical device manufacturers’ cybersecurity claims, the new IMDRF recognition should help drive even greater awareness of these standards among connected device manufacturers and regulators for establishing a common baseline of cybersecurity hygiene for medical devices across  international markets.”

Learn more about connected medical device cybersecurity regulations at Emergo by UL:

  • Cyber regulatory support for connected medical devices and technologies
  • Secure development lifecycle management of connected devices
  • Webinar: Mapping cybersecurity standards to US FDA guidance


  • Stewart Eisenhart