UL 2900 offers testable cybersecurity criteria for network-connectable products and systems
The US Food and Drug Administration (US FDA) announced the recognition of UL 2900, developed by UL, a global safety science company, as an FDA-recognised consensus standard for use in addressing medical device cybersecurity concerns in pre-market review submissions.
The FDA recognition of UL 2900 signifies that manufacturers now have a standard they can use to provide objective evidence that their devices meet FDA expectations for medical device cybersecurity.
Building on its 2014 pre-market guidance, the US FDA issued additional guidance in December 2016 – ‘Post-market Management of Cybersecurity in Medical Devices’ – that provided recommendations for managing the security risk of medical devices already on the market. Developed in close collaboration with regulators and industry stakeholders, UL’s recently recognised UL 2900 standard offers testable cybersecurity criteria to assess software vulnerabilities and weaknesses, minimise exploitation, address known malware, review security controls and increase security awareness for network-connectable products in development as well as devices currently on the market.
“UL 2900 is a comprehensive, evolving standard that will provide medtech manufacturers the advantage of incorporating cybersecurity features at the design stage itself. The acceptance of the UL 2900 standard by the US FDA reflects the growing importance of addressing cybersecurity parameters in evaluating the safety of medical devices, an additional dimension to the concept of safety itself. Despite the challenges in constantly updating the standard to reflect evolving risks, UL will continue to work with stakeholders to drive harmonisation and expect cybersecurity to follow a similar path to that of other globally harmonised safety standards,” says Jibu Mathew, Business Head, Life Sciences, UL.