VA taps UL for medical device cybersecurity

Testing and science firm UL will help the VA with a plan to protect connected medical IT from cyberattacks.

Image from Shutterstock.com

The testing and safety firm Underwriters Laboratories is helping the Department of Veterans Affairs secure connected medical devices from cyberattack under a new agreement.

The agreement is being made under a technology transfer program called the Cooperative Research and Development Agreement Program. Under the deal, UL will offer its Cybersecurity Assurance Program to assist the agency's Office of Information and Technology with improving cybersecurity standards and practices for networked medical devices, medical device data systems and other IT systems and appliances.

"Vulnerabilities can arise from many different sources," Anura Fernando, the Global Principal Engineer for Medical Software and Systems Interoperability at UL, told FCW on June 16. UL is looking to work with VA on identifying those vulnerabilities in medical device software once the products are manufactured and provide a baseline cybersecurity hygiene platform.

The health care sector has been especially vulnerable to cyber attacks, in part because of applications like telemedicine and the use of connected devices. Part of the problem is that medical devices are durable by design, and can remain in use long after their underlying software goes out of support. Additionally, many were designed long before the cybersecurity threat facing institutions became so pronounced. And health records have proven to be especially attractive to identity thieves. Just this year, at least two major medical systems suffered ransomware attacks. 

"We really need to look at healthcare as part of our critical infrastructure," Fernando urged, stressing the importance of having "robust defenses in place" in order to protect systems from cyberattacks.

UL looks at the malware in products to determine what steps need to be taken in order for the medical devices to be effective and efficient for an agency like VA.

Last year, VA reported that the number of infected medical devices had decreased over time. But, since the agency still uses majority of legacy systems that have outdated software updates, there is no "silver bullet to flip the switch" on cybersecurity, Fernando said.  

The VA is not alone on this; DOD officials are attempting to establish security standards for buying medical devices as well. Richard Hale, DOD's deputy CIO for cybersecurity, has said that that it will take time to develop standards and it will be "painful for a while."

UL plans to wrap up the project with the VA by December of this year, and create a roadmap for the future on how to best move forward.