Underwriters Lab researching medical device cybersecurity for VA

Underwriters Laboratories has inked a research deal with the Department of Veterans' Affairs to study the digital security of connected medical devices actually deployed in clinical settings, the first fruit of the venerable scientific safety standards outfit's campaign to become a cybersecurity baseline setter.

Underwriters Laboratories, Inc has signed a research deal with the Department of Veterans Affairs to study the digital security of connected medical devices actually deployed in clinical settings, the first fruit of the venerable scientific safety standards outfit’s campaign to become a cybersecurity baseline setter.

The Cooperative Research and Development Agreement, or CRADA, with the VA will give UL’s researchers the chance to observe digitally connected medical devices in use, and the data will aid the 122 year-old standards-setting for-profit develop an “end-to-end” picture of how best to manage the cybersecurity risks inherent in the coming internet of medical things.

“The VA is one of the largest hospital systems in the world,” UL Principal Engineer for Medical Software and Systems Interoperability Anura Fernando told FedScoop in an interview, noting that “they have a huge variety of clinical sites, each one very different … It is a really good environment to better learn about the risks” associated with the real-world deployment of connected medical systems.

For nearly a decade, security researchers have been identifying vulnerabilities in connected medical devices, like insulin pumps and pacemakers. Vice President Dick Cheney’s doctors famously disabled the wireless capabilities of his pacemaker, fearing that a would-be assassin might try to hack it.


But until now, security research has focused on finding theoretical vulnerabilities or weaknesses in an individual device — generally in a laboratory setting, rather than a real world deployment. Moreover, said Fernando, those weaknesses, once discovered, “may require mitigation or management at the system level” — meaning it would be hard to measure the effectiveness of mitigation outside of a real-world deployment.

While UL researchers will look “through the product lens,” said Fernando, the ultimate objective is “managing cyber risks across the whole continuum of care and the clinical workflow from end to end.”

“The lessons learned can be applied in the private [health care] sector,” he said, after the deal concludes in December.

The CRADA deal was “a first step” that will “set the stage for us to move … to other areas where research is needed,” Fernando said.

Some of the 122-year old UL’s earliest successes were connected with the emergence of electricity being piped to homes for the first time, said Fernando — creating a need for safety standards so that electrical appliances did not cause house fires. 


“We built a foundation of safety science,” he said. “We’re taking that model and applying it to cyber, building a comparable foundation” for today’s latest ground-changing technology.

Fernando also defended UL from charges that its cybersecurity assurance program lacked transparency, because it charges for its documentation.

“There are people out there who want everything to be freely available,” he said, “but the standards world doesn’t work that way. Developing these standards is expensive … All the other standards organizations” charge for their products

Contact the reporter on this story via email, or follow him on Twitter @WatermanReports. Subscribe to the Daily Scoop to get all the federal IT news you need in your inbox every morning at 

Latest Podcasts