Veterans Affairs

VA taps UL for medical device cybersecurity

Image from

The testing and safety firm Underwriters Laboratories is helping the Department of Veterans Affairs secure connected medical devices from cyberattack under a new agreement.

The agreement is being made under a technology transfer program called the Cooperative Research and Development Agreement Program. Under the deal, UL will offer its Cybersecurity Assurance Program to assist the agency's Office of Information and Technology with improving cybersecurity standards and practices for networked medical devices, medical device data systems and other IT systems and appliances.

"Vulnerabilities can arise from many different sources," Anura Fernando, the Global Principal Engineer for Medical Software and Systems Interoperability at UL, told FCW on June 16. UL is looking to work with VA on identifying those vulnerabilities in medical device software once the products are manufactured and provide a baseline cybersecurity hygiene platform.

The health care sector has been especially vulnerable to cyber attacks, in part because of applications like telemedicine and the use of connected devices. Part of the problem is that medical devices are durable by design, and can remain in use long after their underlying software goes out of support. Additionally, many were designed long before the cybersecurity threat facing institutions became so pronounced. And health records have proven to be especially attractive to identity thieves. Just this year, at least two major medical systems suffered ransomware attacks. 

"We really need to look at healthcare as part of our critical infrastructure," Fernando urged, stressing the importance of having "robust defenses in place" in order to protect systems from cyberattacks.

UL looks at the malware in products to determine what steps need to be taken in order for the medical devices to be effective and efficient for an agency like VA.

Last year, VA reported that the number of infected medical devices had decreased over time. But, since the agency still uses majority of legacy systems that have outdated software updates, there is no "silver bullet to flip the switch" on cybersecurity, Fernando said.  

The VA is not alone on this; DOD officials are attempting to establish security standards for buying medical devices as well. Richard Hale, DOD's deputy CIO for cybersecurity, has said that that it will take time to develop standards and it will be "painful for a while."

UL plans to wrap up the project with the VA by December of this year, and create a roadmap for the future on how to best move forward. 

About the Author

Aisha Chowdhry is a former staff writer for FCW.


  • Cybersecurity
    CISA chief Chris Krebs disusses the future of the agency at Auburn University Aug. 22 2019

    Shared services and the future of CISA

    Chris Krebs, the head of the Cybersecurity and Infrastructure Security Agency at DHS, said that many federal agencies will be outsourcing cyber to a shared service provider in the future.

  • Telecom
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA softens line on looming EIS due date

    Think of the September deadline for agencies to award contracts under the General Services Administration's $50-billion telecommunications contract as a "yellow light," said GSA's telecom services director.

  • Defense
    Shutterstock photo id 669226093 By Gorodenkoff

    IC looks to stand up a new enterprise IT program office

    The intelligence community wants to stand up a new program executive office to help develop new IT capabilities.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.