Veterans Affairs

VA taps UL for medical device cybersecurity

Image from

The testing and safety firm Underwriters Laboratories is helping the Department of Veterans Affairs secure connected medical devices from cyberattack under a new agreement.

The agreement is being made under a technology transfer program called the Cooperative Research and Development Agreement Program. Under the deal, UL will offer its Cybersecurity Assurance Program to assist the agency's Office of Information and Technology with improving cybersecurity standards and practices for networked medical devices, medical device data systems and other IT systems and appliances.

"Vulnerabilities can arise from many different sources," Anura Fernando, the Global Principal Engineer for Medical Software and Systems Interoperability at UL, told FCW on June 16. UL is looking to work with VA on identifying those vulnerabilities in medical device software once the products are manufactured and provide a baseline cybersecurity hygiene platform.

The health care sector has been especially vulnerable to cyber attacks, in part because of applications like telemedicine and the use of connected devices. Part of the problem is that medical devices are durable by design, and can remain in use long after their underlying software goes out of support. Additionally, many were designed long before the cybersecurity threat facing institutions became so pronounced. And health records have proven to be especially attractive to identity thieves. Just this year, at least two major medical systems suffered ransomware attacks. 

"We really need to look at healthcare as part of our critical infrastructure," Fernando urged, stressing the importance of having "robust defenses in place" in order to protect systems from cyberattacks.

UL looks at the malware in products to determine what steps need to be taken in order for the medical devices to be effective and efficient for an agency like VA.

Last year, VA reported that the number of infected medical devices had decreased over time. But, since the agency still uses majority of legacy systems that have outdated software updates, there is no "silver bullet to flip the switch" on cybersecurity, Fernando said.  

The VA is not alone on this; DOD officials are attempting to establish security standards for buying medical devices as well. Richard Hale, DOD's deputy CIO for cybersecurity, has said that that it will take time to develop standards and it will be "painful for a while."

UL plans to wrap up the project with the VA by December of this year, and create a roadmap for the future on how to best move forward. 

About the Author

Aisha Chowdhry is a former staff writer for FCW.


  • Defense
    The U.S. Army Corps of Engineers and the National Geospatial-Intelligence Agency (NGA) reveal concept renderings for the Next NGA West (N2W) campus from the design-build team McCarthy HITT winning proposal. The entirety of the campus is anticipated to be operational in 2025.

    How NGA is tackling interoperability challenges

    Mark Munsell, the National Geospatial-Intelligence Agency’s CTO, talks about talent shortages and how the agency is working to get more unclassified data.

  • Veterans Affairs
    Veterans Affairs CIO Jim Gfrerer speaks at an Oct. 10 FCW event (Photo credit: Troy K. Schneider)

    VA's pivot to agile

    With 10 months on the job, Veterans Affairs CIO Jim Gfrerer is pushing his organization toward a culture of constant delivery.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.