

Agency: Rising Threats Put Manufacturing Supply Chains, Patient Safety at Risk

FDA Urges Medical Product Makers to Beef Up OT Security

After years of pushing medical device makers to address the cybersecurity of their products, the Food and Drug Administration is now urging all medical product makers to carefully consider the security of their connected operational technologies, including their advanced and “smart” devices used in their manufacturing and supply chains.


Manufacturing infrastructures are vulnerable to ransomware and other cyberattacks as the industrial internet of things and smart technologies are becoming ubiquitous, the FDA said in a newly released white paper, “Securing Technology and Equipment – Operational Technology – Used for Medical Product Manufacturing.”

But these connected operational technologies “have historically been designed to prioritize consistent functionality over cybersecurity,” the FDA said.

“Consequently, it is sometimes difficult to tell what, when and where communications are happening which has the potential to increase the risk of a cybersecurity incident,” the FDA said. As cyberthreats rise, “manufacturing and supply chain attacks have the potential for even greater harm to patients, medical advancement and public health security,” the FDA said.

While not a formal FDA guidance document or a new regulatory mandate, the agency’s white paper advises medical product manufacturers to consider three main issues in OT security: technical information exchange, security standards and compliance, and security by design.

“To secure an industrial network, it is important to obtain visibility. Some connected hardware modules are embedded within other equipment and may be hidden from the end user,” the FDA said.

“Once all devices are fully understood, they can be logically arranged on the network to maximize infrastructure security. Implementing zone and conduit architecture with three tiers – presentation, application and data – greatly improves network security and overall network performance compared to a flat network where all devices share the same bandwidth,” the FDA said.
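The two FDA points above, knowing every device on the industrial network and then constraining which zones may talk to which over which conduits, can be checked mechanically. The following is an added example, not code from the FDA white paper or from any product it mentions: a small Python audit that maps hosts to the three zones the FDA names (presentation, application, data), defines the permitted conduits between them, and grades observed flows. The inventory, conduit table and flow records are all constructed for illustration; the IPs, ports and zone assignments are assumptions, not taken from the page.

```python
"""Added example (not from the FDA white paper): grade observed OT flows
against a zone-and-conduit policy and surface hosts missing from inventory.

Assumed, constructed inputs: a host-to-zone inventory, a conduit allow-list of
(source zone, destination zone) -> permitted (protocol, port) pairs, and flow
records in the shape "src,dst,proto,dst_port".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed inventory: every known OT host mapped to its zone.
INVENTORY = {
    "10.10.1.10": "presentation",   # operator HMI
    "10.10.1.11": "presentation",
    "10.10.2.20": "application",    # SCADA / historian server
    "10.10.2.21": "application",
    "10.10.3.30": "data",           # PLC / embedded controller
    "10.10.3.31": "data",
}

# Conduits, keyed by (initiating zone, destination zone). Only adjacent tiers
# may talk, and only over the protocols the plant actually expects. Ports are
# illustrative (443 TLS, 102 ISO-TSAP, 502 Modbus/TCP, 44818 EtherNet/IP).
CONDUITS = {
    ("presentation", "application"): {("tcp", 443), ("tcp", 102)},
    ("application", "data"): {("tcp", 502), ("tcp", 44818)},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


def parse_flow(line: str) -> Flow:
    """Parse one 'src,dst,proto,port' record; malformed lines raise."""
    src, dst, proto, port = line.strip().split(",")
    ipaddress.ip_address(src)  # validate addresses before trusting the line
    ipaddress.ip_address(dst)
    return Flow(src, dst, proto.lower(), int(port))


def zone_of(ip: str) -> Optional[str]:
    """Zone of a known host, or None for a device the inventory never saw."""
    return INVENTORY.get(ip)


def evaluate(flow: Flow) -> str:
    """Verdict: 'allowed', 'same-zone', 'violation', or 'unknown-host'."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        # The visibility gap the FDA describes: traffic from or to a device
        # nobody has inventoried cannot be placed in any zone.
        return "unknown-host"
    if src_zone == dst_zone:
        return "same-zone"
    # Conduits are directional by initiator; a flat network would have no
    # such table and every cross-tier flow would silently pass.
    permitted = CONDUITS.get((src_zone, dst_zone), set())
    return "allowed" if (flow.proto, flow.port) in permitted else "violation"


def audit(lines: List[str]) -> List[Tuple[str, str]]:
    """Pair each flow record with its verdict for the caller to alert on."""
    return [(line.strip(), evaluate(parse_flow(line))) for line in lines]


# Constructed flow records, not captured traffic.
SAMPLE_FLOWS = [
    "10.10.1.10,10.10.2.20,tcp,443",   # HMI -> SCADA over TLS: allowed
    "10.10.2.20,10.10.3.30,tcp,502",   # SCADA -> PLC Modbus: allowed
    "10.10.1.10,10.10.3.30,tcp,502",   # HMI straight to PLC, skipping a tier
    "10.10.2.21,10.10.3.31,tcp,22",    # SSH into a controller: no such conduit
    "10.10.3.30,10.10.3.31,tcp,502",   # PLC to PLC inside the data zone
    "10.10.9.99,10.10.3.30,tcp,502",   # source missing from inventory
]

if __name__ == "__main__":
    for record, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:13} {record}")
```

Run stand-alone, the script prints one verdict per flow. The `unknown-host` outcome is the one worth wiring to an alert first: it is exactly the embedded or hidden module the FDA warns about, and no conduit rule can protect a zone it was never placed in.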

The FDA urges medical product manufacturers to implement IT policies, practices and procedures that follow standards and guidelines recommended by the National Institute of Standards and Technology’s Federal Information Processing Standards and the Cybersecurity and Infrastructure Security Agency, along with “strict” network routing requirements.

“Unfortunately, many commercial off-the-shelf products may not natively comply with these security requirements and may need reconfiguration. Until these guidelines are industry standard practice, considerable vulnerabilities may be inherent in many OT configurations.”

The FDA’s urging for medical product manufacturers to enhance their efforts around OT used in their operations is not surprising considering the heightened cyberthreat landscape, some experts said.

“Clearly the shift by malicious hackers to target IoT/OT devices has brought new requirements to the lines of business, such as manufacturing, healthcare, physical security and other facilities, that are responsible for managing and securing such devices,” said John Gallagher, vice president at Viakoo, a provider of automated IoT cyber solutions.

The FDA white paper “has started to bring some valuable concepts from NIST and zero trust frameworks into the medical products supply chain, which will help strengthen their resilience to cyberthreats,” said James Maude, field CTO at security firm BeyondTrust.

But he cautioned, “It is important to recognize that security is a journey not a destination and we should be wary of products seeing any recommendations as a target or check box exercise rather than a bare minimum when it comes to security.”

The FDA’s heightened attention on the OT used by medical product makers follows the agency’s increasing scrutiny of medical device cybersecurity over the last decade. That includes issuing several non-binding guidance documents over the last 10 years containing cybersecurity recommendations for medical device makers covering both the pre-market and post-market phases of their products.

But perhaps most significantly, an omnibus funding bill signed into law in December 2022 granted the FDA greater regulatory authority over medical device cybersecurity. The expanded authority includes enabling the FDA to apply its “refuse to accept” policy to immediately reject premarket submissions for new devices due to a lack of cybersecurity details, including a software bill of materials (see: Inside Look: FDA’s Cyber Review Process for Medical Devices).

Feds to Push Wearable Health Devices

Meanwhile, on the other end of the health device spectrum, U.S. Department of Health and Human Services’ Secretary Robert F. Kennedy told a Congressional committee during a budget hearing on Tuesday that HHS plans to soon launch “one of the biggest advertising campaigns in HHS history” to encourage consumers to use wearable health and fitness devices.

“We think wearables are key to the MAHA agenda of Making Americans Healthy Again. My vision is that every American is wearing a wearable within four years,” he told the committee.

“It’s a way for people to take control of their own health. They can take responsibility. They can see what foods are doing to their glucose levels, their heart rates and other metrics as they eat it and they can begin to make good judgments about their diet, physical activity and the way that they live their lives,” he told the committee.