Advanced and smart technologies deployed in medical product manufacturing need to have cybersecurity embedded, says the Food and Drug Administration (FDA).
According to a white paper published by the agency, commercially available manufacturing equipment rarely meets national or international cybersecurity standards. Manufacturing infrastructure often involves several connected devices or Operational Technologies (OT), which have historically prioritized functionality over cybersecurity. In the paper, the FDA calls for a balance between functionality and cybersecurity.
Below, security leaders share their insights.
Security Leaders Weigh In
Ms. Nivedita Murthy, Senior Staff Consultant at Black Duck:
Hardware devices in general are tricky to embed security in, but not as complex. However, with medical devices the biggest challenge has been that the underlying devices and components included still use legacy ports and protocols to establish connections. These connections are usually unencrypted or allow users access to manipulate information. A lot of these devices communicate with each other using the old protocols, and to upgrade one component you need to ensure all others are upgraded to the latest secure protocol. To understand the size of this problem, one just needs to generate a hardware bill of materials of all components used in a medical device and look into the details of how varied it is in terms of producers and age.
With rapid advancement in digitalization, including in the medical industry, vendors need to remember that the old software world is gone, giving way to a new set of truths defined by AI and global software regulations. As an industry, there is a need to unleash innovation by defining new ways to manufacture these devices, keeping in mind security and technological advancements in the era of accelerating risk. Adhering to some of the standard network security best practices, as also required in FIPS standards, would go a long way in advancing and improving the security posture in this field.
Mr. Agnidipta Sarkar, Chief Evangelist at ColorTokens:
The first notable FDA guidance related to cybersecurity in medical devices was released in January 2005. The regulation has evolved over time and has rightfully focused on building cybersecurity, considering that the number of attacks continues to rise irrespective of increased investments. However, years later, not many have clearly understood that the regulation requires cybersecurity-by-design, and not just an expensive machine. The regulation expects enterprises to establish visibility, control unnecessary traffic, and ensure lateral movement between zones is controlled. Today, this is essential and urgent. There needs to be a clear focus on designing cybersecurity for medical devices in a manner that focuses upon breach readiness, by focusing on the effect of a cyberattack on the priority of saving lives by protecting critical assets and their communications.
Nathaniel Jones, Vice President of Threat Research at Darktrace:
As OT becomes more integrated with IT systems, it presents more opportunities for attackers. OT security is strongest when supported by robust IT security, requiring coordination between IT and OT teams to defend the entire network. By adopting good cyber hygiene, proactively securing your digital estate, and addressing any vulnerabilities before they can be exploited, organizations will be much better equipped to defend their networks against increasingly opportunistic threat actors.
John Gallagher, Vice President at Viakoo:
Clearly, the shift by malicious hackers to target IoT/OT devices has brought new requirements to the lines of business, such as manufacturing, healthcare, physical security, facilities, etc., that are responsible for managing and securing such devices. Compared to traditional manufacturing or physical security workers, employers will pay a premium in these departments in their race to secure their non-IT devices. As threats become more cyber-physical in their impact, faster incident response and forensics will drive employers to recruit security professionals who can operate outside of the traditional IT space.