Agency Warns: Manufacturing Supply Chains and Patient Safety Under Increasing Threat

In a significant move, the Food and Drug Administration (FDA) is compelling all medical product manufacturers to sharpen their focus on the cybersecurity of connected operational technologies, particularly concerning advanced devices integral to their manufacturing and supply chains. This shift comes after extended advocacy for improved cybersecurity among medical device creators.
The FDA has observed that manufacturing infrastructures are increasingly susceptible to ransomware and other cyberattacks, driven by the proliferation of the Industrial Internet of Things (IIoT) and smart technologies. The agency set out these concerns in a recently published white paper titled “Securing Technology and Equipment – Operational Technology – Used for Medical Product Manufacturing.”
The report highlights that connected operational technologies were historically designed for consistent functionality, often at the expense of robust cybersecurity measures. As a result, discerning the timing and nature of communications within these systems can pose challenges, elevating the likelihood of cyber incidents. As threats escalate, the agency warns that attacks targeting manufacturing and supply chains hold the potential for severe repercussions on patient safety, medical innovation, and public health.
While the FDA’s white paper does not constitute formal guidance or regulatory changes, it advises manufacturers to focus on three core areas for enhancing operational technology security: the exchange of technical information, adherence to security standards and compliance, and integrating security into design processes. The FDA emphasizes the importance of visibility in securing industrial networks, where hardware modules can often be obscured within existing equipment, making them harder for end users to identify.
The report suggests that achieving a comprehensive understanding of device connections is critical for enhancing network security. By implementing zoned architectures that categorize devices into presentation, application, and data layers, manufacturers can significantly improve their infrastructure’s security posture compared to conventional flat networks.
The FDA recommends that manufacturers adopt information technology policies aligned with standards set forth by the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA), establishing stringent network routing protocols. However, many off-the-shelf products may not meet these security parameters without significant reconfiguration, which could lead to inherent vulnerabilities in operational technology setups.
Experts have noted that the FDA’s newfound urgency surrounding operational technologies mirrors the broader landscape of rising cyberthreats. John Gallagher, vice president at Viakoo, remarked that the shift of malicious actors toward IoT and operational technologies necessitates that manufacturing, healthcare, and security sectors adapt their strategies accordingly.
Moreover, the FDA’s vigilance regarding operational technologies reflects a decade-long commitment to enhancing medical device cybersecurity, which includes issuing multiple guidance documents. Most notably, legislation passed in December 2022 expanded the FDA’s regulatory authority over medical device cybersecurity, empowering the agency to reject premarket submissions for devices lacking sufficient cybersecurity details, such as a software bill of materials.