FDA Urges Medical Device Manufacturers to Improve OT Security
The U.S. Food and Drug Administration (FDA) is urging medical device manufacturers to ensure the security of connected operational technologies due to the increasing threat to manufacturing supply chains.
Financially motivated threat actors and nation-state hacking groups are targeting supply chains, and ransomware attacks on hospitals, medical clinics, and critical infrastructure have become more pervasive in recent years. Attacks on manufacturers and supply chains pose a significant threat and could result in harm to patients, medical advancement, and public health security.
The FDA has previously focused on the cybersecurity of medical devices and now considers cybersecurity in premarket submissions for medical devices to ensure the devices can be secured for the entire product lifecycle. Now the FDA is warning medical device manufacturers that their manufacturing infrastructure can be particularly vulnerable to cyberattacks, especially due to the proliferation of connected devices, Industrial Internet of Things (IIoT) and smart technologies.
Operational technologies have historically prioritized consistent functionality rather than cybersecurity, which can leave systems vulnerable to cyberattacks. Device manufacturers may have a lack of visibility of systems and devices and be unaware of third-party components embedded within other equipment, which can easily result in vulnerabilities remaining unaddressed.
The FDA’s white paper – Securing Technology and Equipment (Operational Technology) Used for Medical Product Manufacturing – has been published to help medical device manufacturers improve the security of their operational technology and harden their defenses against hacking. The white paper is not an official guidance document and is not legally binding, and no regulatory changes have been made, but it does offer recommendations for improving the security of manufacturing operational technology.
The FDA recommends improving visibility of all systems, as only when all devices are understood can they be effectively secured. “Once all devices are fully understood, they can be logically arranged on the network to maximize infrastructure security. Implementing zone and conduit architecture with three tiers (presentation, application, and data) greatly improves network security and overall network performance compared to a flat network where all devices share the same bandwidth,” the FDA said in the white paper.
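The two recommendations above, an asset inventory and a zone and conduit architecture, can be turned into a simple audit. The following is an added example, not code from the FDA white paper or from HIPAA Journal: it checks a constructed set of observed network flows against a constructed inventory and a set of permitted conduits, and flags cross-zone traffic with no matching conduit as well as traffic from devices missing from the inventory. Zone names, addresses, ports and asset names are all illustrative assumptions.

```python
# Added example: zone/conduit policy check over a constructed inventory and
# constructed flow records. Anything not explicitly permitted as a conduit
# between zones is reported for review, as is any unknown device.
from dataclasses import dataclass

@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    port: int

# Constructed inventory: IP -> (asset name, zone). The three tiers mirror the
# presentation/application/data split described in the white paper.
INVENTORY = {
    "10.1.0.10": ("hmi-01", "presentation"),
    "10.1.0.11": ("plc-fill-line", "presentation"),
    "10.2.0.20": ("mes-app", "application"),
    "10.3.0.30": ("historian-db", "data"),
}

# Permitted conduits between zones (hypothetical); anything else is denied.
CONDUITS = {
    Conduit("presentation", "application", 443),
    Conduit("application", "data", 5432),
}

def zone_of(ip):
    entry = INVENTORY.get(ip)
    return entry[1] if entry else None

def check_flows(flows):
    """Return (src, dst, port, reason) for each flow that needs review."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz is None or dz is None:
            findings.append((src, dst, port, "unknown asset (not in inventory)"))
        elif sz != dz and Conduit(sz, dz, port) not in CONDUITS:
            findings.append((src, dst, port, f"no conduit {sz}->{dz}:{port}"))
    return findings

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.1.0.10", "10.2.0.20", 443),   # permitted conduit
    ("10.1.0.11", "10.3.0.30", 5432),  # presentation -> data, skips app tier
    ("10.9.9.9", "10.3.0.30", 22),     # device not in inventory reaching data tier
    ("10.2.0.20", "10.3.0.30", 5432),  # permitted conduit
]
```

Running `check_flows(SAMPLE_FLOWS)` reports the PLC reaching the data tier directly and the uninventoried device; in practice the flow records would come from firewall or NetFlow logs and the inventory from the asset discovery the FDA recommends.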
The FDA has created a case study for a digitally integrated manufacturing system based on its manufacturing and cybersecurity expertise, following National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS), Cybersecurity & Infrastructure Security Agency (CISA) guidelines, and strict network routing requirements. The FDA recommends following these standards and guidelines, and warns that many commercial off-the-shelf products do not comply with them in their default settings and often need reconfiguration to eliminate native cybersecurity vulnerabilities.
The white paper focuses on three categories: technical information exchange, security standards and compliance, and security by design, and aims to help medical device manufacturers strike the right balance between creating an easy-to-use and functional operating environment and protecting against as many threats as possible.