As some manufacturers pivot to making in-demand medical supplies, devices and equipment, they face new cybersecurity challenges. Hackers stand ready to exploit any vulnerability. To succeed in the medical sector, manufacturers need to look closely at risks, adopt additional best practices and consider working with a trusted advisor already working in the medical arena.
Although manufacturers already deal with standards and best practices, medical manufacturing brings additional regulations.
“With medical device manufacturing, there are good manufacturing practices that regulators apply just as they do to finished products,” said Anura Fernando, chief innovation architect for medical systems interoperability safety and security at UL Life and Health Sciences. “The software and the platforms used will also be regulated. In the medical device world, the software has to be validated the same way as the medical device. That’s new for people transitioning into the medical sector from other sectors.”
Sending ideas and designs to new customers and vendors opens another vulnerability, said Akin Akinbosoye, director of cybersecurity at the public-private partnership MxD.
“The exchange of supply chain information typically is where some of the security challenges come in that people don’t think about,” he said. “In some cases, that file is directly loaded to a machine. That ends up being a vulnerability people have to think about.”
In general, manufacturing has not been recognized as a leader in cybersecurity, Fernando said.
“From a forest perspective, manufacturing has been one of the lesser-recognized domains for cybersecurity,” he said. “Manufacturing is more behind the scenes. It’s human nature to think about things that are right in front of you instead of the things that are behind the scenes. But attackers are used to thinking not about the thing right in front of their face but what’s behind the scenes that might be vulnerable. When hackers are looking to exploit the supply chain, they will target areas that are most vulnerable, like manufacturing.”
By moving into the medical sector, manufacturers may be positioning themselves as an attractive target. The health care/medical sector offers valuable information for hackers intending to gain financially or just create havoc.
“Healthcare infrastructure has assets that can be targeted by hackers with 10 times the value of the financial sector,” Fernando said.
Overall, the manufacturing sector is doing well in protecting data. But regarding production, there are vulnerabilities.
“In terms of how they relate to the security of data, manufacturers are probably as good as any other vertical,” said Ken Presti, research VP at Avant Research and Analytics. “Where they tend to fall off is, they don’t think so much about the security of their means of production. For example, they work toward robotics but they are not thinking about the security of those particular machines and devices as they should. Some of that thinking has to do with the fact that they haven’t been hit before. But the criminal element is looking at different ways of impacting companies, more than they used to.”
Often, manufacturers are using the same equipment they had in play before widespread internet adoption. No internet connection equals no perceived cyber risk.
More than 90 percent of manufacturers in the U.S. are small to medium-sized, with some more connected and dependent on internet technology and third-party services than others, said Wayne Austad, technical director, Cybercore Integration Center, at Idaho National Laboratory. By default, the smaller size of an operation can create a level of resilience.
For example, a small manufacturer with a single product line, a minimal amount of connected equipment and a trusted set of suppliers isn’t likely to have the same level of cyber risk as a large manufacturer with multiple product lines, lots of connected equipment and suppliers that change frequently, he said.
“Traditionally, manufacturers have been late to adopt technology,” MxD’s Akinbosoye said. “One reason is cost. If I have expensive equipment, even if it’s 40 years old, and it’s still producing what I need produced, why change it? You can’t try to secure what you don’t have.”
Most manufacturers moving to the medical sector aren’t so much making a pivot as they are making a sidestep. But these new applications may be much more regulated and also more vulnerable to hackers.
“Most of them are looking at moving toward areas at least tangentially related to what they’re already doing,” Presti said. “If you’re already building machinery, maybe you can do something along the lines of a respirator. Another example is someone in textiles moving toward making masks.”
Problems and risks arise as factories begin adopting new technology and exploiting the capabilities of existing technology—either to improve production of their existing line or to move into a new sector, such as medical.
“Some manufacturers don’t understand those technologies in terms of their capabilities and the potential of connectivity for these devices,” Akinbosoye said. “They believe their equipment is immune to cyber attack. They don’t realize what features exist. They just make limited use of those features to produce what they need to produce. Then they start to discover additional capabilities that they didn’t know existed: ‘I can connect this device to a computer or I can send instructions of CAD drawings from my computer to the equipment that I’ve owned for 20 years’.”
Medical products that have the potential for connectivity during use pose another cybersecurity concern, he said.
“Depending on the particular use case and what that particular product is intended to serve, part of the features of the product could be connectivity for whatever reason,” Akinbosoye said. “If this is a space the manufacturer hasn’t operated in before, it calls into question if they even know some of the associated risks in producing a product that potentially gives hackers a new way of interacting with customers, unknown to customers.”
Newly discovered or newly deployed connections open manufacturers up to risk. In the best case, they recognize that risk at the same time the connection is made.
“When they begin to make increased use of the capability of their equipment, that makes them aware of the increased attack surface that the equipment represents,” he said. “It leads to a shift in mindset. It becomes apparent to them that security needs to be part of the conversation moving forward. Manufacturers are playing catch up. As they march toward Industry 4.0, there’s a recognition that some of the capabilities represent benefits in terms of improved productivities. In the push to take advantage of those benefits, you have to secure that equipment.”
Organizations often focus on protecting a single resource that they regard as most valuable or critical, according to The 6-12 Security Report by Avant Analytics, released in March.
Protecting a single point of failure is important.
“You need to understand your most critical functions that would stop your line or put your business in danger,” Austad said. “If this particular machine is really important to producing this product or to your business viability, you should spend extra time monitoring that machine and be extra careful about cyber hygiene related to that machine. There’s a lot you can do with firewalls, monitoring and focusing on what is most important.”
But keep in mind there may be more than one way to reach that critical resource.
“They lose sight of the fact that the attackers merely need to access a vulnerable machine that has access to that critical resource, sometimes via multiple hops,” according to the Avant report. “Effective defense in this case requires a detailed look at how systems are connected.”
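The "detailed look at how systems are connected" that the Avant report calls for can be made concrete by mapping which hosts can talk to which, then enumerating every multi-hop route from an exposed host to the critical machine. The example below is added here and is not from the article or from Avant; the plant-floor host names, links and firewall rules are constructed for illustration.

```python
# Constructed connectivity map for a hypothetical plant floor: each key lists
# the hosts it can open connections to. A real map comes from firewall
# rule sets, switch configurations and passive traffic capture.
NETWORK = {
    "vendor-vpn":      {"eng-workstation"},
    "office-lan":      {"eng-workstation", "file-server"},
    "eng-workstation": {"file-server", "cnc-controller"},
    "file-server":     {"hmi"},
    "hmi":             {"plc-line1"},
    "cnc-controller":  {"plc-line1"},
    "plc-line1":       set(),
}
EXPOSED = ["vendor-vpn", "office-lan"]   # hosts an intruder could plausibly start from
CRITICAL = "plc-line1"                   # the machine that would stop the line

def attack_paths(network, sources, target, blocked=frozenset()):
    """Enumerate every simple (loop-free) path from an exposed host to the
    critical asset, ignoring links listed in `blocked` (our firewall rules)."""
    paths = []
    for src in sources:
        stack = [(src, [src])]
        while stack:
            node, path = stack.pop()
            for nxt in sorted(network.get(node, ())):
                if (node, nxt) in blocked or nxt in path:
                    continue          # link is firewalled, or would revisit a host
                if nxt == target:
                    paths.append(path + [nxt])
                else:
                    stack.append((nxt, path + [nxt]))
    return paths

def choke_points(paths):
    """Intermediate hosts present on every path; blocking at one of these
    severs all routes. An empty set means there is no single choke point."""
    if not paths:
        return set()
    common = set(paths[0][1:-1])
    for p in paths[1:]:
        common &= set(p[1:-1])
    return common

if __name__ == "__main__":
    found = attack_paths(NETWORK, EXPOSED, CRITICAL)
    for p in found:
        print(" -> ".join(p))
    print("single choke point:", choke_points(found) or "none")
    # Only rules at the asset itself cut every route in this map.
    rules = {("hmi", CRITICAL), ("cnc-controller", CRITICAL)}
    print("paths after firewalling the PLC:", attack_paths(NETWORK, EXPOSED, CRITICAL, rules))
```

On this map five routes reach the PLC and no intermediate host sits on all of them, which is the multi-hop situation the report describes; the check shows that a single rule on one link leaves routes open while rules on both inbound links to the PLC close them.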
In addition to risks of cyber attacks, manufacturers moving to the medical sector must adhere to Food and Drug Administration (FDA) compliance rules.
“Look at the FDA guidance,” Fernando said. The FDA has guidelines for software used to make medical devices, as well as pre-market and post-market guidance on cybersecurity, he said.
“In general, where people have challenges when they enter new domains is in looking at quality and interdependence,” Akinbosoye said. “The regulations are intended to create quality checklists. If you concentrate on the end function and quality, you’re going to help yourself through the compliance legalities.”
Take time to determine the most critical parts of the process and all the ways that failure can occur, he said.
No matter how urgent the need, this is not the time to rush.
“Spend time upfront on design, critical functions and critical interdependencies,” Austad said. “Design, implement and operate. Too often, because of market pressures, people may try to go into rapid implementation mode or think they can tweak existing operations. It doesn’t have to drag out for weeks or months. But that up-front thinking time is important.”
Find a trusted advisor, an agent or an integrator who is already in the field to help make the transition, Presti advised. “You need to work with someone who has experience in that particular technology, someone who knows how to leverage IT to what you’re trying to do.”
Overall, “the same level of rigor applied in quality control around the product and product software also needs to be applied to cybersecurity,” Fernando said.