Medical devices supply chains 'facing cybersecurity storm'

Supply chain cybersecurity vulnerabilities are hitting medical-device manufacturers as they add ever more suppliers in order to mitigate disruption.

Stockpiling components to bypass supply disruptions is leaving companies’ supply chains open to cyber attack, a leading cybersecurity expert says, with medical-device manufacturing being especially vulnerable.

With supply disruption still widespread, many businesses are pre-ordering far more than they would typically store in normal times. Such over-ordering is driving many to seek alternative suppliers who can produce steady supplies. 

But when trusted and vetted suppliers are rapidly replaced, the risk of cyber threats and vulnerabilities significantly increases.

Guy Gilam is Head of Product Marketing at value chain cybersecurity specialist, Cybellum. He says that medical-device manufacturers are especially prone to supplier-bloat “because on-time production and delivery can be a question of life or death”.

Medical device supply chain a cyber risk

“Supply chain is already the weakest link in any organisation, even at the best of times,” says Gilam. “But for complex medical devices, where there is a multi-layered supply chain of hardware and software vendors? For them, changing suppliers, or adding to them, significantly increases the exposure to risk.”

He continues: “When a new supplier is onboarded, there is still trust to be built. With no previously existing relationship, there is an increased need for caution, especially when vetting the quality of the supplier’s products.” 

Gilam says that, in the US, companies must monitor suppliers for software vulnerabilities in order to meet strict Food and Drug Administration requirements for medical devices.

But the problem they face, he reveals, is that any time code is developed, or integrated from an open-source library, there is a possibility of an undiscovered flaw. 

“It’s critical organisations ensure components do not come with inherent vulnerabilities,” Gilam says. “Assessing this early in the development process is essential for secure product development, and for mitigating risk and minimising damage.”

He explains that one problem faced by supply chains is that today’s software “is not so much written as assembled”, and that this is why leveraging commercial and open-source software to create device functionality can also introduce potential vulnerabilities.

Such software challenges are part of the reason that, back in May 2021, the Biden administration issued an executive order to improve the nation’s cybersecurity.

Cyber-vet all suppliers, medical firms urged

Gilam’s advice to businesses looking for new suppliers is to first “validate their technology from a security point of view”. 

“You also have to track the results of this in order to identify reliable suppliers, and those who may be delivering faulty or vulnerable products,” he adds.

But this, he says, is easier said than done: “Verifying supplier components and product software is not easy. In many cases the source code isn’t readily available, and so visibility has to be attained through other routes, such as binary analysis that isn’t reliant on having the source code available.”

Whatever the difficulties, Gilam stresses that there is far too much at stake to trust any supplier when it comes to medical devices. 

“Do due diligence on every solution,” he says. “Having an assessment process will allow your organisation to combat the challenges of sourcing new suppliers without sacrificing security.”

 
