Cyber Resiliency In Medical Technology Supply Chains

Insights ▸ Articles ▸ Staying Resilient: Cyber Resiliency In Medical Technology Supply Chains

Wearable devices are becoming increasingly important in clinical settings and monitoring our day-to-day health and activity. Given the sensitivity of the data, the cyber resiliency of medical devices must be robust and account for various factors and settings that may impact the efficacy of security controls and data privacy. This is particularly important in the context of wearables, from smartwatches to continuous glucose monitors, that are reliant on proper use by the user for their software to remain up to date and for network security.

When discussing the cyber resiliency of medical technology, we must consider two crucial aspects: the level of security of the device and the level of security concerning the transferring, processing, and storing of the data produced. In both situations, third-party suppliers are likely involved. Given that these aspects are critical to protecting personal data, how they are built and work as an ecosystem must be closely examined for potential threats to resilience. Protecting these value chains is as difficult, possibly more so, as dealing with other ‘stand-alone’ issues. Despite the risks, many companies do not prioritise the cyber resiliency of their supply chains or operational ecosystem.

According to the Cyber Security Breaches Survey 2022, 13% of businesses assessed the risks posed by their immediate suppliers, with 7% reviewing the risks posed by their wider supply chain. This lack of visibility into third-party risks is concerning when fewer businesses control their supply chain in a way that might have been commonplace 30+ years ago - by owning every step. The fragmenting of the market into numerous smaller, specialist players have been notable and makes it more critical for companies to take supply chain resilience seriously.

THREE STEPS TO HELP BUILD A CYBER-RESILIENT SUPPLY CHAIN

Organisations must elevate their approach to cyber risks to avoid damage to their operation.

1. Define clear ownership - A dedicated team to evaluate and reduce third-party or supply chain risk tends to be more successful – ensuring visibility isn’t lost, and fewer potential weaknesses arise.

2. Prioritise suppliers - Consider risk exposure-based factors when prioritising suppliers, including:

The products or services they provide
Access to data
Which regulatory requirements apply
If they have direct connectivity to systems

Highlighting the mission-critical suppliers is a crucial step. Take a risk-led approach to your supply chain, ranking suppliers in terms of the impact it would have on the business if something went wrong and prioritising interrogating and building resilience around them first. Companies need to orchestrate an internal discovery process to assess which third-party products exist within their environment, how they are produced and identify what aspects of the business they support.

3. Think ahead - Examine whether current contractual clauses are fit for purpose for the risk environment, not only for current regulatory compliance. Partners also need to be sought out to help anticipate future risks. Onboarding specialists can do this with continuous third-party risk management services.

Accountability

From a resiliency point of view, the environment in which devices operate is a second major factor; for example, gadgets like "smart" hospital beds or radiology equipment function in a highly controlled medical environment. However, technologies such as continuous glucose monitors or smartwatches are used in largely unmonitored day-to-day settings. Context is essential when evaluating these devices' resiliency and determining where legislators should focus on regulation.

Given many outside factors can generate gaps in security or privacy, device manufacturers have pushed back against being wholly liable for the resilience of their products. This brings the question of who is accountable for the security of medical technology. Medical device manufacturers must ensure that their devices perform in a specific manner within certain prescribed use parameters. They then need to recommend the conditions under which the buyer can most securely use the device. By leading this way, clinicians, users and eventually regulators will demand minimum standards or implement them de facto.

This picture will become even more complex when developers integrate ML and AI deeper within these devices. The necessary increase in connectivity and data transfer between devices and edge or core systems will create more potential weak points. Whilst many are already cautious about medical data being pooled for the sake of analysis, research, and in time, personalised health recommendations, devices with ML and AI embedded in them are inevitable. We must implement systems to account for this instead of playing catch up. Resiliency can only be assured once those involved fully understand the risks. A vulnerable supply chain can cause a ripple effect of damages and disruptions. Therefore, clear strategies to protect the "crown jewels" of patient data and critical systems are needed. Failure means delays in adopting digital health, which embeds advanced medical devices, and worsening public-health outcomes as a result.

This article first appeared in Med-Tech Innovation News.

Abel Archundia

Abel is the Chief Technology Officer of ISTARI. Abel's previous roles include head of IT and Digital Transformation for Bayer Pharma Division since 2017 and member of the Bayer Group IT Board. Before joining Bayer, Abel was Global CIO, Sandoz, a Novartis Division (2012-17) and Head of IT for Novartis Technical Operations, looking after manufacturing, supply chain and quality. He was a member of the Novartis IT Board.

What to read next

Back to Articles

12.2023 . Articles

The Future of DevSecOps: Emerging Trends in 2024 and Beyond

In the rapidly evolving landscape of software development and cybersecurity, the integration of security planning earlier in the software development life cycle has become paramount.

BY JD Sherry

12.2023 . Articles

Transforming Cyber Risk Management in the Supply Chain

When the CL0P ransomware gang from Russia (also known as TA505) exploited a zero-day SQL injection vulnerability to hack Progress Software's MOVEit Transfer app, it soon became evident that a significant number of organisations and…

BY Murali Aiyer
Supply Chain Cyber Risk

12.2022 . Articles

How We Used AI To Write An Article For Our Blog

We recently used AI to create an article for our newsletter. How did we do it?

BY Dr. Manuel Hepfer