FDA warns of public health risks from lax cybersecurity in medical product manufacturing, calls for stronger standards


The U.S. Food and Drug Administration (FDA) has released a white paper emphasizing the need to embed cybersecurity into the advanced and smart technologies used in medical product manufacturing. Modern manufacturing environments rely on a growing number of connected devices, known as operational technologies (OT), which were traditionally built for reliability rather than security. As a result, it can be difficult to determine what network communications are happening, when they occur, and where they originate, making it harder to detect and respond to cyber threats.

Commercially available manufacturing equipment often does not meet national or international cybersecurity standards by default. This shortfall demands deliberate system design and configuration. Incorporating cybersecurity into standard industry practices, regardless of company size, will significantly reduce risks to the U.S. medical product manufacturing sector and its supply chain.

In its white paper, ‘Securing Technology and Equipment (Operational Technology) Used for Medical Product Manufacturing,’ the FDA identifies a balance to be struck between creating an operational environment that is easy to use and one that secures operations against as many threats as possible. The white paper outlines key considerations across three categories: technical information exchange, security standards and compliance, and security by design. These practices are drawn from referenced guidance and shaped by the FDA’s hands-on experience with industry collaboration and the deployment of non-manufacturing operational technologies.

“Overemphasizing either security or ease of use can have serious ramifications to public health, patient access to care, availability of cutting-edge products, and pandemic preparedness,” it added. “Much like a quality assurance program, a strong cybersecurity process is one of the pillars that support the safe, effective, and reliable production of medical products.”

Data breaches and ransomware attacks on hospital systems and medical clinics have become more ubiquitous in the last few years, leading to significant efforts by HHS, other government departments, and the private sector to mitigate the damages and reduce the effectiveness of these attacks. As high-profile as these attacks are, manufacturing and supply chain attacks have the potential for even greater harm to patients, medical advancement, and public health security. FDA is developing policies, guidance, strategies, and regulatory science tools for OT security and supply chain resilience to meet its public health mission.

The FDA paper on medical product manufacturing identified that OT cybersecurity starts with awareness of the physical and digital landscape of each production line and the wider enterprise infrastructure. The manufacturing equipment, sensors, plumbing, and electrical systems that make up any production facility create the operational environment. Digital technologies and controls often connect to larger building, facility, or corporate networks that allow remote oversight and operation of production. A comprehensive understanding of all these elements and their connections is integral to creating a secure OT environment.

Operations environments can include almost any industrial asset managed by industrial control systems (ICS), such as programmable logic controllers (PLCs), remote terminal units (RTUs), intelligent electronic devices (IEDs), and distributed control systems (DCSs). These devices often must work continuously for months or years in potentially harsh or severe conditions. 

Consequently, many OTs were designed to prioritize consistent functionality over cybersecurity and did not anticipate the constantly connected, internet accessible conditions of modern industry. As such, they are more vulnerable to modern cyber threats such as distributed denial-of-service (DDoS) or vulnerability exploits. Moreover, it is sometimes difficult to tell what, when, and where communications are happening.

Organizations attempting to secure their industrial networks often face two major challenges: a lack of visibility and a lack of control. They often struggle to manage ICS and OT systems because they are embedded in larger networks, especially when using legacy technologies with complex communication requirements. This leads to a lack of visibility into what devices are on the network and how they interact, making it difficult to assess risk and implement effective security measures. Additionally, many devices initiate undisclosed or unchangeable connections, further reducing control. Without full knowledge of device communications, organizations cannot adequately secure their network environments.

The FDA followed cybersecurity expert recommendations, such as NIST Special Publications like Federal Information Processing Standards (FIPS 140-2 and 140-3) and NIST SP 800-82, CISA guidelines, and the strict network routing requirements used to safeguard networks. In the short term, it can be easier and tempting to make exceptions or set permissive network rules. However, this would create an unacceptable long-term cybersecurity risk for government networks and, similarly, for medical product manufacturing facilities.

The FDA white paper identified that many Commercial Off-the-Shelf (COTS) products may not natively comply with these security requirements and may require some reconfiguration to function. Even if it may not be current industry standard practice to comply with FIPS or similar security guidelines, the benefit of implementing them quickly and comprehensively can far outweigh short-term inconveniences. 

“Until these guidelines are considered industry standard practice, there may be considerable vulnerabilities inherent in many OT configurations,” it added. “The availability of security by default may change as industry demands security as a baseline for manufacturing excellence. Until then, FDA is using this recent experience as an opportunity to identify potential considerations, vulnerabilities, and risks that industry should be aware of when implementing and securing network-enabled and smart operational technologies.”

On technical information exchange, the FDA white paper identified that adopting connected and smart manufacturing systems often requires major equipment updates and integration of diverse hardware, software, and firmware from multiple vendors. Each component, including automated operations, sensors, and software, may incorporate various software packages, hardware versions, and firmware, many of which are not fully controlled by the main equipment vendor. This complexity makes it essential for integration teams to have detailed knowledge of all elements in use (e.g., via hardware and software bills of materials).

Special security considerations are needed for integration teams, especially temporary staff, including prompt removal of privileged access after deployment. Both vendors and manufacturer OT specialists need a thorough technical understanding of network traffic and compatibility with security standards before deployment starts. Proper alignment of software and infrastructure requirements can prevent conflicts and security gaps.

As manufacturing systems usually involve products from multiple vendors and sources, thoroughly mapping and understanding every OT component and its connections is vital. This approach enhances the deployment process and strengthens the overall security of the manufacturing network.

When it comes to security standards and compliance, the FDA noted that securing hardware and software is easier when clear, industry-wide standards and guidelines, such as FIPS, NIST SP-800, and IEC 62443, are followed. Federal agencies and other regulated organizations must comply with these standards, which provide a solid framework for protecting networks with connected OT systems. Although not all OT products come with built-in compliance, following these standards strengthens defense against cyber threats that can disrupt critical supply chains.

To ensure compliance, federal agencies require systems to undergo the Authorization to Operate (ATO) process, which involves security assessments, planning, and continuous monitoring. For cloud systems, the FedRAMP program ensures federal security requirements are met. 

The ATO process helps identify potential security impacts, compliance gaps, and necessary mitigation steps before systems become operational. Security scans and documentation reviews are used to uncover previously unknown risks, such as undocumented device communications. The findings from these assessments guide organizations and vendors in addressing vulnerabilities and achieving compliance.

Lastly, the FDA white paper emphasized security by design, highlighting the importance of building products, networks, and procedures with cybersecurity embedded from the start. Defining communication pathways and aligning with established standards streamlines deployment while strengthening overall security. Organizations, especially large ones with diverse needs, benefit from processes like change control boards (CCBs) to review shared resource changes and prevent unintended issues. As many critical services share resources, compromised OTs can create vulnerabilities, making it crucial for implementers to ensure all OTs meet current security standards.

If needed features are missing, businesses should request vendors to add required security capabilities and push for compliance with government or widely accepted standards. While this may seem burdensome, it reduces breach risks and reassures both customers and regulators. Creating an OT security plan requires understanding both cybersecurity practices and business needs to decide on appropriate protections. Federal systems demonstrate that adhering to FIPS, CISA guidance, and consensus standards enables secure and effective OT deployment.

In 2023, the FDA published final guidance establishing new cybersecurity requirements for cyber devices, including the information that a sponsor of a premarket submission for a cyber device must provide in its submission. The document also requires healthcare stakeholders to bring into their infrastructure cybersecurity provisions that cover software bill of materials (SBOM) and vulnerability disclosure reporting.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.
