The White House has recently issued alerts noting that many manufacturers suffer from disrupted supply chains, and rebuilding supply chains is a major priority. Some analysts are suggesting that many months, and perhaps years are likely to transpire before the chaos subsides.
Medical devices manufacturers are not excluded from this disruption. But pausing production until the supply chain is back entirely is not an option. Businesses need to keep production flowing, and that requires finding new suppliers. However, new and potentially less vetted suppliers bring with them new risks and the potential of introducing vulnerabilities and threats into the product or device lifecycle.
The weakest link
As recently reported in the financial press, many major healthcare manufacturers including Phillips and GE Healthcare are suffering from supply chain challenges. The delay of supplies has impacted their ability to meet production expectations for quantity and timelines. Failing to meet these expectations has impacted their bottom line, with noticeable fourth-quarter losses for these organizations.
Failure to deliver
In many cases, the supply line is backed up, due to delays in production or shipping. Even if the components are produced, they cannot promptly make their way to the next steps in the production line. This leads to companies having to pre-order far more components than they would typically store at any given time, to create a stockpile, and ensure their production chain is consistent.
This need for stockpiling or over-ordering, are driving many to seek alternative suppliers who can produce steady supplies. With new suppliers comes the added risk of new, untested components and the potential for new vulnerabilities.
This is where the challenges grow exponentially. When trusted and vetted suppliers are rapidly replaced or augmented, the risk significantly increases of cyber threats and vulnerabilities entering into the product or device lifecycle.
Supply chain issues are already one of the weakest links for an organization, even in the best of times. The challenges are not just in how they impact production capabilities, but also in how they affect the security of the final product. For any complex medical device, many layers of suppliers that provide hardware and software exist. The manufacturer who assembles these components into a final product has limited control and visibility of what’s in the various components or software, creating a huge risk for the final product and to its users. Changing suppliers only serves to increase their risk posture.
Vetting new suppliers
Sometimes the only way to circumvent a shortage is to find a different supplier to meet the requirements. This is especially important for medical devices where on-time production and delivery can be a question of life or death.
When a new supplier is onboarded, there is still trust to be built. With no previously existing relationship, there is an increased need for caution, especially when vetting the quality of the supplier’s products. It is imperative at this point to monitor for software vulnerabilities, which is vital for product security. This is the first step because in order to meet the strict FDA requirements for medical devices, it is critical to ensure that the components interoperate, are fault-tolerant, and do not come with any inherent vulnerabilities.
Vulnerabilities in code
Anytime code is developed or integrated from an open-source library, there is a possibility of an undiscovered flaw. Any device containing software can have errors in it or in the software libraries it utilizes. Assessing this early in the development process is essential for secure product development and for uncovering vulnerabilities as early as possible, to mitigate risk and minimize damage.
Today, software is more assembled than written, leveraging commercial and open-source software to create the core of the device functionality. These components, while expediting build time, also introduce potential vulnerabilities. For example, until recently the Log4j libraries were considered industry standards and safe open-source additions for logging functionality. In December 2021, these libraries were identified as having a remote code execution (RCE) vulnerability that received the maximum possible CVSS score of 10.0. On discovery, organizations worldwide scrambled to patch and contain this vulnerability before attackers could take advantage of it.
Commercial software is also not exempt from similar high-impact vulnerabilities. The Ripple20 library was also considered a relatively safe and industry-standard software component. Discovery of its vulnerable status left numerous devices open to attack.
The challenges with software components are part of what led to President Biden’s Executive Order to help improve software supply chain security through transparency. This order states that Software Bill of Materials (SBOMs) should be available to manufacturers, vendors, and consumers. The SBOM should contain criteria based on the National Telecommunications and Information Administration (NTIA) minimum elements, which include in-depth information about the software components, their versions and dependencies. With this information, organizations can track existing vulnerabilities and new vulnerabilities as they emerge.
Trust but verify
One of the first steps to be taken with a new supplier is to validate their technology from a security point of view. Tracking the results of this effort is critical to identify reliable suppliers and those who may be delivering faulty or vulnerable products. However, verifying the security posture of supplier components and product software is not easy. The source code isn’t readily available in many cases, so visibility has to be attained through other routes, such as binary analysis that isn’t reliant on having the source code available.
Not every vulnerability assessment tool can deliver accurate results. A reliable solution needs to understand the potential scope and accessibility of vulnerabilities discovered. This information will help to narrow down whether the vulnerability applies to your product. Using validation and testing tools to assess compiled code, is vital for guaranteeing a product’s security that does not provide direct code visibility.
There is too much at stake to trust the supplier when it comes to medical devices. It is crucial to make sure your due diligence is performed with the right solution. Implementing a complete assessment process with the right platform will allow your organization to combat the challenges of new suppliers without sacrificing security.