Medical Device Supply Chain Cybersecurity
Medical Device Manufacturers (MDM's) have a Responsibility to Mitigate Cyber Risk
According to the Food & Drug Administration (FDA) Medical device manufacturers (MDMs) and health care delivery organizations (HDOs) should take steps to ensure appropriate safeguards are in place for mitigating cyber risk.
Background
The FDA has published general guidance for supply chain organizations in the medical device market. There are responsibilities for vigilance in identifying risks and hazards associated with the medical devices including risks related to cybersecurity. In addition, Medical Device Manufacturers (MDM's) are responsible for putting appropriate mitigations in place to address patient risks and ensure proper device performance.
The list of guidance includes several white, papers, publications and regulatory guidelines for the MDM's to develop their device and cyber programs. These include, Playbook for threat modeling, Best practices for communicating Cybersecurity Vulnerabilities, NIST guidance on pre and post management of cyber security incidents, and strengthening Cybersecurity Practices. In addition to the FDA, the Healthcare Supply Chain Association (HSCA) published additional guidance and contract language for Manufacturers and Healthcare Delivery Organizations (HDO's).
Challenge
A MDM should develop a comprehensive Cybersecurity Program for their organization that enables cybersecurity best practices throughout the corporate function and development of products. The topics below as described in the HSCA publication are very standard practices that any manufacturing company should follow.
- Compliance with FDA guidance relative to Cybersecurity Risks
- Products should be free of known malware or other vulnerabilities
- MDM's should comply with all reasonable security practices for network and device security guidelines and best practices: FISMA, ISO, SANS, NIST
- MDM's should be able to resolve cybersecurity threats and vulnerabilities in a timely manner
- MDM's should follow Cybersecurity best practices such as ISO 27001, SOC II or NIST.
- Follow Vulnerability scoring standards and process to address both vulnerabilities and threats
- Apply security processes for access control, encryption and cybersecurity monitoring
Solution
Cytellix® has developed the only solution in the industry that can assess, identify and detect "known" and “unknown” threats in any environment, while providing complete threat, vulnerability and regulatory compliance visibility in real-time.
The Cytellix® Cyber Watch Portal (C-CWP™) was specifically designed to support supply chain organizations who have both regulatory obligations for cybersecurity and overall cyber threat, vulnerability and reporting obligations. Our multi-frameworks support for all standards based Cybersecurity including ISO, NIST, PCI, SOC II prepares MDM's to meet the obligations in cost effective and low friction process.
In case where a supply chain needs to be managed from a cybersecurity, compliance and vulnerability perspective, the C-CWP™ option to add our patented Cytellix® Executive Cyber Watch Portal (E-CWP) that enables complete visibility of the supply chain in a single pane of glass is a solution that is invaluable.
Advantages
By combining proactive compliance and risk management, situational awareness, threat detection, vulnerability management and incident response Cytellix® safeguards the entire organization.
Other key advantages include:
- Compliance with FDA guidance relative to Cybersecurity Risks (C-GRC™)
- Turnkey endpoint detection and response solution (C-EDR™)
- Security framework-based assessments, monitoring and reporting capabilities (NIST, ISO, PCI, GDPR, PCI, SEC, FDA)
- Real-time vulnerability management, industry standard scoring, reporting and Workflow
- 24x7x365 monitoring of threats and response solutions
- Guidance and best practices for security solution implementations - MFA, Encryption, Access Control
