A primary goal of companies producing complex instruments is to reduce the cost of manufacturing their products, without compromising quality.
Step-change cost reductions
Time to market with adequate quality is the primary focus of companies launching first-of-kind products. Once established and growing in the market, the focus may shift to adding customer valued features and reducing cost. A major focus for companies with fast following next-generation designs is reliability and functionality. At the same time, the contract manufacturing (CM) design team can apply value engineering and design-for-manufacturing analysis to provide additional cost reductions that can be integrated seamlessly with the product’s new feature.
Incremental cost reductions
Incremental cost reductions are generally achieved by having a CM partner who routinely reviews the bill of materials (BOM) using its experience to identify parts that could be:
Sourced through lower cost supply chains
Re-designed to continuously reduce the manufacturing costs. This approach requires a contract manufacturer that is not just motivated to identify cost reduction opportunities, but is technically capable to assess and implement cost reduction changes. It is also beneficial for the product company to be proactive in supporting product modifications and provide incentives that share the benefits.
I recommend that the manufacturer take the following steps:
Do not install anti-virus software. Dramatic as this may sound, the likelihood of a malicious executable targeting the CPU architecture and operating system of this instrument is extremely low. But if clients do request anti-virus software (perhaps for marketing reasons), engage security experts to develop it, as commercial products for this architecture are not readily available.
Install a software firewall for the TCP/IP stacks provided by the Wi-Fi and Ethernet access points. Only the TCP and UDP ports necessary for communication with the manufacturer’s cloud-based information system will be open.
Only connect the instrument to Wi-Fi networks that are securely encrypted. We strongly recommend that end-users use the Ethernet connection during installation wizard.
Remove all non-essential Linux tools and programs (for example, bash shell and telnet) from the deployed root file system.
Run the application software in user mode limiting access to system functions.
Give each instrument a unique root user password, which is automatically generated during manufacturing and recorded only on the manufacturer’s internal network.
The only encryption keys to be stored on the instrument are public keys that are part of a public–private pair (such as RSA). In the unlikely event of a security breach, the attacker gains no valuable information.
The actions listed here are general in nature and can simply be considered good security practice. In reality, you would implement significantly more mitigations, including activities specifically designed to protect the manufacturer’s intellectual property.
Vigilance brings security
The analysis undertaken during the initial design and manufacture of a diagnostic device is only the first step in the process of maintaining security. Once you have decided on which mitigations that your system will use, you need to analyze new threats to see whether they can be fully neutralized by these mitigations.
Many different factors can highlight the need for a threat analysis. These might be external (such as new vulnerabilities and capabilities, operating system patches) or internal factors (such as a device software update or patch). As a manufacturer of diagnostic devices, you are responsible for ensuring that threat analysis is performed continually and thoroughly.
No IT system is ever 100 percent secure. But producers of diagnostic devices are responsible for the way their products operate within a larger ecosystem.
By working collaboratively with an instrument development partner who is experienced in designing and implementing cybersecurity measures for a range of medical and other devices, you can have increased confidence that your device will be safe and reliable in protecting patients’ lives.