Securing Medical Device Supply Chains: Navigating Complex Manufacturing Environments

In March 2026, nation-state-backed attackers targeted the medical device manufacturer, Stryker, wiping and disrupting more than 200,000 systems, servers, and mobile devices across the organization. When an attack disrupts manufacturing timelines, organizations face a significant risk of customer churn. Hospital procurement teams are more likely to choose a competitor product than wait for the manufacturer to recover from an incident like this. Once the hospitals acquire and onboard these substitute devices, they are often more likely to continue to purchase from the manufacturer, creating a long-term relationship. 

Medical device manufacturers face more than just sensitive data risk. They face widespread outages that can impact manufacturing and logistics, which ultimately lead to customer churn and lost revenue. Ensuring business continuity requires maintaining visibility and control across complex, connected manufacturing environments that include traditional IT, operational technology (OT), and Internet of Things (IoT) devices. 

The Medical Device Manufacturing Attack Surface Continues to Expand

Medical device manufacturing environments have evolved, often combining legacy systems with modern infrastructures. Today, they contain a tightly interconnected mix of:

• Enterprise IT systems: Cloud platforms, identity services, and Software-as-a-Service (SaaS) business applications. 
• Operational technology: Industrial control systems (ICS) and SCADA systems.
• Connected devices: Embedded systems, testing equipment, and sensors for manufacturing floors. 

The convergence of IT, OT, and IoT often improves operational efficiency while expanding the attack surface. Problematically, traditional network scanning and device inventory tools often fail to identify OT and IoT devices. 

From Airgapped to Connected: The Network Segmentation Challenge

While network segmentation is a foundational security control, medical device manufacturers struggle to implement and maintain it across these complicated IT, OT, and IoT environments. Historically, organizations airgapped their OT networks, preventing any connectivity with the public internet or the organization’s enterprise IT networks. However, the IoT devices that improve manufacturing processes mean organizations can no longer create these strict separations between IT and OT. 

Medical device manufacturers must balance security with operational requirements, including:

• Continuous communication between IT and OT systems: Production environments rely on data exchange with enterprise systems for scheduling, quality management, updates, and reporting, requiring persistent connectivity.
• Connected devices that cannot support traditional security controls: Many embedded or specialized systems lack support for endpoint agents, modern authentication methods, and standard hardening practices, creating security coverage gaps.
• Legacy and vendor-managed equipment: Manufacturing environments often include long-lived assets or third-party systems that restrict or limit patching, configuration changes, or segmentation adjustments.
• Dynamic and difficult-to-maintain network boundaries: Operational exceptions accumulate over time, resulting in difficult-to-validate, partially validated environments.
• Operational constraints that prevent full isolation: Airgapping critical systems is often incompatible with real-time monitoring, remote access, software updates, and production efficiency requirements.

How Visibility Gaps Impact Detection, Response, and Recovery

Limited visibility into connected environments directly impacts how effectively and efficiently organizations detect, respond to, and recover from incidents.

Detection

Before a security team can identify abnormal or risky network activity, they need to know what normal looks like. Inaccurate device inventories can lead to monitoring gaps like:

• Unidentified anomalous behavior. 
• Unflagged unauthorized communications.
• Compromised systems blend in with legitimate activity. 

Without a clear baseline that defines acceptable communications, security teams have no way to identify potential threats. 

Response

During an active incident, responders need to quickly answer fundamental investigation questions like:

• What systems are affected?
• Which assets are critical to operations?
• What can be safely isolated?

Limited visibility increases the time responders spend trying to answer these questions, ultimately increasing an attack’s impact. With more time to explore networks, attackers can find critical assets and sensitive data. Slower response places more systems at risk, unintentionally increasing operational disruption. 

Recovery

Without visibility into all connected devices, organizations have no way to validate that their recovery processes adequately restore systems to a trusted state. 

In medical device manufacturing environments with hundreds or thousands of connected devices, the visibility gaps can lead to:

• Stalled recovery efforts: Inability to scope the problem or prioritize restoration. 
• Unclear dependencies: Time-consuming recovery related to upstream or adjacent systems. 
• Overly cautious restoration decisions: Difficulties isolating impacted systems and delays bringing systems back online while trying to avoid reintroducing risk. 
• Error-prone, manual processes: Validating systems individually without a clear baseline to judge recovery appropriately. 

Without a comprehensive, trustworthy inventory, organizations lack the behavioral context to distinguish between clean and potentially impacted devices. 

Best Practices for Strengthening Resilience

For medical device manufacturers, an extended disruption can lead to various consequences, including:

• Short term: Production delays, disrupted shipping and distribution, and supply chain interruptions. 
• Long term: Backlogs and operational inefficiencies, increased recovery and remediation costs, and internal resource strains.

In the medical device industry, product availability directly impacts an organization’s reputation and revenue. When hospitals are willing to find substitutes and stick with them, cyber resilience becomes a critical business requirement. 

To reduce a cyber incident’s impact, medical device manufacturers can focus on implementing the following best practices to improve visibility and control access across complex, connected environments. 

Establish Comprehensive Asset Visibility

To maintain an up-to-date, continuously validated inventory of all connected assets, organizations need a way to:

• Automatically discover and classify all connected devices, including unmanaged and agentless systems.
• Enrich asset inventory with contextual data, like device type, manufacturer, function, and risk profile.
• Continuously monitor for new, removed, or changed devices across the network.
• Identify unknown or unauthorized devices to reduce blind spots in the environment.
• Maintain a centralized, real-time system of record for all connected assets.

Implement and Validate Network Segmentation

When organizations implement network segmentation, they should consider targeted segmentation that groups devices based on their known acceptable communications and risk profiles. 

To continuously validate network policies, organizations should:

• Map device-to-device communication to understand real-world network interactions and uncover implicit dependencies.
• Identify unexpected or unauthorized communication paths across segments that may indicate overly permissive connectivity.
• Apply targeted segmentation strategies based on device behavior, risk level, and communication patterns.
• Document that critical systems are properly isolated from non-essential networks while accounting for operational exceptions.
• Detect policy drift or segmentation gaps introduced by evolving workflows, vendor configurations, or legacy connectivity requirements.
• Continuously monitor east-west traffic to confirm segmentation effectiveness and adjust boundaries as environments change over time.

Create Baselines for Normal Device Behavior

To identify abnormal behaviors, security teams need to understand typical communications and operations so that they can more rapidly identify and investigate potential incidents. In medical device manufacturing environments, this includes not only traditional IT traffic patterns but also OT and IoT-specific protocols that govern how industrial systems and connected devices exchange data.

When defining baselines, organizations should consider:

• Building behavioral baselines for device communication patterns that support protocol-aware visibility across OT/IoT environments, including major industrial protocols.
• Identifying deviations from normal behavior in both network traffic and protocol usage that may indicate compromise, misconfiguration, or unauthorized access.
• Correlating observed device behavior with known vulnerabilities, exposed services, and risk indicators tied to specific industrial or medical device protocols.
• Prioritizing high-risk or high-impact anomalies based on device criticality and their role within operational or manufacturing workflows.
• Informing incident response detection and recovery decisions with behavioral context, like protocol-specific norms and device communication roles.

Strengthen Incident Response for Hybrid Environments

Incident response processes must account for complex IT, OT, and connected device ecosystems, meaning security teams must base decisions on real-time device visibility, communication context, and operational criticality. 

When organizations work to improve cyber resilience through improved incident response capabilities, they can consider:

• Incorporating continuous device and network visibility into incident response workflows to ensure response teams are operating from an accurate, real-time view of the environment.
• Using communication behavior, protocol activity, and network relationships to identify affected assets rather than relying solely on static asset inventories.
• Mapping device and system dependencies to understand how incidents may impact downstream workflows.
• Prioritizing response actions using a combination of device criticality, communication patterns, and operational impact rather than just severity scores.
• Supporting containment and isolation decisions with live network communication data and observed behavior to reduce unnecessary disruption to unaffected systems.
• Coordinating response across security, IT, and operations teams through a shared understanding of device roles, relationships, and risk context.

Plan for Recovery as a Core Capability

Recovery speed is a core tenet of any cyber resilience plan. Organizations need to prepare so they can restore operations quickly and safely while reducing uncertainty. 

When improving cyber resilience and improving recovery speed, organizations should consider:

• Using asset inventory, behavioral baselines, and device risk context, like known vulnerabilities and patch status, to identify trusted systems for restoration.
• Prioritize recovery of devices and systems that are critical to manufacturing operations, factoring in both operational role and risk exposure.
• Validating device integrity using expected communication patterns, protocol behavior, and configuration context, rather than relying solely on system availability.
• Correlating device behavior, risk scoring, and patch intelligence to accelerate trust decisions
• Supporting phased operational restoration by grouping devices based on risk level, patch status, and operational dependencies.
• Guiding systems back to a known-good operational state by identifying configuration drift, applying patches, and enforcing hardening measures during recovery.

Asimily: Connected Device Visibility to Support Supply Chain Security

Asimily supports medical device manufacturers by helping them gain control over their complex, connected production and distribution environments. In modern manufacturing, where IT, OT, and connected devices are tightly integrated, disruptions in one area can quickly cascade into broader operational and supply chain delays.

Asimily’s passive monitoring and protocol-aware analysis enable medical device manufacturers to gain comprehensive visibility into all connected assets, including industrial systems, embedded devices, and IoT/IoMT endpoints. Building on this visibility, Asimily enables targeted segmentation strategies based on device behavior, risk, and communication patterns. By identifying critical assets, mapping dependencies, and highlighting high-risk connections, organizations can reduce lateral movement and better contain potential incidents before they impact manufacturing workflows.

By combining visibility, risk prioritization, and adaptive segmentation, Asimily helps manufacturers strengthen operational resilience so they can reduce disruption, accelerate recovery, and maintain continuity across the medical device supply chain.