The Parties

HopingToGetCareHospital is a regional hospital network with a formal vendor approval process. Medical devices go through procurement review before any purchase order is raised. The approved vendor list exists precisely to ensure the hospital only buys from verified, certified suppliers.

WhiteListedVendorCo is the approved medical device supplier. FDA-cleared. ISO 13485 certified. Audited two years prior. No adverse findings on record. By every measure the hospital's procurement team can see, WhiteListedVendorCo is a safe choice.

VendorToWhiteListedVendor is a contract manufacturer in Eastern Europe. WhiteListedVendorCo subcontracts all physical board assembly to them. The hospital does not know this arrangement exists.

OriginalRawPartSupplier is the microcontroller source VendorToWhiteListedVendor has used for four years. Reliable. Known. Currently non-operational — political instability in its country has collapsed the supply pipeline.

ReplacedRawPartSupplier is a vendor VendorToWhiteListedVendor has never worked with before. They were contacted by email. They replied with a price quote. That is the entirety of the due diligence.

Core Risk

HopingToGetCareHospital believed it was buying from one trusted supplier. In reality, it was depending on a four-tier chain with no visibility into subcontracting, component substitution, or upstream supplier assurance.


The Story

HopingToGetCareHospital's procurement committee raises a purchase order for 1,200 infusion pump controllers. WhiteListedVendorCo is on the approved vendor list. FDA-cleared. Audited two years prior. No flags. The order is approved.

What HopingToGetCareHospital does not know — because it never asked — is that WhiteListedVendorCo does not manufacture the controller boards. Assembly is subcontracted to VendorToWhiteListedVendor. No disclosure. No contractual requirement to disclose.

VendorToWhiteListedVendor sources microcontrollers from OriginalRawPartSupplier. That supplier is mid-crisis. Lead times have tripled. The delivery deadline for WhiteListedVendorCo is not moving.

VendorToWhiteListedVendor's procurement manager contacts ReplacedRawPartSupplier for the first time. No audit. No site visit. One email exchange and a price quote.

ReplacedRawPartSupplier ships on time. The chips look right. The test bench passes. Nobody checks the firmware. There is no SBOM from ReplacedRawPartSupplier. There is no PUF-based attestation on the components. VendorToWhiteListedVendor does not require it. WhiteListedVendorCo does not require it. HopingToGetCareHospital does not require it.

The infusion pumps pass incoming inspection at HopingToGetCareHospital and go live across three wards.

Eleven weeks later, a biomedical engineer runs a routine firmware audit. The hash on the controller board does not match WhiteListedVendorCo's documentation. WhiteListedVendorCo has no documentation for that hash — because they never generated one. VendorToWhiteListedVendor has no record of which chips came from which supplier.

HopingToGetCareHospital cannot identify which units are compromised. All 1,200 pumps are pulled from service. Four tiers. Zero attestation. Patients on affected wards moved to manual monitoring.

How the Failure Unfolded

Step 1 — Approved vendor selected
HopingToGetCareHospital raises the purchase order relying on WhiteListedVendorCo's approved status, certifications, and prior audit history.
Step 2 — Hidden subcontracting layer
WhiteListedVendorCo does not build the boards itself and uses VendorToWhiteListedVendor for physical assembly without that arrangement being visible to the hospital.
Step 3 — Supply disruption
OriginalRawPartSupplier becomes unable to fulfill orders because political instability collapses the supply pipeline and lead times triple.
Step 4 — Unvetted replacement introduced
VendorToWhiteListedVendor switches to ReplacedRawPartSupplier without audit, site visit, or structured due diligence.
Step 5 — Assurance controls missing
No firmware validation, no SBOM, no component attestation, and no traceability requirements exist across the chain.
Step 6 — Operational impact
The hospital cannot isolate affected units, so all 1,200 infusion pumps are pulled from service and patients move to manual monitoring.
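The two controls the chain lacked, a published firmware baseline and per-unit component traceability, are mechanical to check once they exist. The following Python is an added illustration, not code from the case study or from any of the parties named in it: the device model, lot identifiers, serials and firmware images are all constructed. It reproduces the biomedical engineer's audit (read-back firmware hash against an approved baseline) and then shows how the recall decision changes depending on whether the hospital holds component lot records for each unit.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed example: a firmware baseline the device vendor would publish per model.
# In the case study this documentation never existed for the substituted parts.
_GOOD = b"constructed firmware image IPC-200 v1.4"
_BAD = b"constructed firmware image of unknown origin"
APPROVED_FIRMWARE = {
    "IPC-200": {hashlib.sha256(_GOOD).hexdigest()},  # "IPC-200" is a made-up model name
}


@dataclass
class UnitRecord:
    serial: str
    model: str
    mcu_lot: Optional[str]       # component lot from the board assembler; None = no traceability
    mcu_supplier: Optional[str]  # who supplied the microcontroller; None = unknown
    firmware_image: bytes        # image read back from the controller during the audit


def firmware_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def audit_units(units, baseline=APPROVED_FIRMWARE):
    """Return serials whose read-back firmware hash is not in the approved baseline."""
    return [
        u.serial for u in units
        if firmware_hash(u.firmware_image) not in baseline.get(u.model, set())
    ]


def recall_scope(units, flagged_serials):
    """Decide which units must be pulled from service given the flagged ones.

    With lot traceability: every unit sharing a component lot with a flagged unit.
    Without it (any lot unknown): the whole fleet, which is what the hospital had to do.
    """
    if any(u.mcu_lot is None for u in units):
        return sorted(u.serial for u in units)
    by_serial = {u.serial: u for u in units}
    suspect_lots = {by_serial[s].mcu_lot for s in flagged_serials}
    return sorted(u.serial for u in units if u.mcu_lot in suspect_lots)


def build_fleet(traced: bool):
    """Six constructed pump controllers, three per MCU lot; one carries unexpected firmware.

    traced=False drops the lot and supplier fields, mirroring the missing records
    at the board assembler.
    """
    spec = [
        ("IP-0001", "L-ORIG-2201", "OriginalRawPartSupplier", _GOOD),
        ("IP-0002", "L-ORIG-2201", "OriginalRawPartSupplier", _GOOD),
        ("IP-0003", "L-ORIG-2201", "OriginalRawPartSupplier", _GOOD),
        ("IP-0004", "L-REPL-0007", "ReplacedRawPartSupplier", _BAD),
        ("IP-0005", "L-REPL-0007", "ReplacedRawPartSupplier", _GOOD),
        ("IP-0006", "L-REPL-0007", "ReplacedRawPartSupplier", _GOOD),
    ]
    return [
        UnitRecord(serial, "IPC-200", lot if traced else None,
                   supplier if traced else None, fw)
        for serial, lot, supplier, fw in spec
    ]


if __name__ == "__main__":
    for traced in (True, False):
        fleet = build_fleet(traced)
        flagged = audit_units(fleet)
        print(f"traced={traced}: flagged {flagged}, recall {recall_scope(fleet, flagged)}")
```

With lot records, a single hash mismatch narrows the recall to the three units built from the substituted lot; without them, the same single finding forces all six units out of service. The baseline check itself is only as good as the baseline: a hash WhiteListedVendorCo never generated cannot be matched, which is why the firmware baseline has to be a contractual deliverable rather than something reconstructed after the fact.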
GRC Questions Raised by This Case Study
  1. Why was WhiteListedVendorCo not contractually required to disclose subcontracted manufacturing?
  2. Why did HopingToGetCareHospital approve the supplier relationship without sub-tier visibility requirements?
  3. Why were supplier substitution events not treated as high-risk changes requiring revalidation?
  4. Why did VendorToWhiteListedVendor have no minimum due diligence standard before sourcing from a first-time vendor?
  5. Why were SBOMs, firmware baselines, and component attestation not required anywhere in the procurement or assurance process?
  6. Why was component traceability weak enough that compromised units could not be identified individually?