MDRF Publishes Long-Awaited Draft Guidance Related to SBOMs and Medical Device Cybersecurity  

The International Medical Device Regulators Forum (IMDRF) has published draft guidance for ‘Principles and Practices for Software Bill of Materials (SBOM) for Medical Device Cybersecurity’. Much anticipated, it is intended that this document will set the standard for SBOM creation, distribution and maintenance.   

It has been said many times before but while the increased connectivity of medical devices has made patient care more efficient, effective and data driven, it has created a real security challenge. The rise of connected medical devices has made the healthcare sector a valuable target for cyber attackers and the sector has been hit with a number of high-profile attacks in recent times. This has led to a need to completely re-examine security laws, regulations and processes. 

In the United States of America, authorities have been placing a much greater emphasis on medical device cybersecurity and strengthening cybersecurity posture. In previous articles, we’ve spoken of the impact of Joe Biden’s Cybersecurity Executive Order and some of the healthcare cybersecurity standards and best practices that have been launched as a result of this executive order. On our blog we’ve discussed how FDA published draft guidance on medical device cybersecurity (pre-market) as well as guidance released by Healthcare Supply Chain Association (HSCA) to help protect patient health, safety and privacy. 

Using SBOMs to Strengthen Medical Device Cybersecurity  

In this great re-examination of cybersecurity laws and regulations, SBOMs have been repeatedly highlighted as a means to strengthen cybersecurity and ensure software supply chain security.  

                      • Within the Executive Order, Biden tasked the National Telecommunications and Information Administration (NTIA) and the Commerce Department with defining the minimum elements of an SBOM. Learn more here.   
                      • The EO also cited a requirement for vendors to provide an SBOM as part of the federal procurement process.  
                      • Within FDA’s overhauled draft guidance on medical device cybersecurity for submitting a premarket submission, SBOMs were identified as one of the five key protocols for managing risk. Learn more here.  
                         

The benefits of using an SBOM across the total product life cycle include (but are not limited to): 

                      • An improved ability to identify software components contained in a device,  
                      • More secure software development,  
                      • Increased software transparency among vendors, 
                      • Better identification of suspicious software components.  


Principles and Practices for Software Bill of Materials (SBOM) for Medical Device Cybersecurity’
 


Now in July 2022, The International Medical Device Regulators Forum (IMDRF) has published draft guidance for ‘
Principles and Practices for Software Bill of Materials (SBOM) for Medical Device Cybersecurity’. The draft guidance document provides a high-level description of an SBOM and best practices for the generation and use of an SBOM. Its purpose is to provide greater detail on the implementation of SBOM and software transparency as relevant to medical device stakeholders, including MDMs, healthcare providers (HCPs), and regulators. 

As was emphasized in the preceding IMDRF medical device cybersecurity guidance, the draft guidance continues to recognize that cybersecurity is a shared responsibility among stakeholders.  

The draft guidance document is intended to:

                      • Provide recommendations for medical device manufacturers in SBOM generation, management, and distribution; 
                      • Provide recommendations to healthcare providers on ingestion and management of an SBOM; and 
                      • Demonstrate SBOM use cases for risk management, vulnerability management, and incident response from the perspective of medical device manufacturers and healthcare providers. 

Key Considerations for Medical Device Manufacturers and Healthcare Providers

For medical device manufacturers, the draft guidance delves into key considerations related to SBOMs. This includes collecting SBOM content, how to generate SBOMs, advantages and disadvantages of different distribution methods and how to monitor for vulnerabilities. It also addresses some of the challenges that come with implementing SBOMS across the product life cycle, including generating an SBOM for legacy devices.

The draft guidance also looks at how medical device manufacturers can use centralized repositories, which provide a more streamlined way for customers to access information and can be used as part of an automated process.

For healthcare providers, the draft guidance explores key considerations such as ingesting and managing SBOMs. It also lists the advantages and disadvantages of various SBOM ingestion methods.

“With the scale and scope of devices in a healthcare provider’s environment, to be practically useful, an SBOM needs to be ingested in an automated way. Automation also aids in the management of the SBOM going forward as SBOMs may be updated over time. As a part of hospital operations, organizations may leverage a security information and event management (SIEM) software solution that can, among other things, collect, store, aggregate, and analyze data from networked devices, servers, etc.”

The draft guidance also offers a number of SBOM use cases including using SBOMS in risk management, vulnerability management, and incident management. For the team here it is also incredibly exciting to see standards authored by Nova Leah Founder, Dr. Anita Finnegan, specifically called out within the document.

Conclusion 

This draft guidance document is a significant step towards a more secure and robust environment for medical device manufacturers, healthcare delivery organizations and, ultimately, patients. The proposed document is open to for public comment until 30 August 2022. A link to the document can be found here.