Protecting the Software Supply Chain with SBOMs

As the world becomes more connected and relies more heavily on technology, cybersecurity has skyrocketed up the list of concerns. Of course, all industries are susceptible to cyberattacks but in some sectors the consequences are far graver than others. It goes without saying that healthcare is one of those sectors.  

While connected medical devices have revolutionized the medical industry, the increased connectivity means that the healthcare sector is increasingly exposed to cybersecurity risks. According to IBM, the number of connected medical devices worldwide could exceed 50 billion in the next decade. Devices from defibrillators and pacemakers to insulin pumps are now connected to wireless networks and are open to cyberattacks. This puts healthcare providers and the lives of patients at serious risk, with one of the greatest threats being the unavailability of medical devices.

During the COVID-19 pandemic, ransomware and other cyberattacks on healthcare organizations spiked. There have been a number of heavily publicized incidents in the US. In July 2021, DuPage Medical Group, an Illinois-based physician group, notified 600,000 patients that their personal health information had been exposed when its computer network was hacked.

A recent article by GlobalData Healthcare underscored the severity of the issue.

“Hackers can use personal healthcare information to target victims with fraudulent schemes related to their medical history, create fake insurance claims to buy/sell medical equipment, or acquire illegal prescription medications for their own gain or for resale. Unlike credit card information or personal identification information, medical history cannot be changed, making it much more valuable on the black market. Over 41 million individuals in the US alone were affected by healthcare data breaches in 2021, according to reports of breaches affecting 500 individuals or more by the US Department of Health and Human Services (HHS) Office of Civil Rights.”

According to the article, the problem has continued to grow in 2022, with cases affecting more than 22.5 million people in the US under investigation. This represents an increase of 4.6% compared to the same period last year. The largest of these breaches was a network server breach at Shields Health Care Group, affecting as many as two million individuals and involving personal information, home and billing addresses, diagnoses, and other medical or treatment information.

Cybersecurity breaches hit an all-time high in 2021, exposing a record number of patients’ protected health information (PHI), according to a report from cybersecurity company Critical Insights.

What Can Be Done to Strengthen Software Supply Chains 

Growing concern within the industry is why US President Joe Biden issued an Executive Order (EO) on strengthening the nation’s cybersecurity infrastructure. The order pointed to software bills of materials (SBOMs) as a way of ensuring the safety and security of software supply chains across US critical infrastructure.

This advice was quickly acted upon. In July 2021, the NTIA published ‘The Minimum Elements for a Software Bill of Materials’. The FDA published pre-market guidance on medical device security, which once again pointed to SBOMs as a means of strengthening software supply chains. The IMDRF also released long-awaited draft guidance on SBOMs and medical device cybersecurity.

While a software bill of materials is not a cure-all, the industry can benefit hugely from implementing SBOMs across the medical device supply chain.  

To recap what we’ve written previously, an SBOM is much like an ingredients list for software. The software bill of materials (SBOM) lists every software component within a given device. Items listed in an SBOM include libraries, drivers, firmware, licenses, and operating systems. Within the healthcare industry, SBOMs provide greater transparency and enable medical device manufacturers and healthcare operators to identify vulnerabilities and monitor medical device security more effectively.

Using SBOMs to Strengthen Software Supply Chains  

Currently, when looking to identify and manage vulnerabilities, organizations check the National Vulnerability Database (NVD) for Common Vulnerabilities and Exposures (CVEs). However, without an SBOM, there is no reliable way to know which components a software package contains, and so no way to know which CVEs apply to it. An SBOM thus gives developers, buyers and users of software a way to track software dependencies across supply chains, manage vulnerabilities and anticipate emerging risks.

SBOMs tighten security across the entire supply chain by making vulnerability scanning and patching easier. They provide increased visibility of components and make it easier to spot potential vulnerabilities. They also make it easier to fix issues at the source and stop attackers before a weakness is exploited.
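As an added illustration of the workflow described in the two paragraphs above (this is example code written for this article, not part of any product or standard), the script below parses a small CycloneDX-style SBOM and cross-references each component against a vulnerability feed. Both the SBOM and the advisory records are constructed for the example: the component names, versions and advisory ids are invented, and the feed is a stand-in for a real source such as the NVD. The only non-obvious point it demonstrates is that versions must be compared numerically, not as strings, or a component at version 10.0.0 would be flagged as older than a fix released in 9.0.0.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM for a hypothetical device firmware image.
# Every component name, version and purl here is invented for illustration.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.2.3",
     "purl": "pkg:generic/libfoo@1.2.3"},
    {"type": "library", "name": "netstack", "version": "4.0.1",
     "purl": "pkg:generic/netstack@4.0.1"},
    {"type": "library", "name": "tlslib", "version": "10.0.0",
     "purl": "pkg:generic/tlslib@10.0.0"},
    {"type": "operating-system", "name": "rtos-kernel", "version": "2.9.0",
     "purl": "pkg:generic/rtos-kernel@2.9.0"}
  ]
}
"""

# Constructed advisory feed. A real feed (e.g. the NVD) carries far more detail,
# but each record reduces to: which component, which version range, which id.
# Advisory ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-0001", "name": "libfoo", "introduced": "1.0.0", "fixed": "1.2.4"},
    {"id": "ADV-0002", "name": "netstack", "introduced": "3.0.0", "fixed": "4.0.0"},
    {"id": "ADV-0003", "name": "tlslib", "introduced": "1.0.0", "fixed": "9.0.0"},
    {"id": "ADV-0004", "name": "rtos-kernel", "introduced": "2.8.0", "fixed": "3.0.0"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.3' into (1, 2, 3) so ranges compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def parse_sbom(text: str) -> List[Dict[str, str]]:
    """Extract name, version and purl for each component in a CycloneDX JSON document."""
    doc = json.loads(text)
    return [
        {"name": c["name"], "version": c["version"], "purl": c.get("purl", "")}
        for c in doc.get("components", [])
    ]


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """Affected if introduced <= version < fixed, the usual advisory convention."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def match_advisories(components: List[Dict[str, str]],
                     advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Cross-reference every SBOM component against every advisory record."""
    findings = []
    for comp in components:
        for adv in advisories:
            if adv["name"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": comp["purl"] or comp["name"],
                    "version": comp["version"],
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed"],
                })
    return findings


if __name__ == "__main__":
    for f in match_advisories(parse_sbom(SBOM_JSON), ADVISORIES):
        print(f"{f['component']} {f['version']} affected by {f['advisory']} "
              f"(fixed in {f['fixed_in']})")
```

Run as written, the script reports two findings (libfoo and rtos-kernel); netstack is already past its fix version, and tlslib 10.0.0 is correctly treated as newer than the 9.0.0 fix. In practice the advisory lookup would be keyed on the purl or CPE rather than a bare name, since the same component name can refer to different packages in different ecosystems.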

We’ve said it before, but it’s not difficult to deduce why Joe Biden’s Executive Order put such focus on SBOMs. A supply chain is only as strong as its weakest link, and in highly regulated sectors such as healthcare, an undiscovered software vulnerability can provide the entry point for a costly security breach.

While an SBOM can’t prevent undiscovered vulnerabilities, it can surface issues earlier and greatly reduce the likelihood that these vulnerabilities are left exposed. In this way, SBOMs could provide the key to building more resilient and robust software supply chains.

If you want to learn more about SBOMs, their benefits and who uses them, why not check out one of our most recent articles where we provide answers to some of the most frequently asked questions about SBOMs.

SelectEvidence and SBOMs 

SelectEvidence™ is an expert cybersecurity risk assessment platform that guides medical device manufacturers through the process of identifying applicable vulnerabilities and selecting the right security controls to mitigate those risks. It provides device manufacturers with an intelligent, automated, and traceable approach to cybersecurity assessments. SelectEvidence™ does this by continually monitoring SBOMs across all connected medical devices.

The simple and automated ingestion of each SBOM makes it easier and faster to start monitoring and managing risk. SelectEvidence™ scans over 180K vulnerabilities in real time, harnessing automation for 24/7 peace of mind. The solution provides specific and actionable mitigations for every vulnerability found.

Learn more about SelectEvidence® and download a free information sheet on our Solutions page
