The Security Benefits of a Software Bill of Materials (SBOM) 

The software bill of materials, or SBOM, provides a list of all software components within a given device. Items listed within an SBOM include libraries, drivers, firmware, licenses, and operating systems. Given the obvious similarities, an SBOM is often depicted as a nutrition label or ‘ingredients list’ for software. Within the healthcare industry, SBOMs provide greater transparency and enable medical device manufacturers and healthcare operators to identify vulnerabilities and monitor medical device security more effectively.

In a previous post, we discussed Joe Biden’s Executive Order on strengthening the nation’s cybersecurity infrastructure. Within this Executive Order, SBOMs were highlighted as a means to strengthen cybersecurity and ensure software supply chain security across US critical infrastructure. The EO cited a requirement for vendors to provide an SBOM as part of the federal procurement process and Joe Biden tasked the National Telecommunications and Information Administration (NTIA) with defining the minimum elements of an SBOM. (We discussed these minimum elements in a recent blog post.) 

When it comes to strengthening the world’s cybersecurity infrastructure, you may wonder why so much emphasis is being placed on SBOMs. In this blog post, we attempt to answer that question.

Benefits of SBOMs in Healthcare 

1. Increased Visibility of Components and Potential Vulnerabilities   

In its two-page SBOM overview, the NTIA stated the following: 

“Software vulnerabilities are the by-product of both the human process of developing software and the increasingly frequent target of attacks into the software supply chain. If users don’t know what components are in their software, then they don’t know when they need to patch. They have no way to know if their software is potentially vulnerable to an exploit due to an included component – or even know if their software contains a component that comes directly from a malicious actor.”

When it comes to securing medical devices, a parallel is often drawn with the automobile industry. Every once in a while, a vehicle manufacturer might spot a defective component within a vehicle and order a recall. They do this so that vehicles can be repaired or even replaced before something goes wrong. The reason that vehicle manufacturers are able to carry out such recalls and then take the necessary steps to fix the issue is that they keep a bill of materials. By standardizing SBOMs, the cybersecurity industry is edging towards this type of efficiency and the ability to patch defective products at scale.

If there is one thing that everyone in the cybersecurity community can agree on it’s that you can’t secure what you do not know. One of the key reasons for using SBOMs is to provide manufacturers with greater visibility of what’s going on ‘under the hood’. Knowing the components of software installed on a device can save hundreds of hours in the risk analysis, vulnerability management, and remediation processes. 

2. Resolve Security Flaws Quicker and More Efficiently

A 2021 study titled ‘Building resilient medical technology supply chains with a software bill of materials’ describes how the 2017 WannaCry attack took advantage of a slow and cumbersome vulnerability scanning process.   

“Vulnerabilities in common third-party components can—and have—greatly impacted delivery of patient care. For instance, the WannaCry attack in May 2017 infected 200,000 computers in hospital systems across 150 countries. These exploits leveraged a vulnerability in several versions of Microsoft Windows for which a patch had been issued in March 2017, two months prior to the attack. In the absence of a published software bill of materials (SBOM), builders such as medical device manufacturers and operators such as healthcare delivery organizations (HDOs) likely would have had to manually inventory systems to detect the vulnerable software versions. These resource-intensive processes can contribute to delays in patch validation, patch installation, and consequently, inoculation of systems.” 

SBOMs tighten security across the entire supply chain by making it easier to perform vulnerability scanning and undertake patching. This is an area that is particularly relevant to Nova Leah. SelectEvidence® auto-ingests and performs continuous vulnerability monitoring of SBOMs. Once again, this allows for issues to be resolved quicker and more effectively.  

3. Deeper Transparency and Increased Consumer Trust  

In November 2019, the NTIA published a use case, ‘Roles and Benefits for SBOM Across the Supply Chain’. Within this use case, the NTIA provided a list of benefits for those that are ‘producing software’, ‘choosing software’ and ‘operating software’ respectively. You can read the full list of benefits, from all three perspectives, here. One benefit that applies to all three parties centres on how SBOMs build trust.

“An organization can provide an SBOM to a customer or downstream partners to help assure them that the company is providing a high-quality product that meets customers’ legal and security needs. Being proactive can offer a competitive advantage as SBOM adoption increases, and may ultimately become a common market expectation or requirement. An up-to-date SBOM can also reassure downstream consumers about the current security status of a product in their possession.”

Shared SBOMs mean increased visibility, transparency and trust. This all leads to stronger relationships between medical device manufacturers and healthcare delivery organizations.

4. Improve Licensing Governance 

SBOM adoption can help enhance software licensing governance. Every piece of software comes with a license that specifies how it may be used and distributed legally. Using SBOMs enables an organization to know and comply with the license obligations of the components used. SBOMs enable companies to assess licensing risk. Organizations can conduct due diligence and avoid moving non-compliant software into production. In this way, SBOMs improve the cybersecurity hygiene of the medical device supply chain.
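The two checks described in sections 2 and 4, matching SBOM components against known-vulnerable version ranges and against a license policy, look like this in practice. This is an added example, not code from the post or from SelectEvidence®; the SBOM document, the advisory feed, the advisory IDs and the approved-license set are all constructed for illustration.

```python
import json

# Constructed SBOM (CycloneDX-like JSON); names, versions and licenses are invented, not a real device.
SBOM_JSON = """{"components": [
  {"name": "netstack", "version": "2.4.1", "licenses": ["Apache-2.0"]},
  {"name": "imgcodec", "version": "1.9.0", "licenses": ["GPL-3.0-only"]},
  {"name": "tlslib", "version": "3.0.7", "licenses": ["MIT"]},
  {"name": "logfmt", "version": "0.8", "licenses": []}
]}"""

# Constructed advisory feed (component affected when introduced <= version < fixed_in); IDs are placeholders, not CVEs.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "name": "netstack", "introduced": "2.0.0", "fixed_in": "2.4.3"},
    {"id": "ADV-EXAMPLE-002", "name": "tlslib", "introduced": "3.0.0", "fixed_in": "3.0.5"},
]

# Constructed license policy for components shipped in a device image.
APPROVED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause", "Zlib"}

def parse_version(v: str) -> tuple:
    """'2.4.1' -> (2, 4, 1); pad to three parts, non-digit text counts as 0 ('1.2b' -> (1, 2, 0))."""
    parts = [int("".join(ch for ch in p if ch.isdigit()) or 0) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def find_vulnerable(components: list, advisories: list) -> list:
    """Return (name, version, advisory id) for every component whose version falls in an affected range."""
    hits = []
    for c in components:
        v = parse_version(c["version"])
        for adv in advisories:
            if adv["name"] == c["name"] and \
               parse_version(adv["introduced"]) <= v < parse_version(adv["fixed_in"]):
                hits.append((c["name"], c["version"], adv["id"]))
    return hits

def find_license_issues(components: list, approved: set) -> list:
    """Flag components with no declared license or with a license outside the approved set."""
    issues = []
    for c in components:
        lics = c.get("licenses") or []
        if not lics:
            issues.append((c["name"], "no license declared"))
        issues += [(c["name"], f"{l} not in approved set") for l in lics if l not in approved]
    return issues

def review_sbom(sbom_json: str) -> dict:
    """Run both checks over one SBOM document, as a continuous-monitoring job would on each new feed."""
    comps = json.loads(sbom_json)["components"]
    return {"patch_needed": find_vulnerable(comps, ADVISORIES),
            "license_review": find_license_issues(comps, APPROVED_LICENSES)}
```

Re-running `review_sbom` whenever the advisory feed changes is what turns a static component list into the continuous monitoring the post describes; the version parser is deliberately lenient so that vendor suffixes do not cause a component to be silently skipped.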

5. Greater Supply Chain Resiliency

It’s possible that one of the reasons why Joe Biden’s Executive Order put such focus on SBOMs is the belief that a supply chain is only as strong as its weakest link. In highly regulated sectors such as healthcare, an undiscovered software vulnerability can provide the entry point for a costly security breach. While an SBOM can’t prevent undiscovered vulnerabilities, it can surface issues earlier and help reduce the likelihood that these vulnerabilities are left exposed. This greatly improves the resiliency of the entire supply chain.  

SelectEvidence and SBOMs  

SelectEvidence® from Nova Leah is an expert cybersecurity risk assessment platform. The first-of-its-kind platform guides medical device manufacturers through the process of identifying applicable threats to their products and implementing the right security controls to mitigate those threats.

A key component of SelectEvidence® involves the simple and automated ingestion of SBOMs, which are continuously monitored for vulnerabilities. Learn more about SelectEvidence® and download a free information sheet on our Solutions page.