The Role of SBOMs in Medical Device Risk Management 

A software bill of materials (SBOM) is an inventory of all software components (proprietary and open source), open-source licenses, and dependencies in a given product. Items listed within an SBOM include libraries, drivers, firmware, licenses, and operating systems.  

SBOMs have a broad range of uses for stakeholders including: 

Security: Within the healthcare industry, SBOMs provides greater transparency and enables medical device manufacturers and healthcare operators to identify vulnerabilities and monitor medical device security more effectively. Knowing the components of software installed on a device can save hundreds of hours in the risk analysis, vulnerability management, and remediation processes.  

Compliance: As a result of President Biden’s Executive Order, those providing software to the federal government need to provide SBOMs as part of the federal procurement process. 

Procurement: A growing number of organizations are requesting SBOMs when buying and integrating software. Sharing SBOMs increases visibility, transparency and trust. This all leads to stronger relationships between medical device manufacturers and healthcare delivery organizations.  

Indeed, there are multiple benefits of using an SBOM across the total product life cycle:   

                    • An improved ability to identify software components contained in a device.  
                    • Better identification of suspicious software components and vulnerabilities.  
                    • More secure software development.  
                    • The ability to resolve security flaws quicker and more efficiently.  
                    • Increased software transparency among vendors and increased consumer trust.  
                    • Improve licensing governance.  
                    • Greater supply chain resiliency.  

One use case that we want to delve into in a little more detail is the role of SBOMs in medical device risk management. 

What is Medical Device Risk Management?  

Medical device risk management is the continuous process of identifying security vulnerabilities within a medical device and implementing plans to address them. It is an integral part of the medical device product development lifecycle. Risk management allows medical device manufacturers to ensure that their product works as expected and that all the necessary steps are being taken to adequately secure a device, limit threats and minimize risks. In other words, risk management is about finding weaknesses in medical device software and making sure they are properly addressed. 

In April, the FDA published an overhauled draft guidance on medical device cybersecurity for submitting a premarket submission. Within it, the following was said about medical device risk management.  

“To fully account for cybersecurity risks in devices, the safety and security risks of each device should be assessed within the context of the larger system in which the device operates. In the context of cybersecurity, security risk management processes are critical because, given the evolving nature of cybersecurity threats and risks, no device is, or can be, completely secure. Security risk management should be part of a manufacturer’s quality system.”  

The importance of medical device risk management is clear and the advent of SBOMs is making the process all the easier. In fact, in the last number of years, SBOMs have emerged as a crucial component of the entire software supply chain risk management process. An SBOM gives developers, buyers and users of software a way to track software dependencies across supply chains, manage vulnerabilities and anticipate emerging risks.  

Medical Device Risk Management and IMDRF 

In July 2022, The International Medical Device Regulators Forum (IMDRF) published draft guidance for ‘Principles and Practices for Software Bill of Materials (SBOM) for Medical Device Cybersecurity’. The draft guidance provided users with a high-level description of an SBOM and best practices for the generation and use of them.  

This draft guidance outlined some of the ways that SBOMs are being used in the medical device risk management process. It looked at how SBOMs are making life easier for two different types of stakeholders – medical device manufacturers and healthcare providers. When it comes to medical device risk management, some of the best advice and insights can be found within this document. 

Medical Device Risk Management for Manufacturers 

For medical device manufacturers, it is suggested that they consider the entire software supply chain when generating SBOMs for risk-management purposes. This includes software and software dependencies that are developed internally or externally and included in the device. Dependencies can include such things as libraries, operating systems, TCP/IP stacks, and compilers. 

SBOMs have made a number of risk management activities much easier and more effective for medical device manufacturers. This includes: 

                    • Hazard Analysis: SBOMs can be used to identify potential cyber security vulnerabilities associated with known software components. 
                    • Risk Evaluation: SBOMs provide information about potential vulnerabilities that may exist, including their potential exploitability and impact. This can be used to estimate and evaluate the level of risk associated with a particular vulnerability. 
                    • Risk Control: Monitoring and routinely updating an SBOM with known vulnerabilities helps to keep risks at an acceptable level. 
                    • Lifecycle risk management: An SBOM can be provided as part of product security documentation to HCPs at purchase and throughout the device’s life cycle. 


Medical Device Risk Management for Healthcare Providers
 

SBOMs are similarly important to healthcare providers. The role of SBOMs in the risk management process starts in the pre-procurement phase where healthcare professionals are being advised to request an SBOM for any devices that are integrated into their network infrastructure. Requesting an SBOM allows for greater transparency and awareness. It also allows the healthcare provider to have more faith in what they’re buying.    

By being provided with SBOMs, healthcare providers are more informed about what’s in a device and what risks are associated with it. They can then apply more effective control measures and mitigation strategies across the device life cycle.  

SBOMs and Medical Device Risk Management  

In the past, medical device cybersecurity has primarily been a reactionary process but the tide is beginning to turn. With cyberattacks on the rise and the threatscape becoming more and more sophisticated, both medical device manufacturers and healthcare providers need to think about security throughout a product’s life cycle. In this regard, the rise of SBOMs can only be a good thing as it allows for better supply chain resiliency, increased visibility of potential vulnerabilities and a greater ability to resolve security flaws when they occur.  

For those looking to incorporate SBOMs into their risk management process, SelectEvidence™ is a powerful tool that simplifies and streamlines the process. SelectEvidence™ is an expert cybersecurity risk assessment platform that guides medical device manufacturers through the process of identifying applicable vulnerabilities and identifying the right security controls to mitigate those risks. It provides device manufacturers with an intelligent, automated, and traceable approach to cybersecurity assessments. SelectEvidence™  does this by continually monitoring SBOMs across all connected medical devices. 

To learn more about SelectEvidence™, and its role in medical device risk management, you can organize an obligation-free demo here.