Why SBOMs are the Future of Medical Device Security

If you have been following us on social media or keeping up to date on our blog, you may have noticed a theme emerging of late. Over the past few months, we have been exploring SBOMs in great detail. 

Amongst other things we’ve looked at:

You may have wondered why such an emphasis was being placed on SBOMs. The answer is simple: SBOMs are now a staple of effective cybersecurity for medical devices and quite possibly the future of medical device security.

In this blog post, we’ll examine some of the key reasons why.  

1. SBOMs offer an ‘ecosystem-wide’ solution

How do you strengthen the cybersecurity of an entire industry, especially one as complex and impactful as the medical device/healthcare industry? 

The NTIA recently released a two-page SBOM overview which details why SBOMs have been so keenly advocated. In the document the NTIA paints a fascinating picture of the medical device industry, the cybersecurity challenges the industry faces and the united effort needed to tackle these challenges.

“Most software depends on third-party components (libraries, executables, or source code), but there is very little visibility into this software supply chain…

If users don’t know what components are in their software, then they don’t know when they need to patch. They have no way to know if their software is potentially vulnerable to an exploit due to an included component – or even know if their software contains a component that comes directly from a malicious actor.

The reality is this: when a new risk is discovered, very few organizations can quickly and easily answer simple, critical questions such as: “Are we potentially affected?” and “Where is this piece of software used?” This lack of systemic transparency into the composition of software across the entire digital economy contributes substantially to cybersecurity risks as well as the costs of development, procurement, and maintenance.”

The above highlights the fact that a software supply chain is only as strong as its weakest link. The summary goes on to describe how software components used in medical devices come from many different industries and any solution that is used to enhance medical device security must work across the entire ecosystem. 

Requiring all medical device manufacturers to produce a software bill of materials (SBOM) on all products and standardizing the use of SBOMs provides the medical device industry with the type of ‘ecosystem-wide’ approach that is needed to tackle the challenge of cybersecurity.  


2. SBOMs can increase the transparency and security of software supply chains

Ever since President Biden issued Executive Order 14028 on Improving the Nation’s Cybersecurity in May 2021, there has been a lot of discussion about software supply chains and what is needed to secure them effectively.

In a document titled ‘Role and Benefits for SBOMs Across the Supply Chain’, the NTIA provided a very useful introduction to software supply chains. In doing so, it also showcased how supply chains fall apart when there is a lack of visibility and transparency. See extract below:

“Even before software was widespread, organizations thought about multi-stage production processes through the lens of the supply chain: each stage of production takes inputs from a previous stage and adds their own skills and contributions to produce outputs that a subsequent stage can use. At one end are the most basic components, such as raw materials, and at the other end are the final users or consumers of the product.

It’s useful to think of modern-day software development as a supply chain:

                    • Software developers write code that fulfils a need, then make it available freely or commercially.
                    • Other developers with similar needs find that code and include it in their own software.
                    • At some point, a product manufacturer assembles software components into a product.
                    • End users acquire and operate the finished product.

The supply chain is a simple model of how products are made, but it doesn’t answer every possible question. What happens when something goes wrong with a link in the chain?”

For many years there has been limited visibility into what a piece of software is made of: which third-party components it includes, where they came from, and who else depends on them. This lack of visibility has left software supply chains in a vulnerable state. Without transparency, it is very difficult to scope and remediate a breach, and the supply chain remains exposed to both security and compliance risk.

An SBOM provides a machine-readable inventory of the software components within a given medical device, with their suppliers, versions and unique identifiers. This is the level of transparency needed to properly secure a software supply chain. An SBOM cannot prevent a vulnerability that has not yet been discovered, but when one is disclosed it lets a manufacturer or hospital immediately identify which devices contain the affected component, so issues surface earlier and are less likely to be left exposed. This greatly improves the resiliency of the entire supply chain.
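The following example (added here to illustrate the point; it is not code from the original post or from Nova Leah) shows what the NTIA questions quoted above, “Are we potentially affected?” and “Where is this piece of software used?”, look like in practice once SBOMs exist. It takes two constructed CycloneDX-style SBOMs for hypothetical devices, a hypothetical advisory with an affected version range, and answers both questions by matching package URLs (purls). It also checks each SBOM for the NTIA “Minimum Elements for an SBOM” baseline fields (supplier, component name, version, unique identifier, dependency relationship, author, timestamp). All device names, component names and the advisory are invented for the example.

```python
"""Answer "Are we affected?" and "Where is this used?" from a set of SBOMs.
Everything here is constructed for illustration: the devices, components and
the advisory are hypothetical, not real products or real vulnerabilities."""
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOMs (JSON text), keyed by device/firmware.
SBOMS: Dict[str, str] = {
    "infusion-pump-fw-3.2": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"timestamp": "2022-06-01T00:00:00Z",
                     "authors": [{"name": "Example Device Maker"}]},
        "components": [
            {"type": "library", "name": "libtls", "version": "1.2.8",
             "supplier": {"name": "Example OSS"}, "purl": "pkg:generic/libtls@1.2.8"},
            {"type": "library", "name": "jsonparse", "version": "0.9.1",
             "supplier": {"name": "Example OSS"}, "purl": "pkg:generic/jsonparse@0.9.1"},
        ],
        "dependencies": [],
    }),
    "patient-monitor-fw-5.0": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"timestamp": "2022-06-01T00:00:00Z",
                     "authors": [{"name": "Example Device Maker"}]},
        "components": [
            {"type": "library", "name": "libtls", "version": "1.3.0",
             "supplier": {"name": "Example OSS"}, "purl": "pkg:generic/libtls@1.3.0"},
            {"type": "library", "name": "zipfast", "version": "2.1.0",
             "supplier": {"name": "Example OSS"}, "purl": "pkg:generic/zipfast@2.1.0"},
        ],
        "dependencies": [],
    }),
}

# Constructed SBOM that is missing several NTIA minimum elements.
INCOMPLETE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [{"type": "library", "name": "libtls", "version": "1.2.8"}],
})

# Hypothetical advisory: libtls versions from 1.0.0 up to (not including) 1.3.0.
ADVISORY = {"id": "EXAMPLE-ADV-0001", "purl_base": "pkg:generic/libtls",
            "introduced": "1.0.0", "fixed": "1.3.0"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version -> int tuple, so 1.10.0 sorts after 1.9.0 (a string compare would not)."""
    return tuple(int(part) for part in v.split("."))


def split_purl(purl: str) -> Tuple[str, str]:
    """'pkg:generic/libtls@1.2.8?arch=arm' -> ('pkg:generic/libtls', '1.2.8')."""
    base, _, version = purl.split("?", 1)[0].partition("@")
    return base, version


def components(sbom_json: str) -> List[dict]:
    return json.loads(sbom_json).get("components", [])


def where_used(sboms: Dict[str, str], purl_base: str) -> Dict[str, List[str]]:
    """"Where is this piece of software used?" -> {device: [versions shipped]}."""
    hits: Dict[str, List[str]] = {}
    for device, sbom_json in sboms.items():
        for c in components(sbom_json):
            base, version = split_purl(c.get("purl", ""))
            if base == purl_base:
                hits.setdefault(device, []).append(version or c.get("version", ""))
    return hits


def affected_devices(sboms: Dict[str, str], advisory: dict) -> List[str]:
    """"Are we potentially affected?" -> devices shipping a version in [introduced, fixed)."""
    lo, hi = parse_version(advisory["introduced"]), parse_version(advisory["fixed"])
    affected = [device for device, versions in where_used(sboms, advisory["purl_base"]).items()
                if any(lo <= parse_version(v) < hi for v in versions)]
    return sorted(affected)


def missing_minimum_elements(sbom_json: str) -> List[str]:
    """List the NTIA minimum-element fields an SBOM lacks (empty list means complete)."""
    doc = json.loads(sbom_json)
    meta = doc.get("metadata", {})
    problems = []
    if not meta.get("timestamp"):
        problems.append("metadata.timestamp")          # timestamp of SBOM data
    if not meta.get("authors"):
        problems.append("metadata.authors")            # author of SBOM data
    if "dependencies" not in doc:
        problems.append("dependencies")                # dependency relationships
    for i, c in enumerate(doc.get("components", [])):
        for field in ("supplier", "name", "version", "purl"):   # supplier, name, version, unique id
            if not c.get(field):
                problems.append(f"components[{i}].{field}")
    return problems


if __name__ == "__main__":
    print("used in:", where_used(SBOMS, ADVISORY["purl_base"]))
    print("affected by", ADVISORY["id"] + ":", affected_devices(SBOMS, ADVISORY))
    print("incomplete SBOM lacks:", missing_minimum_elements(INCOMPLETE_SBOM))
```

The version check deliberately compares numeric tuples rather than strings, because a naive string comparison would treat 1.10.0 as older than 1.9.0 and miss affected devices. The minimum-elements check is the practical caveat: an SBOM that omits suppliers or unique identifiers cannot be matched reliably against an advisory, so the questions above go unanswered no matter how many SBOMs a hospital has collected.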

A more in depth look into how SBOMs can protect supply chains can be found here.

3. Authorities have repeatedly identified SBOMs as a means to strengthen software supply chains

At Nova Leah, we are incredibly confident when we say that SBOMs are the future of medical device security. One reason for this confidence is simply down to the actions being taken by lawmakers and governing bodies and the repeated focus being placed on SBOMs. 

In the medical device industry, we are currently undergoing a total re-examination of cybersecurity laws and regulations. Within this, SBOMs have been repeatedly highlighted as a means to strengthen cybersecurity and ensure software supply chain security.  

                    • Within the Executive Order (mentioned above), President Biden tasked the National Telecommunications and Information Administration (NTIA) and the Commerce Department with defining the minimum elements of an SBOM. The EO also cited a requirement for vendors to provide an SBOM as part of the federal procurement process.  
                    • Within FDA’s overhauled draft guidance on cybersecurity in medical devices (April 2022), which covers the content of premarket submissions, SBOMs were identified as one of the five key protocols for managing risk. Learn more here.  
                    • The Healthcare Supply Chain Association (HSCA) released guidance for medical device manufacturers and healthcare providers to help safeguard patient health, safety, and privacy. The use of SBOMs was, once again, advocated within this guidance document. 
                    • In May 2022, US Senators Bill Cassidy and Tammy Baldwin introduced the Protecting and Transforming Cyber Health Care (PATCH) Act. The PATCH Act was created with the specific intention of enhancing medical device security at the premarket stage. Amongst other things, the act advocates the use of a software bill of materials (SBOM) as a means to strengthen cybersecurity. 

While SBOMs alone are not enough to solve all problems related to medical device cybersecurity, it’s obvious that they have a huge role to play and will be a huge part of medical device security for years to come. But how do organizations fully embrace SBOMs and get the most out of them from a security perspective? If you work in the medical device space and want to find out more, get in touch today.

SBOMs and SelectEvidence™

SelectEvidence™ is an expert cybersecurity risk assessment platform that guides medical device manufacturers through the process of identifying applicable vulnerabilities and selecting the security controls that mitigate those risks. It provides device manufacturers with an intelligent, automated, and traceable approach to cybersecurity assessments. SelectEvidence™ does this by continually monitoring SBOMs across all connected medical devices.

To learn more about SelectEvidence™, and its role in medical device risk management, you can organize an obligation-free demo here.  