
Using Software Bill of Materials (SBOMs) For Medical Device Security

Software bills of materials (SBOMs) enable healthcare organizations to manage medical device security risks while promoting transparency between manufacturers and providers.

A software bill of materials (SBOM) provides a list of all software components in a given device, enabling transparency by allowing device manufacturers, buyers, and operators to identify and mitigate vulnerabilities and manage medical device security more efficiently.

In May 2021, President Biden’s executive order on improving the nation’s cybersecurity directed the US Department of Commerce, along with the National Telecommunications and Information Administration (NTIA), to publish guidance outlining the minimum elements for a software bill of materials.

The executive order pointed to SBOMs as a way to ensure software supply chain security across US critical infrastructure.

For healthcare, SBOMs have the potential to mitigate medical device security vulnerabilities, which could pose serious risks to healthcare organizations if exploited.

Many healthcare organizations do not know how many medical devices are active on their network at any given time, and out-of-date devices that can no longer be patched or updated potentially provide an easy opening for hackers.

While a software bill of materials is not a cure-all for healthcare cybersecurity vulnerabilities, the industry may be able to benefit from implementing SBOMs to enable open communication about vulnerabilities across the medical device supply chain.

What is a software bill of materials?

“Analogous to an ingredients list on food packaging, an SBOM is a list of all included software components,” a 2021 study published in npj digital medicine explained.

“SBOMs provide a transparency mechanism for securing software product supply chains by enabling faster identification and remediation of vulnerabilities, towards the goal of reducing the feasibility of attacks. SBOMs have the potential to benefit all supply chain stakeholders of medical technologies without significantly increasing software production costs. Increasing transparency unlocks and enables trustworthy, resilient, and safer healthcare technologies for all.”

SBOMs must be in a machine-readable format and contain information about software components, their dependencies, and their hierarchical relationships.

SBOMs are relevant to many industries and can help organizations with emergency management and software licensing. If a defect or vulnerability is found, the SBOM can be used as a reference point so that users and manufacturers can quickly locate the source of the issue and fix it.

In 2019, NTIA released a proof-of-concept report outlining the scope, benefits, and use cases of SBOMs in healthcare. NTIA worked with healthcare organizations and medical device manufacturers to create and integrate SBOMs into existing processes.

The report demonstrated that SBOMs produced by medical device manufacturers could be successfully consumed and implemented by healthcare organizations to provide a level of transparency and insight that was not previously available.

SBOMs are valuable in that they involve every stakeholder and provide visibility to manufacturers, buyers, clinicians, and industry regulators.

Benefits of SBOMs in healthcare

“Reliance on third-party components to deliver needed functionality carries with it the potential for increased risk. For example, a single vulnerability in a third-party component upstream can potentially have profound downstream impacts on patient health, privacy, and safety,” the npj digital medicine study stated.

“In the absence of a published software bill of materials (SBOM), builders such as medical device manufacturers and operators such as [healthcare organizations] likely would have had to manually inventory systems to detect the vulnerable software versions. These resource-intensive processes can contribute to delays in patch validation, patch installation, and consequently, inoculation of systems.”

The need for SBOMs in healthcare is increasing as experts continue to unearth more medical device security vulnerabilities.

Experts have identified medical device security challenges as some of the biggest threats to healthcare cybersecurity, and that trend is likely to continue as bad actors find innovative ways to access healthcare networks.

“Software vulnerabilities are both the byproduct of the human process of developing software and the increasingly frequent target of attacks into the software supply chain,” NTIA stated in its “SBOM overview”.

“If users don’t know what components are in their software, then they don’t know when they need to patch. They have no way to know if their software is potentially vulnerable to an exploit due to an included component – or even know if their software contains a component that comes directly from a malicious actor.”

Visibility into security vulnerabilities is the main driver for creating SBOMs in healthcare. In the event of a cyberattack, SBOMs provide healthcare organizations with a roadmap to rapid vulnerability detection. Organizations can use SBOMs to guide their detection and containment strategies.

SBOM implementation, downsides, and challenges

“The path to successful SBOM implementation is not an easy one,” a MedCrypt white paper explained.

“Technical and execution challenges are plenty, ranging from inconsistent software component naming to the management of the complexities of the SBOM itself, to organizational challenges such as determining which groups are responsible for vulnerability mitigation.”

NTIA’s proof-of-concept report found that although healthcare organizations were able to work with medical device manufacturers to implement SBOMs into their operations, it was challenging to conform to a standard digital format.

A lack of standard uniform resource identifiers (URIs) for SBOM attributes made implementation more challenging, but not impossible. With a unified, cross-industry approach, manufacturers and customers could streamline technical processes.

“Each device contains hundreds if not thousands of software components and each healthcare delivery organization has thousands if not ten-thousands of medical devices on their network,” MedCrypt reasoned.

The number of moving parts and the quantity of data present implementation challenges that cannot be ignored.

Medical device manufacturers, regulators, and healthcare organizations each have a prominent role in monitoring massive amounts of data. Regulators are responsible for maintaining awareness of risks to patient safety and public health. Manufacturers play a role in identifying vulnerabilities, matching those vulnerabilities to software components, and pushing patches to device owners.

Healthcare organizations then have to identify the affected devices and deploy patches and updates. An SBOM can help to simplify these roles, but some believe SBOMs could do more harm than good. Establishing industry-wide trust in the value of SBOMs is a big hurdle that must be overcome to allow for successful implementation.
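To make the consumption side of this workflow concrete (machine-readable SBOMs with hierarchical dependencies, matched against a vulnerability advisory so an organization can find which of its devices are affected and where in the dependency chain the component sits), here is an added Python example. It is not code from the article, NTIA, MedCrypt or any manufacturer; the two device SBOMs and the advisory are constructed, the component names and versions are hypothetical, and components are identified by package URL (purl) as one way around the inconsistent-naming problem the article describes.

```python
import json
# Constructed CycloneDX-style SBOMs for two hypothetical devices; purls and versions are made up.
SBOMS = {
    "infusion-pump-A": json.dumps({
        "components": [{"purl": "pkg:generic/pump-fw@3.1.0"}, {"purl": "pkg:generic/libhttp@2.4.1"},
                       {"purl": "pkg:generic/libtls@1.0.2"}],
        "dependencies": [{"ref": "pkg:generic/pump-fw@3.1.0", "dependsOn": ["pkg:generic/libhttp@2.4.1"]},
                         {"ref": "pkg:generic/libhttp@2.4.1", "dependsOn": ["pkg:generic/libtls@1.0.2"]}]}),
    "patient-monitor-B": json.dumps({
        "components": [{"purl": "pkg:generic/monitor-fw@5.0.0"}, {"purl": "pkg:generic/libtls@1.1.0"}],
        "dependencies": [{"ref": "pkg:generic/monitor-fw@5.0.0", "dependsOn": ["pkg:generic/libtls@1.1.0"]}]}),
}
# Constructed advisory (hypothetical): every libtls version below 1.1.0 is vulnerable.
ADVISORY = {"package": "pkg:generic/libtls", "fixed_in": "1.1.0"}

def parse_version(text):
    """Dotted numeric version -> comparable tuple, e.g. "1.0.2" < "1.1.0" (assumes a numeric scheme)."""
    return tuple(int(part) for part in text.split("."))

def split_purl(purl):
    """'pkg:generic/libtls@1.0.2?arch=arm' -> ('pkg:generic/libtls', '1.0.2'); the purl is the stable name."""
    name, _, version = purl.split("?", 1)[0].rpartition("@")
    return name, version

def is_affected(purl, advisory):
    name, version = split_purl(purl)
    return name == advisory["package"] and parse_version(version) < parse_version(advisory["fixed_in"])

def vulnerable_paths(sbom_json, advisory):
    """Walk the SBOM dependency graph from its roots; return every path that reaches an affected component."""
    sbom = json.loads(sbom_json)
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}
    for comp in sbom["components"]:
        graph.setdefault(comp["purl"], [])           # leaf components with no declared dependencies
    depended_on = {child for children in graph.values() for child in children}
    roots = [ref for ref in graph if ref not in depended_on]
    paths = []
    def walk(ref, path):
        path = path + [ref]
        if is_affected(ref, advisory):
            paths.append(path)
        for child in graph.get(ref, []):
            if child not in path:                    # guard against cyclic dependency declarations
                walk(child, path)
    for root in roots:
        walk(root, [])
    return paths

def triage_fleet(sboms, advisory):
    """Device id -> dependency paths to the vulnerable component; an empty list means not affected."""
    return {device: vulnerable_paths(doc, advisory) for device, doc in sboms.items()}
```

Running `triage_fleet(SBOMS, ADVISORY)` shows the pump is exposed through `pump-fw -> libhttp -> libtls`, which tells the manufacturer which upstream component needs the patch and the hospital which device to prioritize, while the monitor, already on a fixed version, drops out of the work list.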

One of the main concerns with SBOMs is that they could be used as a roadmap for an attacker to easily identify and exploit vulnerabilities. But NTIA asserted that the benefits of transparency significantly outweigh these concerns.

“Attackers don’t need SBOMs,” NTIA reiterated in an SBOM fact sheet. “Mass, indiscriminate attacks like WannaCry serve to remind us that foreknowledge is not a prerequisite to cause harm.”

In addition, vulnerability disclosures have been required in the industry for years, so any information an attacker might want is already available. This arguably has not given attackers more leverage, and it is outweighed by the benefits of sharing threat information across the healthcare sector.

“SBOMs seek to level the playing field for defenders by providing additional transparency–at enterprise scale–with standard, machine-readable decision support,” NTIA continued.

Others are concerned that the industry lacks the tools necessary to support scalable production and widespread use of SBOMs. However, companies such as Philips and Siemens have already put the theory into practice by delivering SBOMs to their customers.

“Multiple open-source and commercial tools can help builders compile, build, and maintain SBOMs. Many development environments can optionally produce SBOMs at the time the software is compiled,” the npj digital medicine study advised.

“Some code-repository tools monitor component dependencies, provide alerts for security issues in dependencies, or even automatically replace vulnerable dependencies with less vulnerable alternatives. Additionally, some standalone tools offer similar features to those mentioned above.”

Although SBOMs require some upfront investment and work, they have the potential to ease medical device security concerns and increase visibility and transparency across healthcare.

“SBOMs have a role to play in further advancing the public’s trust in connected technologies. An SBOM reveals distinctions among products, allows buyers to better account for total cost and risk, and gives buyers better tools to identify, respond to, and recover from vulnerabilities and their effects,” the study concluded.

“A growing number of regulators, builders, and operators are recognizing the value of SBOMs. All signs point to SBOM being more widely adopted in the coming years, particularly in industries where technology is life-critical and transparency is paramount.”
