Healthcare delivery has never been more connected, or relied on such complex digital supply chains. That also means healthcare delivery providers have never faced a wider attack surface with more interconnected software vulnerabilities or cybersecurity-related risk.
One of the technologies that shows promise in helping the industry to better manage software supply chain security and reduce these risks is a Software Bill of Materials (SBOMs). SBOMs are essentially a structured record that describes the components, libraries, and modules within software. While they can help shore-up software security issues in every industry, healthcare is in an especially acute need because connected healthcare devices tend to remain deployed for decades and patients’ health can be placed at risk if security teams or local IT admins can’t instantly recognize where at-risk software components are deployed within their environment.
“SBOMs are a technology that really needs to happen,” says John Pescatore, director of emerging security trends at the SANS Institute.
“It's really needed, because the modern way of developing software is no longer a team of coders going and writing a bunch of unique code. Instead, they're pulling modules from all over the place. And sometimes they might pull the wrong module that's not up to date. It's really needed to support automated tools that can identify when you have 12 different versions of some library in 12 different applications,” he says.
However, before such capabilities become widely available within healthcare delivery organizations, challenges such as standardization of the naming of components, data sharing and machine-readability across organizations, and implementation costs and complexity must be overcome.
“It's really needed, because the modern way of developing software is no longer a team of coders going and writing a bunch of unique code. Instead, they're pulling modules from all over the place. And sometimes they might pull the wrong module that's not up to date."
— John Pescatore, SANS Institute
And while consensus-building toward data sharing and exchange standards are underway, getting widespread agreement may take time. Christopher Gates, director of product security at therapeutic and diagnostic active medical devices maker, Velentium and author of the book Medical Device Cybersecurity for Engineers and Manufacturers, agrees that it’ll take time to see widespread use of SBOMs, but the benefits will be substantial when the technology can be put to wide use.
“It’s not here yet, but in time it’ll be possible for [healthcare delivery organizations] to incorporate SBOMs with their asset management systems,” says Gates. That way, when a critical vulnerability that’s being actively exploited does arrive, security or admins can quickly vet their environment for vulnerable systems. “That'll let us know, of our 2,000 ventilators, half of them are running this vulnerable version, the other half are not running this vulnerable version. That will enable the provider to take quick action to remediate or reach out to the manufacturer and ask them what they are doing regarding a patch.”
The move to standardize SBOM generation and consumption in healthcare organizations is being conducted by a mix of government mandates, industry guidance, working groups, and competing SBOM standards. For instance, this past December, the Consolidated Appropriations Act, 2023 was signed into law. That act introduced additional medical device manufacturer requirements that make certain such devices meet minimum cybersecurity standards, including that medical device makers submit an SBOM that lists all critical components used by their device including off-the-shelf and open source software to the U.S. Food and Drug Administration. The new law also requires medical device makers monitor, identify, and take steps to correct or mitigate vulnerabilities and exploits for their products after they ship. This includes creating firmware and software updates, and coordinated disclosure efforts.
Following the Consolidated Appropriations Act, 2023 the FDA issued its Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act [.pdf] guidance. That guidance mandates SBOMs be provided for each new medical device software version.
To date, there are three acknowledged standards helping SBOM adoption in healthcare. These include CycloneDX, Software Package Data Exchange (SPDX), and the software identifier format, Software Identification tags (SWID). Each type is machine readable for consumption by related security tools such as asset management systems and vulnerability assessment software and services. More detailed information is available within The Minimum Elements For a Software Bill of Materials (SBOM).
Hopefully in the not-too-distant future, SBOMs will help healthcare delivery organizations to know, at least on their newer equipment, what systems are at risk and what steps they can take for mitigation. “If they have a system on a pole mount or roll away device in a healthcare delivery system, the security engineers will be able to see what software is in that system and know what needs to be updated. And if the situation warrants it, they’ll know whether or not to unplug it or engage with the manufacturer [for a remedy.]”
There are considerable challenges that remain, Gates explains, such as software component naming conventions and device identification. But, he explains, that the healthcare industry does have one advantage over the other 15 critical infrastructure industries.
“The healthcare industry does have an advantage over other industries: unique device identifiers. While this hasn’t been done yet, it has been discussed, and it’s possible to scan those unique device identifiers and link the device with an SBOM, possibly using just a smartphone and instantly identify what you need to know about what’s inside that device,” says Gates.
“There’s a long way to go before we get there, but there’s a lot of people working on these challenges,” Gates says.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.