This is the first in an ongoing series on the growing cybersecurity risks of medical devices.

For years, FDA has talked about the need for a software bill of materials, an electronically readable inventory of third-party components in devices, as a way to address the problem of widespread cyber vulnerabilities.

The SBOM got a major boost with President Joe Biden’s May executive order aimed at bolstering the nation’s cybersecurity posture by, among other actions, enhancing software supply chain security.

Momentum from that order combined with a multi-stakeholder initiative headed by the Department of Commerce’s National Telecommunications and Information Administration, designed to improve software component transparency across several industries including medtech, may have created an inflection point for SBOM.

It’s critical medical device manufacturers provide SBOMs to “better understand exposure to risk of both known and future vulnerabilities in third-party software in legacy devices,” Kevin Fu, acting director of device cybersecurity at the FDA’s Center for Devices and Radiological Health, told MedTech Dive in June.

Many older medical devices in operation today — using outdated or insecure software — were not built with cyber protections in mind. SBOM proponents contend that without such visibility healthcare providers, such as hospitals, are often unaware they’re using devices with components that can be easily exploited by hackers.

By standardizing the process for sharing this data, device users can better understand what exactly is running on their networks and how to safeguard them, according to the rationale.

FDA has supported NTIA’s SBOM effort from its 2018 inception helping to develop the schemas, formats and other outputs from the multi-stakeholder initiative that the National Institute of Standards and Technology could ultimately leverage in its software integrity guidelines in fulfillment of Biden’s executive order.

Suzanne Schwartz, director of CDRH’s Office of Strategic Partnerships and Technology Innovation, told MedTech Dive in August the agency wants to require SBOMs upfront for medtechs as part of their premarket submissions. 

The agency has chosen 2021 to push for requiring SBOM, given Biden’s executive order and growing ransomware and other cyberattacks on healthcare organizations. 

“It doesn’t help for [SBOM] to be held only within the manufacturer’s records but rather where the opportunity for the mitigation of risk is with that transparency,” FDA’s Schwartz said. “The owners and operators of devices be they hospitals, healthcare facilities, providers and patients should have awareness of [SBOM] and that requirement is something we are working towards with respect to a future legislative proposal.” 

However, FDA intends to go beyond just mandating an inventory of third-party software components in devices. 

The HHS fiscal year 2021 congressional budget justification states that FDA is seeking a statutory requirement for a “phased-in approach to a Cybersecurity Bill of Materials (CBOM)” that would include, but would not be limited to, a list of commercial, open source and off-the-shelf software and hardware components “that are or could become susceptible to vulnerabilities.”

The software-focused SBOM would be a part of the larger CBOM requirement, according to FDA, which would include risk management of hardware-centric third-party cybersecurity risks.

What healthcare delivery organizations don’t know about their own medical devices is staggering, putting them at risk from cyberattacks. A recent survey from the Ponemon Institute found only 36% of groups surveyed consider themselves effective in knowing where all medical devices are, while just 35% indicated they know when a device vendor’s operating system is end-of-life or out-of-date.   

Allan Friedman, NTIA’s former director of cybersecurity initiatives and currently with the Cybersecurity and Infrastructure Security Agency, warns that once a vulnerability is discovered the lack of such an inventory of third-party components makes it very difficult for healthcare providers to know which of their medical devices are impacted and how to execute a mitigation strategy.

“You can’t defend what you don’t know about.”

Allan Friedman

Cybersecurity and Infrastructure Security Agency

Friedman credits Biden’s executive order, which will change federal procurement regulations, with “raising the profile” of SBOM and software supply chain transparency as well as “priming the pump” for the active standards that have been developed at NTIA over the past three years. 

Leave a Reply

Your email address will not be published. Required fields are marked *