Are SBOMs moving the needle for improving medical device cybersecurity?

Topics:
Tools & processes
This is some text inside of a div block.
Vulnerability management
This is some text inside of a div block.
Om Mahida
Om Mahida

March 28, 2024

Are SBOMs moving the needle for improving medical device cybersecurity?

By Om Mahida, Medcrypt VP of Product

A common question I hear is “what’s the point of a Software Bill of Materials (SBOMs)”? It’s a really good question, as no one should blindly adopt a new technology with the assumption it will solve all your problems — something SBOMs were never intended to do. SBOMs are like the ingredient lists on a nutrition label, but for the software of a technological device.

SBOMs help increase transparency in a world where supply chain related cybersecurity incidents continue to increase, including the latest cybersecurity incident, the United/Change Health hack, which has thus far impacted millions of Americans and is costing health systems at least $100 million a day in damages.

The root cause seems to be a publicly known vulnerability that was exploited within days of making it to CISA’s KEV list. Would SBOMs have prevented this? Perhaps — but the real solution goes beyond SBOMs and requires healthcare technology companies to shift security “left” (figure 1). Let’s take a step back and rewind the clock a few years to see how we got here.

Figure 1: Understanding the Constraints of Healthcare Cybersecurity by Medcrypt

In 2016, I started focusing on improving cybersecurity in medical devices. I realized if I could help medical devices become more secure, cybersecurity in healthcare would improve, and the burden of cybersecurity on hospitals and patients would lessen. In late 2018, a couple of years into building the Medcrypt platform, we started obsessing over the question, “How can we detect the next Heartbleed”? That’s when we realized we were framing the problem and solution space inaccurately.

The real state of healthcare cybersecurity

First, there are endpoint security tools that can detect security issues once publicly known well. Second — and most importantly — if we tried to detect a vulnerability like Heartbleed, it was already too late. Could we shift left? Was there a way to give device manufacturers visibility into what they were shipping on their devices? What was the root cause? How could they stay ahead of security issues?

We realized a critical flaw in the medical device cybersecurity process: most product teams did not know what dependencies they had shipped and what was still out in the field.

How could they monitor and address vulnerabilities with that limited knowledge? It started to dawn on us that one of the biggest problems was clearly determining the dependencies in a device, a problem we now know as “SBOM generation” — and more importantly, identifying vulnerabilities from SBOMs. In 2018, SBOM was not a known acronym (a lot of people still said S-B-O-M or asked how to spell it), no format had gained traction, and some of us referred to it as a CBOM, or Cybersecurity Bill of Materials. The CBOM includes a software and a hardware bill of materials under one group.

European Commission

Today, the space has undergone significant transformation. Recently in the EU, the policy makers of the Cyber Resilience Act (EU CRA) announced stringent regulations mandating the reporting of new vulnerabilities to national regulators and the European Network and Information Security Agency (ENISA) within 24 hours. This swift action aims to promptly identify and address potentially severe zero-day vulnerabilities. Additionally, the FDA recently implemented requirements for SBOMs in new medical device submissions, marketing a pivotal step taken almost three years after the issuance of the White House’s Executive Order on SBOMs to bolster software supply chain security.

The White House Executive Order on Improving the Nation’s Cybersecurity

While the hype surrounding SBOMs’ necessity is fantastic, it’s essential to acknowledge a potential diversion from the ultimate objection amidst this heightened attention.

What is the end goal?

As a healthcare ecosystem of manufacturers, regulators, clinicians, and patients, we want our software and devices to be updated and patched with security updates on a regular basis to ensure the best possible care. We want an increase in visibility of the dependencies that ship so we can stay on top of upgrades and patches, all to decrease the risk of cybersecurity incidents that could impact patients. These are the goals that have been top of mind at Medcrypt as we’ve built Helm, our SBOM and vulnerability management tool, in addition to our full cybersecurity suite over the past eight years.

Picking the right SBOM tool

With Helm, we focus not only on SBOM management, we help product security teams at medical device manufacturers cut through the high rates of false positives (or even false negatives) that affects most of today’s tooling, decreasing the burden of R&D teams by giving them tools to accelerate triaging vulnerabilities, including:

  • the ability to rescore vulnerabilities at scale — thousands in seconds
  • alerting them of which vulnerabilities pose the highest exploitability risk (they have active exploits and/or are in the CISA KEV catalog)
  • enabling them to easily integrate via an API
  • helping the quality and regulatory teams in documenting how they meet the FDA’s premarket and postmarket cybersecurity requirements.

Helm stands out as the preferred SBOM management tool by consistently identifying a greater number of genuine vulnerabilities pertinent to medical devices compared to other solutions, coupled with an unmatched precision level approximately 20%* higher than industry standards, thus effectively mitigating the risk of false positives becoming an unmanageable burden, especially in contexts where multiple SBOMs with extensive dependencies are involved.

SBOMs represent a pivotal tool in the arsenal of cybersecurity teams, particularly within the healthcare sector. However, the focus of SBOMs should not simply stop at generating and sharing SBOMs. SBOMs need to be utilized fully, and integrated into comprehensive cybersecurity frameworks, to help medical device companies improve their cybersecurity posture.

The right SBOM tool will enhance transparency and accountability, decrease the alert fatigue R&D teams face, safeguard critical infrastructure and patient safety. The healthcare industry needs to ‘shift left’ and embrace SBOMs as catalysts for proactive defense to fortify resilience against cyber threats.

*data on file

Medcrypt is demonstrating an SBOM analysis during the live webinar on April 3, 2024. Register here to reserve your spot and learn more.

Interested in learning more about how Medcrypt helps medical device manufacturers meet regulatory requirements? Contact us at info@medcrypt.com and visit us at medcrypt.com to discover our full suite of medical device cybersecurity products and services.

Related articles

2024 H-ISAC Fall Summit: Cybersecurity in Healthcare with Medcrypt
This is some text inside of a div block.

2024 H-ISAC Fall Summit: Cybersecurity in Healthcare with Medcrypt

Thought leadership
This is some text inside of a div block.
Company
This is some text inside of a div block.
All authors
All authors

The Overlooked Cyber Threat to Diagnostic Devices: Lessons from Synnovis Cyberattack and Beyond
This is some text inside of a div block.

The Overlooked Cyber Threat to Diagnostic Devices: Lessons from Synnovis Cyberattack and Beyond

Tools & processes
This is some text inside of a div block.
Vulnerability management
This is some text inside of a div block.

December 13, 2024

Navigating the Evolving Landscape of Medical Device Cybersecurity
This is some text inside of a div block.

Navigating the Evolving Landscape of Medical Device Cybersecurity

Thought leadership
This is some text inside of a div block.

December 4, 2024

Subscribe to Medcrypt news

Get the latest healthcare cybersecurity news right in your inbox.

We'll never spam you or sell your information