This is the first in an ongoing series on growing medical device cybersecurity risks.
For years the FDA has talked about the need for a software bill of materials (SBOM), a machine-readable inventory of the third-party components in a device, as a means of addressing pervasive cyber vulnerabilities.
SBOM received a major boost with President Joe Biden’s executive order in May aimed at strengthening the country’s cybersecurity posture, among other actions, by improving the security of the software supply chain.
The momentum of this order, combined with a multi-stakeholder initiative led by the Department of Commerce’s National Telecommunications and Information Administration to improve the transparency of software components in several sectors, including medical technology, may have created an inflection point for SBOM.
It is essential that medical device manufacturers provide SBOMs to “better understand the risk exposure of known and future vulnerabilities in third-party software in legacy devices,” Kevin Fu, acting director of medical device cybersecurity at the FDA’s Center for Devices and Radiological Health, told MedTech Dive in June.
Many older medical devices in use today – using outdated or insecure software – were not designed with cyber protections in mind. Supporters of SBOM argue that without such visibility, healthcare providers, such as hospitals, are often unaware that they are using devices with components that can be easily exploited by hackers.
By standardizing how this data is shared, the logic goes, device users can better understand exactly what is running on their networks and how to protect it.
The FDA has supported the NTIA’s SBOM effort since its inception in 2018, helping to develop the blueprints, formats, and other outputs of the multi-stakeholder initiative that the National Institute of Standards and Technology could ultimately leverage in the software integrity guidelines it must produce under Biden’s executive order.
Suzanne Schwartz, director of CDRH’s Office of Strategic Partnerships and Technology Innovation, told MedTech Dive in August that the agency wants to require SBOMs for medical technologies as part of their premarket submissions.
The agency chose 2021 to push for an SBOM requirement given Biden’s executive order and the growing number of ransomware and other cyberattacks against healthcare organizations.
“It doesn’t help for [SBOM] to be kept only on the manufacturer’s records, but rather where the opportunity to mitigate risk lies in that transparency,” said FDA’s Schwartz. “The owners and operators of devices, whether they are hospitals, healthcare establishments, providers and patients [SBOM] and this requirement is something we are working on with regard to a future legislative proposal.”
However, the FDA intends to go beyond simply requiring an inventory of third-party software components in devices.
The HHS fiscal 2021 Congressional Justification says the FDA is seeking a legal requirement for a “progressive approach to a cybersecurity bill of materials (CBOM)” that would include, but not be limited to, a list of open source and off-the-shelf software and hardware components “that are or could become susceptible to vulnerabilities.”
The software-focused SBOM would be part of the broader CBOM requirement, according to the FDA, which would include the management of hardware-centric third-party cybersecurity risks.
What healthcare delivery organizations don’t know about their own medical devices is staggering, and it puts them at risk of cyberattacks. A recent survey by the Ponemon Institute found that only 36% of groups polled consider themselves good at knowing where all their medical devices are located, while only 35% said they know when a device’s vendor-supplied operating system has reached end of life or is obsolete.
Allan Friedman, former director of cybersecurity initiatives at NTIA and now with the Cybersecurity and Infrastructure Security Agency, warns that once a vulnerability is discovered, the lack of such an inventory of third-party components makes it very difficult to determine which healthcare providers are impacted and how to execute a mitigation strategy.
“You can’t stand up for what you don’t know.”
Cybersecurity and Infrastructure Security Agency
Friedman credits Biden’s executive order, which will amend federal procurement regulations, with “raising the profile” of SBOM and software supply chain transparency and with “pump priming” the standards developed at NTIA over the past three years.
When asked whether the FDA requiring SBOMs as part of premarket submissions is a good idea, Friedman declined to answer. However, he argued that understanding “what’s under the hood” of a medical device allows healthcare providers to quickly determine whether or not they are affected by newly discovered cyber vulnerabilities.
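As an added illustration of the triage Friedman describes (this is not code from the article, the FDA, NTIA or any manufacturer), the script below reads per-device SBOMs in a simplified CycloneDX-like JSON shape and, for one advisory, sorts a fleet into affected, not affected, and unknown, the last bucket being devices for which no SBOM exists at all. Every device name, component name, version and advisory identifier is a constructed placeholder.

```python
import json
from typing import Dict, List, Tuple

# Constructed, simplified SBOMs in a CycloneDX-like JSON shape. Device and
# component names are hypothetical; they describe no real product or flaw.
FLEET_SBOMS: Dict[str, str] = {
    "infusion-pump-A": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "example-tls", "version": "1.0.2"},
        {"name": "example-shell", "version": "1.31.1"}]}),
    "patient-monitor-B": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "example-tls", "version": "3.0.7"},
        {"name": "example-zip", "version": "1.2.11"}]}),
}
# A legacy device seen on the network for which no SBOM was ever provided.
DEVICES_WITHOUT_SBOM: List[str] = ["legacy-imaging-C"]

# Constructed advisory (placeholder id): versions of the named component
# older than "fixed_in" are considered affected.
ADVISORY = {"id": "ADV-PLACEHOLDER-0001", "component": "example-tls", "fixed_in": "1.1.1"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple (toy scheme)."""
    return tuple(int(p) for p in v.split("."))


def load_components(sbom_json: str) -> List[Tuple[str, str]]:
    """Extract (name, version) pairs from a CycloneDX-like SBOM document."""
    doc = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in doc.get("components", [])]


def is_affected(components: List[Tuple[str, str]], advisory: dict) -> bool:
    """True if any listed component matches the advisory below the fixed version."""
    fixed = parse_version(advisory["fixed_in"])
    return any(name == advisory["component"] and parse_version(ver) < fixed
               for name, ver in components)


def triage(advisory: dict, sboms: Dict[str, str], without_sbom: List[str]) -> Dict[str, List[str]]:
    """Sort the fleet into affected / not_affected / unknown for one advisory.
    Devices with no SBOM cannot be assessed either way, so they stay unknown."""
    result: Dict[str, List[str]] = {"affected": [], "not_affected": [], "unknown": list(without_sbom)}
    for device, sbom in sboms.items():
        bucket = "affected" if is_affected(load_components(sbom), advisory) else "not_affected"
        result[bucket].append(device)
    return result


if __name__ == "__main__":
    print(triage(ADVISORY, FLEET_SBOMS, DEVICES_WITHOUT_SBOM))
```

The "unknown" bucket is the operational cost of a missing inventory: those devices need manual investigation before anyone can say whether a mitigation applies.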
Roadmap for hackers or defenders?
The SBOM concept relies on third-party component information held in a machine-readable format that can be easily shared with healthcare providers, among other stakeholders. But that same data could potentially be accessed and exploited by cybercriminals, making a medical device more vulnerable to attack.
At least that’s what the medical device industry fears.
“There are some safeguards that we just want to make sure, from a common sense perspective, are in place. In the context of the show SBOM, they really should be in a secure environment so that the general public simply cannot access them,” said Zach Rothstein, AdvaMed vice president for technology and regulatory affairs.
While the NTIA calls it a misconception and a common concern, the agency acknowledges that theoretically such a scenario is possible because “all information is a double-edged sword.”
The agency argues that “the defensive benefits of transparency far outweigh this common concern, as SBOMs serve more as a ‘roadmap for the defender’” than as a dangerous source of sensitive data that hackers could use to target medical devices.
The FDA’s 2018 Medical Device Safety Action Plan warned industry that the agency was considering requiring companies to develop SBOMs as part of premarket submissions and to make them available to healthcare users.
AdvaMed official comments questioned the benefits of SBOMs given the inherent risks of information falling into the wrong hands, and warned that the burden of implementation on healthcare providers was too great.
The lobby also said it was concerned about the lack of proper controls around the sharing and maintenance of SBOM, warning that if the electronically readable documents were stored in a central, publicly accessible database, it could allow hackers to know what software is running in a device and expose patients to potential harm.
“There may be a period during which a device could be exposed to an increased risk of exploitation after a vulnerability is discovered – until it is mitigated – if the information in a SBOM is obtained by an infamous actor,” AdvaMed warned.
AdvaMed recommended that “limitations be placed on access to SBOM information, such as allowing only hospital network operators to access information” to “ensure that appropriate risk management is in place and unintended consequences are mitigated.”
The NTIA seems open to this type of access control, having built it into the agency’s guidelines, published in July, on the minimum elements of an SBOM.
“Many vendors, including open source maintainers and those with widely available software, may think their interests are best served by SBOM public data. Other organizations, especially at the beginning, may wish to keep this data confidential and limit access to specific customers or users,” NTIA states.
Overall, Rothstein says the medical technology industry supports SBOM “as a general proposition”, particularly as a potential solution to help defend older medical devices from growing cyber threats.
But AdvaMed also wants to see uniform standards to ensure that device manufacturers provide the same information and “don’t have to create 10 different versions of the same document” to meet SBOM requirements, according to Rothstein.
Ultimately, NTIA concludes that if SBOMs are to be implemented successfully across many sectors, this will require both general rules and policies and specific areas of flexibility.
Friedman recognizes the fundamental tension that exists “between the advantages of a one-size-fits-all approach” to SBOM, which “more easily adapts and facilitates tool and policy development,” and “sector specific” formulations for industries such as medical technology, which remain to be developed.