With examples from recent cyberattacks, a white paper from MedCrypt analyzes the history and use-cases of the software bill of materials as well as the challenges of implementing new security measures.

MedCrypt Inc., a cybersecurity solution provider for medical devices and manufacturers, has released a white paper on the digital transformation of the healthcare industry and the value of software transparency. Using examples from recent healthcare attacks, the paper analyzes the history and use-cases of the software bill of materials (SBOM) and the challenges organizations face in implementing new security measures.

Titled “Benefiting from Software Transparency: From SBOM to vulnerability management,” the white paper explores the evolution of medical device development and explains why traditional engineering tools lack the ability to address the entire range of security processes requirements—premarket through postmarket—set by the U.S. FDA.

“The healthcare industry understands the importance and increased need for better security measures, but in the wake of an ongoing global crisis, efforts and resources are focused on the continued care of patients,” says Mike Kijewski, CEO of MedCrypt. “Organizations are in need of support in order to create a security strategy quickly, and MedCrypt’s newly-launched consulting services are meant to act as that resource to help organizations reach regulatory compliance now.”

SBOMs are the food labels of the tech world—a complete list of every “ingredient” in a piece of software that uniquely identifies each component, including the version and other relevant descriptors, where applicable. In the United States, the FDA has signaled its plan to require SBOMs and timely patching from all manufacturers, as the regulatory body has requested an incremental budget and increased regulatory authority.

“The healthcare industry is moving from a pre-SBOM world toward a future where SBOMs are ubiquitous, and vulnerabilities are monitored and disclosed in a way that’s efficient and scalable,” says Shannon Lantzy, MedCrypt’s vice president of consulting. “Every MDM [medical device manufacturer] we speak to is at a different stage in the SBOM journey. Some are focusing on vulnerabilities in the premarket stage, while others are focused on postmarket management. All want to reduce the burden of manually dispositioning vulnerabilities. Our consulting services will help MDMs identify weaknesses in their current processes, as well as the best path to scale.”

For organizations, the integration of SBOMs across product life cycles comes with many challenges, ranging from inconsistent software component naming to the management of the complexities of the SBOM itself, to organizational challenges such as determining which groups are responsible for vulnerability identification, disposition, mitigation, and disclosure.

On November 1, MedCrypt began offering “SBOM Readiness Lightning Assessment” sessions to the first five medical device manufacturers who reach out via email ([email protected]). The purpose of the sessions is to identify gaps in current vulnerability management programs and provide recommendations on steps toward becoming SBOM-ready and optimizing to scale.

Last month, MedCrypt announced the launch of its suite of consulting services. Combining cybersecurity with management consulting, decision science, and regulatory strategy, MedCrypt offers MDMs help with every part of the process from business strategy to product architecture assessments, process reengineering to change management, and threat modeling to regulatory strategy.