The guidance promotes the use of a Software Bill of Materials to increase transparency in the software supply chain, impacting medical device security and vulnerability management.
A group of US and international cybersecurity agencies has released joint guidance outlining the use of a software bill of materials, or SBOM, to help organizations strengthen cybersecurity and reduce risk in their software supply chain.
The guidance, published Sept 3 by the US Cybersecurity and Infrastructure Security Agency, the National Security Agency, and agencies from 15 other countries, presents an SBOM as a formal record of the components used in building a piece of software—essentially a “list of ingredients.” According to the guidance, widespread adoption of SBOMs will strengthen security, reduce risk, and decrease costs for organizations that produce, choose, and operate software.
“Whether it’s an application used on a computer or the software that runs a medical device, most software incorporates components to accomplish specific tasks,” says Scott Gee, American Hospital Association deputy national advisor of cybersecurity and risk, in an announcement. “It is critical to understand what components are used in a piece of software because if a flaw is discovered in any, it could make the entire piece of software—and the organization’s network—vulnerable to attack. Without an SBOM, an organization would have no way to determine that the vulnerable component was present in their systems.”
Improving Vulnerability Management
A primary benefit outlined in the document is better vulnerability management. With SBOM data, software operators can match every component a device ships with, including those pulled in indirectly by other components, against known-vulnerability data and watch for newly disclosed flaws. That transparency speeds up the response to security risks and lets teams apply narrower, more targeted mitigations.
The guidance points to the 2021 Log4Shell vulnerability (CVE-2021-44228 in the Apache Log4j library) as an example where organizations with SBOMs had a more straightforward and efficient response. Because the vulnerable library was often a dependency of other dependencies rather than something an organization had chosen directly, it was difficult to identify manually. Organizations with an SBOM were able to quickly determine whether their systems were affected. For healthcare technology management (HTM) teams, this capability could significantly reduce the time needed to assess and patch a hospital’s fleet of connected medical devices after a vulnerability is disclosed.
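The matching step described above, and the transitive case that made Log4Shell hard to find by hand, can be shown with a short script. This is an added example, not code from the joint guidance or from any agency or vendor: it reads a small, constructed CycloneDX-style SBOM embedded in the file, checks each component against a hand-written stand-in for a vulnerability feed, and reports the dependency path through which each affected component entered the product. Only the CVE-2021-44228 entry refers to a real advisory; the "demo-app" component, its "report-lib" and "net-client" dependencies, and the "EXAMPLE-0001" advisory are invented for illustration.

```python
"""Match the components in a CycloneDX-style SBOM against a list of known
vulnerabilities and report the dependency path to each affected component.

Added illustrative example; not code from the joint guidance or from CISA/NSA.
The SBOM and the advisory list below are constructed for the demonstration.
"""
import json
from collections import deque

# Constructed CycloneDX 1.x-style SBOM containing only the fields used here.
# The application depends on "report-lib", which in turn pulls in log4j-core
# 2.14.1, so the vulnerable library is two hops from the product itself.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "app", "name": "demo-app", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "pkg:maven/org.example/report-lib@3.2.0", "group": "org.example",
     "name": "report-lib", "version": "3.2.0"},
    {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"bom-ref": "pkg:maven/org.example/net-client@5.0.2", "group": "org.example",
     "name": "net-client", "version": "5.0.2"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:maven/org.example/report-lib@3.2.0",
                                 "pkg:maven/org.example/net-client@5.0.2"]},
    {"ref": "pkg:maven/org.example/report-lib@3.2.0",
     "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
    {"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "dependsOn": []},
    {"ref": "pkg:maven/org.example/net-client@5.0.2", "dependsOn": []}
  ]
}
"""

# Hand-written stand-in for a vulnerability feed: (group, name) -> advisories,
# each with a half-open affected range [introduced, fixed).  The Log4Shell
# range is simplified (2.0 to 2.15.0); the EXAMPLE-0001 entry is hypothetical
# and is already fixed in the shipped net-client 5.0.2.
ADVISORIES = {
    ("org.apache.logging.log4j", "log4j-core"): [
        {"id": "CVE-2021-44228", "introduced": "2.0", "fixed": "2.15.0"},
    ],
    ("org.example", "net-client"): [
        {"id": "EXAMPLE-0001", "introduced": "5.0.0", "fixed": "5.0.1"},
    ],
}


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple.  A pre-release
    qualifier such as '2.0-beta9' is dropped, which treats pre-releases as the
    base version (a conservative over-approximation).  Real tooling should use
    the ecosystem's own version ordering."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def is_affected(version, advisory):
    """True when version falls inside the advisory's [introduced, fixed) range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_vulnerable_paths(sbom):
    """Breadth-first walk of the dependency graph from the root component.
    Returns one finding per affected component, with the shortest path of
    component names from the product down to it."""
    components = {c["bom-ref"]: c for c in sbom.get("components", [])}
    root = sbom["metadata"]["component"]
    components[root["bom-ref"]] = root
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}

    findings = []
    seen = set()
    queue = deque([(root["bom-ref"], [root["name"]])])
    while queue:
        ref, path = queue.popleft()
        if ref in seen:
            continue  # diamond dependency: keep only the first (shortest) path
        seen.add(ref)
        comp = components.get(ref, {})
        key = (comp.get("group", ""), comp.get("name", ""))
        for advisory in ADVISORIES.get(key, []):
            if is_affected(comp.get("version", "0"), advisory):
                findings.append({
                    "advisory": advisory["id"],
                    "component": comp["name"],
                    "version": comp["version"],
                    "path": path,
                    "depth": len(path) - 1,  # 0 = the product itself
                })
        for child in edges.get(ref, []):
            child_name = components.get(child, {}).get("name", child)
            queue.append((child, path + [child_name]))
    return findings


def scan(sbom_json=SBOM_JSON):
    """Parse the SBOM text and return the list of findings."""
    return find_vulnerable_paths(json.loads(sbom_json))


if __name__ == "__main__":
    for f in scan():
        print(f"{f['advisory']}: {f['component']} {f['version']} via {' -> '.join(f['path'])}")
```

Running the script reports the single affected component together with the chain that brought it in (demo-app -> report-lib -> log4j-core), which is exactly the information an operator lacks without an SBOM; net-client is skipped because its shipped version is past the advisory's fixed version.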
Informing Procurement and Operations
The guidance emphasizes the value of SBOMs for both “choosers” and “operators” of software—roles often filled by HTM professionals. When procuring new equipment, the ability of a manufacturer to provide an SBOM can help inform risk-based purchasing decisions.
Once a device is deployed, an SBOM allows operators to better understand their exposure to newly identified risks. This visibility helps teams triage which devices and clinical functions must be addressed first. When a patch is not immediately available, security teams can use the information to implement other precautions, such as network isolation or other compensating controls. The document states that by implementing and using SBOMs, organizations can lower costs associated with managing components and reduce downtime spent responding to vulnerabilities.