Jul 10 2023

5 Questions About SBOMs for Healthcare Organizations

What is a software bill of materials, or SBOM, and what does it mean for connected medical device security?

The software bill of materials is emerging as a key ingredient for healthcare organizations to ensure medical device security and supply chain management.

The SBOM, a “list of ingredients that make up software components,” as defined by the U.S. Cybersecurity and Infrastructure Security Agency, helps identify software in connected medical devices such as insulin pumps and MRI machines that contains security vulnerabilities. If left unmitigated, these can be exploited by malicious actors to disrupt care delivery.

Here’s what healthcare organizations need to know about how SBOMs fit into an overall security plan, and why a mature security program must keep up with finding and patching the latest vulnerabilities. 


1. What is a Software Bill of Materials? Why is it Important?

An SBOM is a list of all the components that make up a specific piece of software, including their dependencies, origins and update history. Because 75 percent of code bases are composed of open-source software, the exact components are often unknown. Yet when a critical vulnerability is discovered, organizations must quickly determine whether the affected component appears anywhere in their software systems.

2. What Are the Benefits of SBOM Adoption for Healthcare?

Cyberattacks on healthcare organizations can have devastating results. A recent Proofpoint study suggests that cyberattacks can have a serious impact on patient care and outcomes. A single vulnerability in a software component can have a profound impact on patient health, privacy and safety. SBOMs make it easier for organizations to find out if their code is affected by a critical vulnerability and prioritize patching it.

3. How Can SBOMs Improve Medical Device Security?

Healthcare relies on connected medical devices, such as pacemakers and insulin pumps. But 53 percent of devices have known critical vulnerabilities that can enable malicious actors to access the provider’s network. SBOMs provide visibility into which components are affected, creating a roadmap to quickly identify which devices are at risk and mitigate any critical vulnerabilities.


4. Can SBOMs Play a Role in Supply Chain Security? 

SBOMs help the buyer, the manufacturer and the end user. They facilitate open communication about vulnerabilities across the entire medical device supply chain, giving developers the information they need to track supply chain relationships. By providing transparency, SBOMs lead to faster vulnerability identification and remediation, reducing cybercriminals’ ability to carry out attacks via connected devices. And they do this without significantly increasing software production costs.

5. What Are Some SBOM Regulations and Standards?

Updated U.S. Food and Drug Administration guidance requires new medical device applicants to provide SBOMs for each new software version. There are three accepted formats for SBOMs: CycloneDX, Software Package Data Exchange (SPDX) and Software Identification tags (SWID), all readable by tools such as vulnerability scanners. Guidance regarding what to include can be found in “The Minimum Elements For a Software Bill of Materials (SBOM)” published in response to the White House’s cybersecurity executive order.
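The workflow described in sections 1, 3 and 5 (read each device's SBOM, match its components against a vulnerability feed, and rank the devices that need patching) can be shown in a few lines of code. The following is an added illustration, not code from the article, the FDA or any SBOM tooling vendor. It assumes a CycloneDX JSON document with a "components" array of name/version/purl entries; the fleet, the SBOMs and the advisory feed are constructed sample data, and every advisory ID is a placeholder rather than a real CVE. The introduced/fixed version-range style of the advisories is an assumption modelled on OSV-style feeds.

```python
"""Match CycloneDX-style SBOMs against a vulnerability feed, per device.

Added illustration, not code from the article, the FDA or any SBOM vendor.
Assumptions: a real CycloneDX JSON document carries a "components" array with
"name", "version" and "purl"; the advisory records below mimic the
introduced/fixed version ranges used by OSV-style feeds. All data is constructed
and every advisory ID is a placeholder, not a real CVE.
"""
import json

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def make_sbom(device_name, device_version, components):
    """Build a minimal CycloneDX 1.4-style SBOM as a JSON string (constructed data)."""
    return json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "metadata": {"component": {"name": device_name, "version": device_version}},
        "components": [
            {"type": "library", "name": n, "version": v, "purl": f"pkg:generic/{n}@{v}"}
            for n, v in components
        ],
    })


# Constructed fleet: two hypothetical devices, each shipping its own SBOM.
FLEET = {
    "infusion-pump-07": make_sbom("infusion-pump-firmware", "3.2.1",
                                  [("openssl", "1.1.1k"), ("zlib", "1.2.11"), ("busybox", "1.33.0")]),
    "mri-console-02": make_sbom("mri-console-os", "5.0.0",
                                [("openssl", "3.0.7"), ("zlib", "1.2.10")]),
}

# Constructed advisory feed with placeholder IDs (not real CVEs).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "openssl", "introduced": "1.1.1", "fixed": "1.1.1l", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0002", "package": "zlib", "introduced": "1.2.0", "fixed": "1.2.11", "severity": "high"},
    {"id": "ADV-EXAMPLE-0003", "package": "busybox", "introduced": "1.30.0", "fixed": None, "severity": "medium"},
]


def parse_version(text):
    """Turn '1.1.1k' into ((1, ''), (1, ''), (1, 'k')) so tuples compare in order."""
    parts = []
    for piece in text.split("."):
        digits = ""
        while piece and piece[0].isdigit():
            digits += piece[0]
            piece = piece[1:]
        parts.append((int(digits) if digits else 0, piece))
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (fixed=None means no fix released)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def parse_components(sbom_json):
    """Extract (name, version) pairs from a CycloneDX JSON document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [(c["name"], c["version"]) for c in doc.get("components", [])]


def find_affected(sbom_json, advisories):
    """Return findings for one SBOM, most severe first."""
    findings = []
    for name, version in parse_components(sbom_json):
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"component": name, "version": version,
                                 "advisory": adv["id"], "severity": adv["severity"]})
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


def devices_at_risk(fleet, advisories):
    """Map each device ID to its findings, listing devices with the worst finding first."""
    results = {dev: find_affected(sbom, advisories) for dev, sbom in fleet.items()}
    return dict(sorted(((d, f) for d, f in results.items() if f),
                       key=lambda item: SEVERITY_RANK[item[1][0]["severity"]]))


if __name__ == "__main__":
    for device, findings in devices_at_risk(FLEET, ADVISORIES).items():
        for f in findings:
            print(f"{device}: {f['component']} {f['version']} -> {f['advisory']} ({f['severity']})")
```

Run as a script, it lists the infusion pump first (its OpenSSL build falls inside the critical range) and the MRI console second (an older zlib in the high range), while the pump's zlib 1.2.11 is correctly excluded because it equals the fixed version. Real feeds and SBOMs add complications this sketch sets aside: package identity should be matched on the PURL or CPE rather than a bare name, version schemes vary by ecosystem, and an SBOM lists what was built in, not whether the device is actually exposed, so findings still need triage against the device's configuration.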

