1. What is a Software Bill of Materials? Why is it Important?
An SBOM is a list of all the tools used in a specific piece of software, including dependencies, origins and update history. Because 75 percent of code bases are composed of open-source software, the exact components are often unknown. Yet when a critical vulnerability is discovered, organizations must quickly determine if it appears anywhere in their software systems.
2. What Are the Benefits of SBOM Adoption for Healthcare?
Cyberattacks on healthcare organizations can have devastating results. A recent Proofpoint study suggests that cyberattacks can have a serious impact on patient care and outcomes. A single vulnerability in a software component can have a profound impact on patient health, privacy and safety. SBOMs make it easier for organizations to find out if their code is affected by a critical vulnerability and prioritize patching it.
3. How Can SBOMs Improve Medical Device Security?
Healthcare relies on connected medical devices, such as pacemakers and insulin pumps. But 53 percent of devices have known critical vulnerabilities that can enable malicious actors to access the provider’s network. SBOMs provide visibility into which components are affected, creating a roadmap to quickly identify which devices are at risk and mitigate any critical vulnerabilities.
4. Can SBOMs Play a Role in Supply Chain Security?
SBOMs help the buyer, the manufacturer and the end user. They facilitate open communications regarding vulnerabilities across the entire medical device supply chain, giving developers information needed to track supply chain relationships. By providing transparency, SBOMs lead to faster vulnerability identification and remediation, reducing cybercriminals’ ability to carry out attacks via connected devices. And they do this without significantly increasing software production costs.
5. What Are Some SBOM Regulations and Standards?
Updated U.S. Food and Drug Administration guidance requires new medical device applicants to provide SBOMs for each new software version. There are three accepted formats for SBOMs: CycloneDX, Software Package Data Exchange (SPDX) and Software Identification tags (SWID), all readable by tools such as vulnerability scanners. Guidance regarding what to include can be found in “The Minimum Elements For a Software Bill of Materials (SBOM)” published in response to the White House’s cybersecurity executive order.