SBOMs to play an expanded role in healthcare cybersecurity

The healthcare industry, facing increasing cybersecurity breaches, has prompted the U.S. government to take action with new FDA mandates requiring medical device manufacturers to submit a Software Bill of Materials (SBOM) for pre-market devices.

The Omnibus Appropriations Act of December 2022 authorized the FDA to establish cybersecurity standards for medical devices.(1) 

Under their current mandate, all medical device manufacturers are now required to submit a Software Bill of Materials (SBOM) for their pre-market devices. The new legislation highlights the importance of SBOMs as part of a cybersecurity infrastructure and introduces enhanced protection to healthcare businesses and their patients. 

Cyber Attacks Grow

The new legislation comes after a number of cybersecurity incidents in the healthcare sector. According to reports, healthcare cyber attacks in the U.S. more than doubled from 2016 to 2021, putting medical devices at risk and exposing the private health information of nearly 42 million people.(2) 

A number of factors have contributed to the escalating threats: 

●    Value of healthcare data. Healthcare organizations hold a wealth of sensitive and valuable information, including personal health records, financial data and insurance details.

●     Inadequate cybersecurity measures. Many healthcare organizations have historically prioritized patient care and medical operations over cybersecurity, leading to gaps in security measures and outdated systems.

●     Interconnectivity and data sharing. The healthcare industry is increasingly reliant on interconnected systems and data sharing to facilitate patient care, coordination among providers, and access to medical records. This interconnectedness can create entry points for cyberattacks.

●     Human error. With its large workforce and complex operations, healthcare is particularly susceptible to human-related vulnerabilities. This includes falling victim to phishing attacks, using weak passwords, improper handling of data or accidental disclosure of sensitive information.

●     Insider threats, Employees or contractors may pose insider threats by exposing sensitive information. Insider threats can arise from lack of awareness, inadequate training, or malicious intent.

●     Ransomware attacks: Cybercriminals use ransomware to encrypt critical healthcare systems and data, demanding ransom payments in exchange for restoring access. The urgency of patient care and the potential impact on patient safety make healthcare organizations more likely to pay the ransom. 

Healthcare cybersecurity breaches can cause catastrophic damage to organizations and compromise patient privacy and safety. Medical devices, including pacemakers, defibrillators, mobile cardiac telemetry, and insulin pumps can be compromised by cybercriminals, leading to falsified monitor readings, wrong diagnoses, or drug overdoses, among other risks.(3) 

Additionally, security threats can cause massive direct and indirect financial losses, reputation damage, and disruptions in patient care. Not to mention, organizations may face costly regulatory and legal consequences. 

It’s no surprise that given the above, along with an evolving threat landscape, the U.S. government is taking action. The latest legislation will force healthcare organizations to keep pace with the latest cybercriminal tactics. One essential countermeasure is the inclusion of SBOMs.

What is an SBOM?

An SBOM is an inventory that provides detailed information about the various software components, libraries, frameworks, and dependencies in a particular software product. 

It includes details such as the names and versions of the components, their suppliers or vendors, licensing information, and any known vulnerabilities associated with them. In short, the SBOM serves as a record of the software's building blocks, enabling organizations to better manage and secure their software supply chain. 

The U.S. government previously acknowledged the significance of SBOMs in enhancing software security and has prioritized their adoption in initiatives like the National Telecommunications and Information Administration (NTIA) to bolster software supply chain security. By mandating SBOMs, the government aims to improve supply chain security, enable better risk assessment, and facilitate prompt vulnerability management as part of its effort to strengthen the cybersecurity infrastructure of healthcare organizations. 

In addition to the benefits above, the implementation of SBOMs brings several other advantages to the healthcare sector. 

One crucial aspect is the enhanced collaboration and information sharing among stakeholders. By having access to comprehensive SBOMs, healthcare organizations can engage in productive discussions with software developers and vendors, fostering a collaborative approach to addressing security vulnerabilities. Such an exchange of information promotes knowledge sharing and best practices as well as continuous improvements in software security.