What’s under the hood of a medical device? Software bill of materials hits inflection point
This is the first in an ongoing series on the growing cybersecurity risks of medical devices.
For years, FDA has talked about the need for a software bill of materials, an electronically readable inventory of third-party components in devices, as a way to address the problem of widespread cyber vulnerabilities.
The SBOM got a major boost with President Joe Biden’s executive order in MY aimed at bolstering the nation’s cybersecurity posture by, among other actions, enhancing software supply chain security.
Momentum from that order combined with a multi-stakeholder initiative headed by the Department of Commerce’s National Telecommunications and Information Administration, designed to improve software component transparency across several industries including medtech, may have created an inflection point for SBOM.
It’s critical medical device manufacturers provide SBOMs to “better understand exposure to risk of both known and future vulnerabilities in third-party software in legacy devices,” Kevin Fu, acting director of device cybersecurity at the FDA’s Center for Devices and Radiological Health, told MedTech Dive in June.
Many older medical devices in operation today — using outdated or insecure software — were not built with cyber protections in mind. SBOM proponents contend that without such visibility, healthcare providers, such as hospitals, are often unaware they’re using devices with components that can be easily exploited by hackers.
By standardizing the process for sharing this data, device users can better understand what exactly is running on their networks and how to safeguard them, according to the rationale.
FDA has supported NTIA’s SBOM effort from its 2018 inception helping to develop the schemas, formats and other outputs from the multi-stakeholder initiative that the National Institute of Standards and Technology could ultimately leverage in its software integrity guidelines in fulfillment of Biden’s executive order.
Suzanne Schwartz, director of CDRH’s Office of Strategic Partnerships and Technology Innovation, told MedTech Dive in August the agency wants to require SBOMs upfront for medtechs as part of their premarket submissions.
“It doesn’t help for [SBOM] to be held only within the manufacturer’s records but rather where the opportunity for the mitigation of risk is with that transparency,” FDA’s Schwartz said. “The owners and operators of devices be they hospitals, healthcare facilities, providers and patients should have awareness of [SBOM] and that requirement is something we are working towards with respect to a future legislative proposal.”
However, FDA intends to go beyond just mandating an inventory of third-party software components in devices.
The HHS fiscal year 2021 congressional budget justification states that FDA is seeking a statutory requirement for a “phased-in approach to a Cybersecurity Bill of Materials (CBOM)” that would include, but would not be limited to, a list of commercial, open source and off-the-shelf software and hardware components “that are or could become susceptible to vulnerabilities.”
The software-focused SBOM would be a part of the larger CBOM requirement, according to FDA, which would include risk management of hardware-centric third-party cybersecurity risks.
What healthcare delivery organizations don’t know about their own medical devices is staggering, putting them at risk from cyberattacks. A recent survey from the Ponemon Institute found only 36% of groups surveyed consider themselves effective in knowing where all medical devices are, while just 35% indicated they know when a device vendor’s operating system is end-of-life or out-of-date.
Allan Friedman, NTIA’s former director of cybersecurity initiatives and currently with the Cybersecurity and Infrastructure Security Agency, warns that once a vulnerability is discovered, the lack of such an inventory of third-party components makes it very difficult for healthcare providers to know which of their medical devices are impacted and how to execute a mitigation strategy.
“You can’t defend what you don’t know about.”
Cybersecurity and Infrastructure Security Agency
Friedman credits Biden’s executive order, which will change federal procurement regulations, with “raising the profile” of SBOM and software supply chain transparency as well as “priming the pump” for the active standards that have been developed at NTIA over the past three years.
Asked if FDA requiring SBOMs to be submitted as part of premarket submissions is a good idea, Friedman declined to answer. However, he made the case that understanding “what’s under the hood” of a medical device allows healthcare providers to determine quickly of whether they are affected by newly discovered cyber vulnerabilities.
Roadmap for hackers or defenders?
The SBOM concept is predicated on third-party component information contained in a machine-readable format that can be easily shared with healthcare providers, among other stakeholders. But the data could also be potentially accessed and exploited by cybercriminals and in the process actually make a medical device more vulnerable to an attack.
At least, that is what the medical device industry fears.
“There are certain guardrails that we just want to make sure from a common sense perspective are in place. In the context of issuing SBOMs, they really should be in a secure environment so that the general public just can’t access them,” said Zach Rothstein, AdvaMed’s vice president for technology and regulatory affairs.
While NTIA calls it a common misconception and concern, the agency acknowledges that theoretically such a scenario is possible as “all information is dual-edged.”
The agency contends that the “defensive benefits of transparency far outweigh this common concern as SBOMs serve more as a ‘roadmap for the defender'” rather than being a dangerous source of sensitive data for hackers to use to target medical devices.
FDA’s 2018 Medical Device Safety Action Plan put the industry on notice that it was mulling requiring companies to develop SBOMs as part of premarket submissions and to make them available to healthcare users.
AdvaMed’s formal comments questioned the benefits of SBOMs given the the inherent risks of information getting into the wrong hands and warned that the burden of implementation for healthcare providers was too great.
The lobby also said it was concerned about the lack of proper controls around the sharing and maintenance of SBOMs, warning that if the electronically readable documents were stored in a publicly available central database it could allow hackers to learn which software is operating within a device and expose patients to potential harm.
“There may be a period of time in which a device could be at heightened risk for exploitation after the discovery of a vulnerability — until it is mitigated — if the information contained in an SBOM is obtained by a nefarious actor,” AdvaMed warned.
AdvaMed recommended that “limitations should be imposed on the access to SBOM information, such as permitting only hospital network operators access to the information” in order to “ensure appropriate risk management is in place and unintended consequences are mitigated.”
NTIA seems open to this kind of access control having made it a part of the agency’s guidelines issued in July for the minimum elements of an SBOM.
“Many suppliers, including open source maintainers and those with widely available software, may feel their interests are best served by making SBOM data public. Other organizations, especially at first, may wish to keep this data confidential, and limit access to specific customers or users,” NTIA states.
Overall, Rothstein says that the medtech industry is supportive “as a general proposition” of SBOM, particularly as a potential solution in helping to defend older legacy medical devices against growing cyber threats.
But AdvaMed also wants to see uniform standards to ensure device manufacturers provide the same information and “don’t have to create 10 different versions of the same document” to meet the SBOM requirement, according to Rothstein.
Ultimately, NTIA concludes that if SBOMs are to be successfully implemented across many industries it will require both broad rules and policies, as well as specific areas of flexibility.
Friedman acknowledges this fundamental tension that exists “between the benefits of a one-size-fits-all approach” to SBOM that “scales more easily and makes it easier to build out tools and policies” versus “sector-specific” formulations for industries such as medtech that remain to be worked out.