SBOMs and medical devices: An essential step — but no security cureall

The U.S. Federal Government has been hard at work releasing a plethora of guidelines — and mandates — concerning software supply chain security. The initiatives have been aimed at government institutions, their contractors, and those responsible for critical infrastructure. Now, securing the health care system’s software supply chain is front and center.

In September 2023, the Food and Drug Administration (FDA) issued their final version of “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” The guidance corresponds to the 2023 Consolidated Appropriations Act, H.R. 2617 (PDF), which calls on the FDA to acquire attestations from medical device manufacturers (MDMs) regarding their products’ cybersecurity. Manufacturers need to use the FDA guidance to submit information regarding their product’s risk mitigation efforts, use of secure development processes, plus a software bill of materials (SBOM).

Here’s what the new FDA guidelines mean, how MDMs can keep up — and what the future looks like for software supply chain security in the health care sector.

Join ConversingLabs Live with Kevin Fu: Securing Medical Devices with SBOMs

Securing medical devices is a no-brainer

The 2023 Consolidated Appropriations Act and the FDA’s “Cybersecurity in Medical Devices” guidance shouldn’t come as a shocker to the health care industry, given the vast amount of cyber attacks that have targeted health care systems, in addition to the growing threat of cyber criminals taking advantage of vulnerable medical devices.

These concerns have been growing within the federal government for years. The National Telecommunications and Information Administration (NTIA) in 2018 launched a health care proof of concept (PoC) project led by MDMs and other health care delivery organizations, which examined the feasibility of SBOMs being generated by MDMs and utilized by these organizations as part of operational and risk management approaches for medical devices at their hospitals.

The results of that PoC project, published in 2021 (PDF), generated a wealth of how-to guidance for generating, sharing, and operationalizing SBOMs between MDMs and health care delivery organizations. These results were then factored into the White House’s 2021 Executive Order on Improving the Nation’s Cybersecurity (EO 14028), and related guidance produced by other agencies, such as the Cybersecurity and Infrastructure Security Agency (CISA), which released information last month on the need to secure medical devices.

Kevin Fu, a Professor of Electrical and Computer Engineering at Northeastern University, has been advocating for medical device security for years via his work in both the public and private sectors. In an October 2022 interview with ReversingLabs, Fu stressed that there should be a clear sense of need among MDMs and the rest of the health care industry to use SBOMs to address software supply chain security threats:

If you don't have an ingredient list of the third party software, how can you even begin to answer the question, what risks are we taking? What's the residual risk? What is our plan when software starts to get out of date?

Kevin Fu

This build up of expert consensus over the past six-plus years surrounding the need for SBOM use among MDMs has understandably brought forth this new mandate, to be regulated by the FDA. Now, MDMs and health care delivery organizations alike must comply.

Breaking down the FDA’s guidance

MDMs are already expected to comply with part (f) of Sec. 524B in H.R. 2617, which states that any medical device that meets the legislation’s definition of a “cyber device” - a product that uses software, connects to the internet, or contains any other technological characteristics vulnerable to cybersecurity threats — must submit information to the FDA that includes the following:

• A plan for how the device manufacturer deals with cybersecurity vulnerability and exploit management, including coordinated vulnerability disclosure.
• A list of processes and procedures that provide assurance that the medical device is cybersecure, including postmarket updates for the patching of both unacceptable and critical vulnerabilities.
• An SBOM that includes commercial, open-source, and off-the-shelf software components.
• Any other requirements listed by the FDA that report on the reasonable assurance that “the device and related systems are cybersecure.”

In concert with H.R. 2617, the FDA then released the final version of their “Cybersecurity in Medical Devices” guidance, superseding the agency’s original guidance on the topic released back in 2014. According to the FDA, this guidance is meant to “promote consistency, facilitate efficient premarket review, and help ensure that marketed medical devices are sufficiently resilient to cybersecurity threats,” all while complying with H.R. 2617.

While H.R. 2617 mandates MDMs to now submit such information to the FDA, the “Cybersecurity in Medical Devices” guidance serves only as a list of recommendations for how to comply, and is not absolute. If a manufacturer wishes to comply with H.R. 2617 differently from how the FDA recommends, then the MDM must contact the FDA directly for approval.

SBOMs and health care security: Just the first step

When it comes to software supply chain security, SBOMs are only the first step to ensuring that an organization is protected from software supply chain threats. This means that while this new mandate for MDMs is a huge step in the right direction, the bar will have to continue to rise for MDMs and health care delivery organizations alike when it comes to software supply chain security. What’s next for health care — like the big shift in application security more broadly — is going beyond the detection and mitigation of vulnerabilities to include the other threats posed to health care software supply chains, such as malware, software tampering, and secrets exposure.

Looking to better understand how the health care industry can manage software supply chain security? Join the conversation in our next ConversingLabs Live, which is available on-demand on LinkedIn. Host Paul Roberts interviews the medical device expert Kevin Fu.