Top 5 SBOM tools for medical device software

The last two years saw a staggering 74% surge in cyber-attacks targeting healthcare organizations, while assaults on the software supply chain have increased to an average of 610% annually since 2020. These attacks threaten the functionality and reliability of medical devices and their underlying software, erasing trust in the devices and their manufacturers and damaging brand reputation.

We all know how connected medical devices rely on software and often interface with platforms like computers, or mobile apps for data exchange, exposing them to diverse security vulnerabilities. Unfortunately, many medical device software suppliers are ill-equipped to tackle these security challenges effectively. Hence, the US Department of Health and Human Services (HHS) and the Food and Drug Administration (FDA) have introduced new regulations to increase medical device software suppliers' cybersecurity preparedness.

On May 12, 2021, President Biden signed the Executive Order On Improving the Nation’s Cybersecurity which included a mandate requiring every vendor supplying software to the federal government to furnish a software bill of materials (SBOM) alongside their product.

This directive received significant attention, particularly considering the federal government's substantial annual expenditure of nearly $100 billion on IT services. Emphasis is placed on the SBOM concept and cybersecurity as a whole. 

Nowhere are these concerns more critical than in the medical device industry, where the development of safe and secure software directly impacts lives. Today, let's explore the SBOM and its pivotal role in medical device manufacturing and cybersecurity and finally discuss some top SBOM tools for medical device software.

What is a software bill of materials (SBOM) in medical devices?

The National Telecommunications and Information Administration (NTIA) defines an SBOM as "a formal, machine-readable inventory of software components and dependencies, along with information about those components and their hierarchical relationships."

An SBOM is a comprehensive roster of all components utilized within a particular software application. Typically, this is a combination of proprietary and open-source code, with the SBOM including details such as licenses, versions, and vulnerabilities associated with any open-source code utilized.

The SBOM is a valuable resource for enhancing cybersecurity risk management across the entire Total Product Lifecycle (TPLC) in pre- and post-market activities. During the pre-market phase, medical device manufacturers (MDMs) can leverage SBOM resources to track known software vulnerabilities, thus preventing them from releasing devices with identified cybersecurity risks. In the post-market phase, SBOMs can be utilized by MDMs to supplement vulnerability monitoring processes, aiding in identifying at-risk devices already in circulation.

SBOMs are crucial in improving cybersecurity risk management processes throughout the TPLC, functioning as a primary or secondary resource. The benefits of SBOM implementation extend to the following.

• Swift and comprehensive identification of software components within a device, facilitating proactive risk mitigation measures.
• Enhanced security in software development practices by enabling better-informed decision-making based on comprehensive component insights.
• Increased software composition transparency among vendors and stakeholders, fostering trust and collaboration within the supply chain.

President Biden's executive order tasked the NTIA with establishing a list of minimum required elements for SBOMs, which are now mandatory for software suppliers to provide to the government. These minimum elements are categorized as follows.

• Data Fields: These consist of essential information for each component to be tracked and maintained.
• Automation Support: Organizations are required to offer automation support to ensure that SBOM component data can be generated and interpreted consistently across different entities.
• Practices and Processes: These elements address the necessary steps to integrate the SBOM into an organization's development lifecycle, including how and when to update and deliver the SBOM.

[Recommended Reading: How to Improve Cybersecurity on Your Connected Medical Devices]

Role of SBOMs in Medical Device Risk Management

Cybersecurity is essential for protecting patients, medical professionals, and manufacturers' reputations. Therefore, they must prioritize addressing cybersecurity concerns in medical devices to prevent harm, maintain trust among healthcare providers, and uphold industry standards.

Utilizing SBOM alongside other cybersecurity risk management tools and procedures signified its benefits throughout the Total Product Lifecycle (TPLC). IMDRF N60 mandates SBOM inclusion as part of customer security documentation, enhancing transparency and cybersecurity information disclosure for medical device manufacturers (MDMs) and healthcare providers (HCPs).

SBOM proves invaluable for MDMs and HCPs across various stages of the TPLC. It aids in managing software component end-of-life (EOL) effectively, allowing MDMs to prepare for associated risks and enhance quality control capabilities. Meanwhile, HCPs benefit from increased transparency, enabling them to implement cybersecurity activities tailored to their risk profiles and capabilities.

Providing SBOMs pre-purchase and pre-installation empowers healthcare providers to make informed decisions regarding device deployment and mitigate potential cybersecurity issues associated with outdated software. As SBOM adoption grows, advancements in tooling, services, and cybersecurity maturity will enable HCPs to leverage their full potential, aiding in comprehensive risk assessments.

Moreover, the inclusion of SBOMs in pre-market submissions signals MDMs' commitment to mature cybersecurity practices, facilitating more thorough benefit-risk assessments by regulators. Post-market, SBOM availability assists MDMs, HCPs, and regulators in effectively estimating and addressing threat impacts.

SBOMs serve multiple purposes for various stakeholders:

1. Security Enhancement: Within the healthcare sector, SBOMs offer heightened transparency, empowering medical device manufacturers and healthcare providers to pinpoint vulnerabilities and enhance the monitoring of medical device security. By discerning the software components installed on a device, stakeholders can significantly streamline risk analysis, vulnerability management, and remediation efforts, potentially saving hundreds of hours.

2. Compliance Adherence: Following President Biden's Executive Order, software providers supplying to the federal government must include SBOMs in the federal procurement process, ensuring compliance with regulatory directives.

3. Streamlined Procurement: An increasing trend sees organizations requesting SBOMs during software acquisition and integration processes. Sharing SBOMs fosters greater visibility, transparency, and trust, building stronger relationships between medical device manufacturers and healthcare delivery entities.

Moreover, leveraging SBOMs throughout the total product lifecycle offers an array of benefits:

• Better Component Identification: SBOMs facilitate the identification of software components embedded within a device, contributing to a comprehensive understanding of the device's makeup.
• Improved Vulnerability Detection: SBOMs provide insight into a software application's constituent parts, aiding in identifying suspicious components and vulnerabilities and thereby fortifying security measures.
• Secure Development Practices: SBOMs support more secure software development by equipping developers with critical information about software components and associated risks.
• Efficient Flaw Resolution: With SBOMs in place, addressing security flaws becomes faster and more efficient as stakeholders understand the components involved.
• Better Transparency and Trust: Sharing SBOMs fosters increased transparency among vendors and instills greater trust among consumers, reinforcing the integrity of the supply chain.
• Enhanced Licensing Governance: SBOMs facilitate improved governance over software licenses, ensuring compliance with licensing agreements and regulations.
• Strengthened Supply Chain Resilience: By providing comprehensive insight into software components and dependencies, SBOMs contribute to greater resilience within the supply chain, enabling proactive risk management and mitigation strategies.

Regulations and standards that recommend the use of SBOMs in medical device software

The following regulatory frameworks and standards underscore the critical importance of robust cybersecurity measures, including adopting SBOMs, to ensure medical devices' safety, security, and efficacy throughout their lifecycle.

EO 14028

In response to escalating software supply chain security concerns, US President Biden issued Executive Order (EO) 14028 in 2021. This directive focused on enhancing cybersecurity measures to mitigate risks and bolster national security. It emphasizes the modernization of robust security standards and the necessity for manufacturers and vendors to furnish accurate and comprehensive Software Bills of Materials (SBOMs) for their products.

Under the EO 14028, the Cybersecurity and Infrastructure Security Agency (CISA) has spearheaded efforts to standardize SBOMs. Allan Friedman, a seasoned SBOM advocate, and CISA senior advisor, leads these endeavors at CISA.

FDA Pre-Market Approval Guidelines

The Food and Drug Administration (FDA) plays a pivotal role in safeguarding public health, particularly concerning medical devices. Unlike voluntary standards, FDA regulations carry legal weight, mandating pre-market approval for medical devices sold in the US. To obtain authorization, manufacturers must present evidence of a device's safety and effectiveness.

In response to the rapidly evolving cybersecurity landscape, the FDA published its final draft of medical device cybersecurity guidelines in September 2023. These guidelines underscore six expectations, including adopting a Secure Product Development Framework (SPDF) and SBOMs, ensuring security and safety throughout a medical device's lifecycle.

IEC 62304

The International Electrotechnical Commission (IEC) sets global standards for electrical and electronic technologies, including medical devices. Compliance with IEC 62304 requires detailed documentation of software development processes, including identifying and managing software components and their interactions. An SBOM supports these requirements by offering an accurate list of all third-party and open-source components, their versions, and dependency information.

IEC 62304 is most effective when integrated with complementary standards like ISO 13485, ISO 14971 (for cybersecurity risk management), ISO 81001-5-1:2021 (regulatory standard for medical devices), IEC 60601-1, ISO/IEC 12207, IEC 61508-3, and ISO/IEC 90003.

IMDRF Cyber Working Group

The International Medical Device Regulators Forum (IMDRF), established in 2011, brings together representatives from global medical device regulatory authorities. The IMDRF/CYBER Working Group (WG) issued the Final Guidance document IMDRF/CYBER WG/N60 in March 2020, outlining general principles and best practices for medical device cybersecurity. This guidance focuses on medical devices containing or composed of software and stresses the importance of cybersecurity throughout the Total Product Lifecycle (TPLC), involving all stakeholders.

Key concepts from the N60 standard include:

• Legacy Medical Devices: This section addresses devices vulnerable to cybersecurity threats that cannot be adequately safeguarded through updates. It outlines responsibilities between manufacturers and customers throughout the TPLC.

• Software Bill of Materials (SBOM): Detailed inventory reports identifying each software component by name, origin, version, and build, including commercial, open-source, or off-the-shelf components. IMDRF promotes SBOM usage to help device operators manage assets and risks, collaborate with manufacturers, make informed purchasing decisions, and ensure compatibility with industry best practices.

IMDRF emphasizes:

• Device operators should use SBOMs to collaborate with manufacturers to identify vulnerable software, update requirements, and effectively manage security risks.
• SBOMs should aid purchasers in understanding device components and associated security risks.
• Manufacturers should adhere to industry best practices for SBOM deployment to ensure compatibility.

ISO/IEC 27001

ISO/IEC 27001 is an internationally recognized standard for managing data security, though not explicitly tailored to medical devices. ISO 27001 is relevant to medical devices due to their increasing connectivity and vulnerability to cyber threats. Manufacturers and practitioners within the medical device industry prioritize minimizing patient safety and privacy risks. The standard provides a structured approach to managing information security, particularly crucial when operational data integrity or personal health information confidentiality is compromised.

ISO 27001 offers a comprehensive methodology:

• Systematically assessing an organization's information security risks, accounting for potential threats, vulnerabilities, and impacts.
• Deploying a cohesive suite of information security controls to mitigate risks deemed unacceptable.
• Establishing a robust process to ensure the flexibility and adaptability of information security controls to meet evolving needs continually.

AAMI TIR97

Founded in 1967, the Association for the Advancement of Medical Instrumentation (AAMI) is a nonprofit organization with over 10,000 healthcare technology professionals dedicated to advancing health technology and prioritizing patient safety. AAMI, headquartered in the United States, is accredited by the American National Standards Institute (ANSI) and serves as a voluntary standards organization.

A notable contribution from AAMI is Technical Information Report (TIR) 97, published in 2019, focusing on post-market medical device security. Complementing this, AAMI TIR517 addresses pre-market considerations.

TIR97 guides enhancing post-market medical device security through initiatives like handling security events, utilizing threat intelligence, monitoring vulnerabilities, and responding to incidents. It broadens the definition of "harm" beyond physical harm to include factors like reduced device effectiveness and data security breaches.

Recognized as a "consensus standard" by the US Food and Drug Administration (FDA), TIR 97 aligns with ANSI/AAMI/ISO 14971 standards, emphasizing best practices and patient safety.

SBOM tools, essential for regulatory compliance, offer detailed inventories of software components, aiding in cybersecurity and regulatory adherence. They assist manufacturers in tracking vulnerabilities, enhancing transparency, and aligning with FDA pre-market approval guidelines and IMDRF cybersecurity principles.

SBOM adoption supports implementing industry best practices, such as those outlined in ISO/IEC 27001, by streamlining risk management, strengthening security measures, and facilitating stakeholder collaboration.

Key Features of SBOM Tools for Medical Device Software

SBOM (Software Bill of Materials) tools play a crucial role in supporting the development and maintenance of medical device software by providing transparency, traceability, and security throughout the software supply chain. The following are the most essential features and functionalities that SBOM tools should have to support medical device software development and maintenance effectively:

1. Vulnerability Tracking and Management Capabilities

SBOM tools should have robust capabilities to track and manage vulnerabilities in medical device software components. This includes integration with vulnerability databases to identify known vulnerabilities. The tool should provide features for assessing the severity of vulnerabilities and prioritizing them based on factors such as the potential impact on patient safety and the likelihood of exploitation.

The tool should support vulnerability remediation workflows, enabling teams to track mitigation efforts and implement necessary patches or updates for identified vulnerabilities. It should also provide alerts and notifications to inform stakeholders about newly discovered vulnerabilities and guide proactive risk management strategies.

Moreover, emphasizing the importance of real-time updates, the tool must be online to monitor vulnerabilities continuously. The tool ensures immediate notification of new threats by integrating with the vendor's development pipelines, such as Continuous Integration and Deployment. This is crucial because vulnerability databases are updated regularly, sometimes daily, underscoring the necessity for constant vigilance against emerging risks.

2. Automated Generation and Updating of SBOMs

SBOM tools should automate generating SBOMs for medical device software to ensure accuracy, consistency, and efficiency. Automation features should include scanning software components and dependencies, extracting relevant metadata, and generating comprehensive SBOMs in standard formats such as SPDX (Software Package Data Exchange) or CycloneDX.

Furthermore, the tool should support automatic updates to SBOMs as software components are added, removed, or updated throughout the development and maintenance lifecycle.

Automation reduces the burden on development teams and improves traceability by ensuring that SBOMs are always up-to-date and reflect the current software composition.

3. Compatibility with Medical Device Software Development Environments

SBOM tools should be compatible with common medical device software development environments, including integrated development environments (IDEs) and software configuration management systems.

Seamless integration with development environments enables developers to incorporate SBOM generation and management into their existing workflows without disruption. Compatibility with development environments also facilitates real-time monitoring of software components, allowing teams to identify and address vulnerabilities early in the development process.

4. Support for Standard SBOM Formats 

SBOM tools should support standard formats such as SPDX and CycloneDX to ensure interoperability and compatibility with other tools and systems. Standard formats provide a common language for expressing software component metadata, making sharing SBOMs across stakeholders and organizations easier.

Additionally, adherence to standard formats facilitates regulatory compliance by aligning with industry best practices and guidelines.

5. Integration with Existing Development and Security Tools

SBOM tools should integrate seamlessly with existing development and security tools in the medical device software development lifecycle. Integration with version control systems, issue trackers, and continuous integration/continuous deployment (CI/CD) pipelines enables automated SBOM generation and management as part of the overall development process.

Integration with security scanning tools and vulnerability management platforms enhances visibility into software vulnerabilities and streamlines remediation efforts. Furthermore, integration with regulatory compliance tools facilitates documentation and audit trails to support regulatory submissions and certifications.

6. Scalability and Support for Complex Software Ecosystems Common in Medical Devices

SBOM tools should be scalable to support the complexity of software ecosystems commonly found in medical devices, which may include multiple software layers, dependencies, and third-party components. Scalability ensures the tool can handle large-scale software projects with thousands of components while maintaining performance and reliability.

Support for complex software ecosystems enables comprehensive analysis and tracking of components across the entire medical device product line, including embedded software, firmware, and associated libraries.

SBOM tools can effectively support medical device software development and maintenance by incorporating these features, enhancing transparency, security, and regulatory compliance throughout the product lifecycle.

Top 5 SBOM Tools for Medical Device Software

1. SNYK

SNYK is a developer-first security platform that helps identify and fix vulnerabilities in open-source code and containers. SNYK's focus on developer-friendly security solutions and its extensive support for open-source vulnerability management differentiate it from other tools.

Key Features

• Open-source scanning: SNYK comprehensively scans open-source libraries and dependencies to identify vulnerabilities.
• Vulnerability scanning: It offers vulnerability assessment capabilities to detect and prioritize security issues in software components.
• Producing SBOM in required formats: SNYK supports generating SBOMs in standard formats such as SPDX, providing transparency into software composition.
• Snyk also has a tool called Snyk Code for Static code analysis. It helps developers find and fix security vulnerabilities in their codebase during development. 

Pros

• Easy-to-use interface geared towards developers.
• Seamless integration with popular development tools and CI/CD pipelines.
• Comprehensive vulnerability database and timely updates.
• It seamlessly integrates into existing development workflows, allowing developers to incorporate security checks without disrupting their coding process.
• Snyk Code supports multiple programming languages and frameworks, including JavaScript, Java, Python, Ruby, Go, and more.

Cons

• Limited support for proprietary code analysis.
• Pricing might be prohibitive for small teams or projects.

‍

JFrog

JFrog provides DevOps solutions for artifact management, including repository management, distribution, and security scanning. Its comprehensive DevOps platform offers end-to-end solutions for software delivery pipelines.

Key Features

• Open-source scanning: JFrog Xray scans open-source components for vulnerabilities and license compliance.
• Producing SBOM in required formats: It supports generating SBOMs in various formats, facilitating transparency and compliance.

Pros

• High-performance artifact management capabilities.
• Integration with JFrog's ecosystem of DevOps tools.
• Scalability and support for large-scale deployments.

Cons

• Complexity in setup and configuration may require expertise.
• Cost may be a barrier for smaller organizations.

Checkmarx

Checkmarx is a leading provider of static application security testing (SAST) solutions for identifying security vulnerabilities in source code. Checkmarx's expertise in proprietary static code analysis and its focus on deep security testing differentiate it as a comprehensive solution for secure software development.

Key Features

• Proprietary static code analysis: Checkmarx conducts in-depth analysis of proprietary code to identify security vulnerabilities and compliance issues.
• Vulnerability scanning: It offers comprehensive vulnerability scanning capabilities for open-source and proprietary code.

Pros

• Accurate detection of security vulnerabilities and compliance violations.
• Integration with popular IDEs and CI/CD tools.
• Support for compliance standards such as OWASP Top 10 and CWE/SANS Top 25.

Cons

• The higher learning curve for configuration and customization.
• It may generate false positives, requiring manual review.

‍

SonarQube

SonarQube is an open-source platform for continuously inspecting code quality, security, and maintainability. SonarQube's open-source nature and focus on code quality make it an attractive option for organizations looking for a cost-effective solution with broad language support.

Key Features

• Open-source scanning: SonarQube supports scanning open-source components to detect vulnerabilities and code quality issues.
• Producing SBOM in required formats: It offers plugins/extensions for generating SBOMs in standard formats.

Pros

• Free and open-source, with a large community and ecosystem.
• Extensive support for multiple programming languages.
• Integration with popular CI/CD tools and development environments.

Cons

• Limited support for proprietary code analysis compared to dedicated SAST tools.
• Performance issues with large codebases may occur.
• Vulnerability testing is not part of the free offering.

‍

FOSSA

FOSSA is a platform for managing open-source dependencies, licenses, and compliance in software projects. FOSSA's specialization in open-source dependency management and compliance and its advanced reporting capabilities set it apart as a comprehensive solution for managing software supply chain risks.

Key Features

• Open-source scanning: FOSSA comprehensively scans open-source components to identify vulnerabilities and license compliance issues.
• Producing SBOM in required formats: It supports generating SBOMs in standard formats such as SPDX.

Pros

• Dedicated focus on open-source dependency management and compliance.
• Integration with popular version control systems and CI/CD pipelines.
• Advanced reporting and analytics for compliance management.

Cons

• Limited support for proprietary code analysis.
• Pricing may be a concern for small teams or projects.

‍

Parting Thoughts 

Incorporating the FDA's recommended cybersecurity measures into medical devices is essential for ensuring their safety, effectiveness, and competitive edge. By adhering to these guidelines, MedTech companies and manufacturers can enhance their products' resilience against potential threats.

BioT's cybersecurity package is designed to meet and exceed FDA guidelines, providing our customers with the tools and documentation to ensure their medical devices remain secure, resilient, and compliant with the latest cybersecurity standards.

At BioT, we applaud the FDA’s ratifying cybersecurity due diligence and processes. And, our clients benefit from the fact that BioT has been doing it since 2018 and continues it as a foundational benefit of our Platform as a Service. We have integrated Snyk into our software development lifecycle (SDLC) at the level of Pull Requests and as part of the CI/CD pipeline. Integrating Snyk into our SDLC ensures that security is prioritized from the earliest stages of development, mitigating risks before they reach production environments. Our longstanding commitment to cybersecurity and cutting-edge tools like Snyk underscores our dedication to delivering robust and secure solutions to our clients.

‍