The last two years saw a staggering 74% surge in cyber-attacks targeting healthcare organizations, while assaults on the software supply chain have increased to an average of 610% annually since 2020. These attacks threaten the functionality and reliability of medical devices and their underlying software, erasing trust in the devices and their manufacturers and damaging brand reputation.
We all know how connected medical devices rely on software and often interface with platforms like computers, or mobile apps for data exchange, exposing them to diverse security vulnerabilities. Unfortunately, many medical device software suppliers are ill-equipped to tackle these security challenges effectively. Hence, the US Department of Health and Human Services (HHS) and the Food and Drug Administration (FDA) have introduced new regulations to increase medical device software suppliers' cybersecurity preparedness.
On May 12, 2021, President Biden signed the Executive Order On Improving the Nation’s Cybersecurity which included a mandate requiring every vendor supplying software to the federal government to furnish a software bill of materials (SBOM) alongside their product.
This directive received significant attention, particularly considering the federal government's substantial annual expenditure of nearly $100 billion on IT services. Emphasis is placed on the SBOM concept and cybersecurity as a whole.
Nowhere are these concerns more critical than in the medical device industry, where the development of safe and secure software directly impacts lives. Today, let's explore the SBOM and its pivotal role in medical device manufacturing and cybersecurity and finally discuss some top SBOM tools for medical device software.
The National Telecommunications and Information Administration (NTIA) defines an SBOM as "a formal, machine-readable inventory of software components and dependencies, along with information about those components and their hierarchical relationships."
An SBOM is a comprehensive roster of all components utilized within a particular software application. Typically, this is a combination of proprietary and open-source code, with the SBOM including details such as licenses, versions, and vulnerabilities associated with any open-source code utilized.
The SBOM is a valuable resource for enhancing cybersecurity risk management across the entire Total Product Lifecycle (TPLC) in pre- and post-market activities. During the pre-market phase, medical device manufacturers (MDMs) can leverage SBOM resources to track known software vulnerabilities, thus preventing them from releasing devices with identified cybersecurity risks. In the post-market phase, SBOMs can be utilized by MDMs to supplement vulnerability monitoring processes, aiding in identifying at-risk devices already in circulation.
SBOMs are crucial in improving cybersecurity risk management processes throughout the TPLC, functioning as a primary or secondary resource. The benefits of SBOM implementation extend to the following.
President Biden's executive order tasked the NTIA with establishing a list of minimum required elements for SBOMs, which are now mandatory for software suppliers to provide to the government. These minimum elements are categorized as follows.
[Recommended Reading: How to Improve Cybersecurity on Your Connected Medical Devices]
Cybersecurity is essential for protecting patients, medical professionals, and manufacturers' reputations. Therefore, they must prioritize addressing cybersecurity concerns in medical devices to prevent harm, maintain trust among healthcare providers, and uphold industry standards.
Utilizing SBOM alongside other cybersecurity risk management tools and procedures signified its benefits throughout the Total Product Lifecycle (TPLC). IMDRF N60 mandates SBOM inclusion as part of customer security documentation, enhancing transparency and cybersecurity information disclosure for medical device manufacturers (MDMs) and healthcare providers (HCPs).
SBOM proves invaluable for MDMs and HCPs across various stages of the TPLC. It aids in managing software component end-of-life (EOL) effectively, allowing MDMs to prepare for associated risks and enhance quality control capabilities. Meanwhile, HCPs benefit from increased transparency, enabling them to implement cybersecurity activities tailored to their risk profiles and capabilities.
Providing SBOMs pre-purchase and pre-installation empowers healthcare providers to make informed decisions regarding device deployment and mitigate potential cybersecurity issues associated with outdated software. As SBOM adoption grows, advancements in tooling, services, and cybersecurity maturity will enable HCPs to leverage their full potential, aiding in comprehensive risk assessments.
Moreover, the inclusion of SBOMs in pre-market submissions signals MDMs' commitment to mature cybersecurity practices, facilitating more thorough benefit-risk assessments by regulators. Post-market, SBOM availability assists MDMs, HCPs, and regulators in effectively estimating and addressing threat impacts.
1. Security Enhancement: Within the healthcare sector, SBOMs offer heightened transparency, empowering medical device manufacturers and healthcare providers to pinpoint vulnerabilities and enhance the monitoring of medical device security. By discerning the software components installed on a device, stakeholders can significantly streamline risk analysis, vulnerability management, and remediation efforts, potentially saving hundreds of hours.
2. Compliance Adherence: Following President Biden's Executive Order, software providers supplying to the federal government must include SBOMs in the federal procurement process, ensuring compliance with regulatory directives.
3. Streamlined Procurement: An increasing trend sees organizations requesting SBOMs during software acquisition and integration processes. Sharing SBOMs fosters greater visibility, transparency, and trust, building stronger relationships between medical device manufacturers and healthcare delivery entities.
Moreover, leveraging SBOMs throughout the total product lifecycle offers an array of benefits:
The following regulatory frameworks and standards underscore the critical importance of robust cybersecurity measures, including adopting SBOMs, to ensure medical devices' safety, security, and efficacy throughout their lifecycle.
EO 14028
In response to escalating software supply chain security concerns, US President Biden issued Executive Order (EO) 14028 in 2021. This directive focused on enhancing cybersecurity measures to mitigate risks and bolster national security. It emphasizes the modernization of robust security standards and the necessity for manufacturers and vendors to furnish accurate and comprehensive Software Bills of Materials (SBOMs) for their products.
Under the EO 14028, the Cybersecurity and Infrastructure Security Agency (CISA) has spearheaded efforts to standardize SBOMs. Allan Friedman, a seasoned SBOM advocate, and CISA senior advisor, leads these endeavors at CISA.
FDA Pre-Market Approval Guidelines
The Food and Drug Administration (FDA) plays a pivotal role in safeguarding public health, particularly concerning medical devices. Unlike voluntary standards, FDA regulations carry legal weight, mandating pre-market approval for medical devices sold in the US. To obtain authorization, manufacturers must present evidence of a device's safety and effectiveness.
In response to the rapidly evolving cybersecurity landscape, the FDA published its final draft of medical device cybersecurity guidelines in September 2023. These guidelines underscore six expectations, including adopting a Secure Product Development Framework (SPDF) and SBOMs, ensuring security and safety throughout a medical device's lifecycle.
IEC 62304
The International Electrotechnical Commission (IEC) sets global standards for electrical and electronic technologies, including medical devices. Compliance with IEC 62304 requires detailed documentation of software development processes, including identifying and managing software components and their interactions. An SBOM supports these requirements by offering an accurate list of all third-party and open-source components, their versions, and dependency information.
IEC 62304 is most effective when integrated with complementary standards like ISO 13485, ISO 14971 (for cybersecurity risk management), ISO 81001-5-1:2021 (regulatory standard for medical devices), IEC 60601-1, ISO/IEC 12207, IEC 61508-3, and ISO/IEC 90003.
IMDRF Cyber Working Group
The International Medical Device Regulators Forum (IMDRF), established in 2011, brings together representatives from global medical device regulatory authorities. The IMDRF/CYBER Working Group (WG) issued the Final Guidance document IMDRF/CYBER WG/N60 in March 2020, outlining general principles and best practices for medical device cybersecurity. This guidance focuses on medical devices containing or composed of software and stresses the importance of cybersecurity throughout the Total Product Lifecycle (TPLC), involving all stakeholders.
Key concepts from the N60 standard include:
IMDRF emphasizes:
ISO/IEC 27001
ISO/IEC 27001 is an internationally recognized standard for managing data security, though not explicitly tailored to medical devices. ISO 27001 is relevant to medical devices due to their increasing connectivity and vulnerability to cyber threats. Manufacturers and practitioners within the medical device industry prioritize minimizing patient safety and privacy risks. The standard provides a structured approach to managing information security, particularly crucial when operational data integrity or personal health information confidentiality is compromised.
ISO 27001 offers a comprehensive methodology:
AAMI TIR97
Founded in 1967, the Association for the Advancement of Medical Instrumentation (AAMI) is a nonprofit organization with over 10,000 healthcare technology professionals dedicated to advancing health technology and prioritizing patient safety. AAMI, headquartered in the United States, is accredited by the American National Standards Institute (ANSI) and serves as a voluntary standards organization.
A notable contribution from AAMI is Technical Information Report (TIR) 97, published in 2019, focusing on post-market medical device security. Complementing this, AAMI TIR517 addresses pre-market considerations.
TIR97 guides enhancing post-market medical device security through initiatives like handling security events, utilizing threat intelligence, monitoring vulnerabilities, and responding to incidents. It broadens the definition of "harm" beyond physical harm to include factors like reduced device effectiveness and data security breaches.
Recognized as a "consensus standard" by the US Food and Drug Administration (FDA), TIR 97 aligns with ANSI/AAMI/ISO 14971 standards, emphasizing best practices and patient safety.
SBOM tools, essential for regulatory compliance, offer detailed inventories of software components, aiding in cybersecurity and regulatory adherence. They assist manufacturers in tracking vulnerabilities, enhancing transparency, and aligning with FDA pre-market approval guidelines and IMDRF cybersecurity principles.
SBOM adoption supports implementing industry best practices, such as those outlined in ISO/IEC 27001, by streamlining risk management, strengthening security measures, and facilitating stakeholder collaboration.
SBOM (Software Bill of Materials) tools play a crucial role in supporting the development and maintenance of medical device software by providing transparency, traceability, and security throughout the software supply chain. The following are the most essential features and functionalities that SBOM tools should have to support medical device software development and maintenance effectively:
1. Vulnerability Tracking and Management Capabilities
SBOM tools should have robust capabilities to track and manage vulnerabilities in medical device software components. This includes integration with vulnerability databases to identify known vulnerabilities. The tool should provide features for assessing the severity of vulnerabilities and prioritizing them based on factors such as the potential impact on patient safety and the likelihood of exploitation.
The tool should support vulnerability remediation workflows, enabling teams to track mitigation efforts and implement necessary patches or updates for identified vulnerabilities. It should also provide alerts and notifications to inform stakeholders about newly discovered vulnerabilities and guide proactive risk management strategies.
Moreover, emphasizing the importance of real-time updates, the tool must be online to monitor vulnerabilities continuously. The tool ensures immediate notification of new threats by integrating with the vendor's development pipelines, such as Continuous Integration and Deployment. This is crucial because vulnerability databases are updated regularly, sometimes daily, underscoring the necessity for constant vigilance against emerging risks.
2. Automated Generation and Updating of SBOMs
SBOM tools should automate generating SBOMs for medical device software to ensure accuracy, consistency, and efficiency. Automation features should include scanning software components and dependencies, extracting relevant metadata, and generating comprehensive SBOMs in standard formats such as SPDX (Software Package Data Exchange) or CycloneDX.
Furthermore, the tool should support automatic updates to SBOMs as software components are added, removed, or updated throughout the development and maintenance lifecycle.
Automation reduces the burden on development teams and improves traceability by ensuring that SBOMs are always up-to-date and reflect the current software composition.
3. Compatibility with Medical Device Software Development Environments
SBOM tools should be compatible with common medical device software development environments, including integrated development environments (IDEs) and software configuration management systems.
Seamless integration with development environments enables developers to incorporate SBOM generation and management into their existing workflows without disruption. Compatibility with development environments also facilitates real-time monitoring of software components, allowing teams to identify and address vulnerabilities early in the development process.
4. Support for Standard SBOM Formats
SBOM tools should support standard formats such as SPDX and CycloneDX to ensure interoperability and compatibility with other tools and systems. Standard formats provide a common language for expressing software component metadata, making sharing SBOMs across stakeholders and organizations easier.
Additionally, adherence to standard formats facilitates regulatory compliance by aligning with industry best practices and guidelines.
5. Integration with Existing Development and Security Tools
SBOM tools should integrate seamlessly with existing development and security tools in the medical device software development lifecycle. Integration with version control systems, issue trackers, and continuous integration/continuous deployment (CI/CD) pipelines enables automated SBOM generation and management as part of the overall development process.
Integration with security scanning tools and vulnerability management platforms enhances visibility into software vulnerabilities and streamlines remediation efforts. Furthermore, integration with regulatory compliance tools facilitates documentation and audit trails to support regulatory submissions and certifications.
6. Scalability and Support for Complex Software Ecosystems Common in Medical Devices
SBOM tools should be scalable to support the complexity of software ecosystems commonly found in medical devices, which may include multiple software layers, dependencies, and third-party components. Scalability ensures the tool can handle large-scale software projects with thousands of components while maintaining performance and reliability.
Support for complex software ecosystems enables comprehensive analysis and tracking of components across the entire medical device product line, including embedded software, firmware, and associated libraries.
SBOM tools can effectively support medical device software development and maintenance by incorporating these features, enhancing transparency, security, and regulatory compliance throughout the product lifecycle.
1. SNYK
SNYK is a developer-first security platform that helps identify and fix vulnerabilities in open-source code and containers. SNYK's focus on developer-friendly security solutions and its extensive support for open-source vulnerability management differentiate it from other tools.
Key Features
Pros
Cons
JFrog
JFrog provides DevOps solutions for artifact management, including repository management, distribution, and security scanning. Its comprehensive DevOps platform offers end-to-end solutions for software delivery pipelines.
Key Features
Pros
Cons
Checkmarx
Checkmarx is a leading provider of static application security testing (SAST) solutions for identifying security vulnerabilities in source code. Checkmarx's expertise in proprietary static code analysis and its focus on deep security testing differentiate it as a comprehensive solution for secure software development.
Key Features
Pros
Cons
SonarQube
SonarQube is an open-source platform for continuously inspecting code quality, security, and maintainability. SonarQube's open-source nature and focus on code quality make it an attractive option for organizations looking for a cost-effective solution with broad language support.
Key Features
Pros
Cons
FOSSA
FOSSA is a platform for managing open-source dependencies, licenses, and compliance in software projects. FOSSA's specialization in open-source dependency management and compliance and its advanced reporting capabilities set it apart as a comprehensive solution for managing software supply chain risks.
Key Features
Pros
Cons
Incorporating the FDA's recommended cybersecurity measures into medical devices is essential for ensuring their safety, effectiveness, and competitive edge. By adhering to these guidelines, MedTech companies and manufacturers can enhance their products' resilience against potential threats.
BioT's cybersecurity package is designed to meet and exceed FDA guidelines, providing our customers with the tools and documentation to ensure their medical devices remain secure, resilient, and compliant with the latest cybersecurity standards.
At BioT, we applaud the FDA’s ratifying cybersecurity due diligence and processes. And, our clients benefit from the fact that BioT has been doing it since 2018 and continues it as a foundational benefit of our Platform as a Service. We have integrated Snyk into our software development lifecycle (SDLC) at the level of Pull Requests and as part of the CI/CD pipeline. Integrating Snyk into our SDLC ensures that security is prioritized from the earliest stages of development, mitigating risks before they reach production environments. Our longstanding commitment to cybersecurity and cutting-edge tools like Snyk underscores our dedication to delivering robust and secure solutions to our clients.