Strike Graph security compliance blog

Beyond SBOMs: Building a secure future for medical devices

Written by Stephen Ferrell, CISA, CRISC | Aug 26, 2024 4:21:40 PM

The increasing reliance on connected devices in healthcare has made medical device cybersecurity a top priority. A recent Forbes Technology Council article by Christian Espinosa highlights a crucial development: the FDA's mandate for Software Bill of Materials (SBOM) in medical device submissions. This is a positive step, but it's only one piece of the cybersecurity puzzle for manufacturers.

The Power of SBOMs

Espinosa rightly emphasizes the game-changing role of SBOMs in premarket submissions. They provide a comprehensive view of all software components, dependencies, and metadata within a medical device. In an industry reliant on open-source and third-party code, this transparency across the entire software supply chain is critical.

Benefits of SBOMs

  • Proactive identification of vulnerabilities
  • Streamlined maintenance of updates and patches
  • Improved stakeholder knowledge of all components

Choosing the Right Tools

The article discusses tools like CycloneDX, Syft, Fossa, and MergeBase for SBOM generation. Each has strengths and weaknesses, requiring careful selection based on specific needs. However, as Espinosa warns, these tools alone aren't enough.

Beyond SBOMs: A Holistic Approach

Building on the SBOM foundation requires additional practices:

  • Identify and Document SOUP (Software of Unknown Provenance): Understand and mitigate risks associated with third-party components.
  • Treat SBOMs as Living Documents: Regularly update them to reflect software changes.
  • Comprehensive Reporting and Documentation: Leave no detail unrecorded.
  • Continuous Monitoring: Proactively detect and address vulnerabilities.
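As an added illustration of three of these practices (it is not code from the article or from any of the tools it names), the script below parses a constructed CycloneDX SBOM, flags components with undocumented provenance as SOUP candidates, diffs two revisions of the SBOM as a living document, and joins components to a constructed advisory feed as a continuous-monitoring step. The component names, `pkg:generic` purls, digest and advisory ids are all made-up sample values.

```python
import json

# Constructed CycloneDX 1.5 fragment for illustration; not taken from any real device.
SBOM_V1 = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.13",
     "purl": "pkg:generic/openssl@3.0.13",
     "supplier": {"name": "OpenSSL Project"},
     "hashes": [{"alg": "SHA-256", "content": "<placeholder-digest>"}]},
    {"type": "library", "name": "zlib", "version": "1.2.11",
     "purl": "pkg:generic/zlib@1.2.11"},
    {"type": "library", "name": "legacy-dicom-parser", "version": "0.9"}
  ]}""")

# A later revision of the same SBOM (constructed): zlib upgraded, everything else unchanged.
SBOM_V2 = json.loads(json.dumps(SBOM_V1))
SBOM_V2["components"][1].update(version="1.3.1", purl="pkg:generic/zlib@1.3.1")

# Constructed advisory feed keyed by version-less purl; ids are placeholders, not real CVEs.
ADVISORIES = {"pkg:generic/zlib": {"1.2.11": "EXAMPLE-ADVISORY-0001"}}

PROVENANCE_FIELDS = ("purl", "supplier", "hashes")

def soup_candidates(sbom):
    """Components lacking provenance metadata: candidates for SOUP documentation."""
    out = []
    for c in sbom.get("components", []):
        missing = [f for f in PROVENANCE_FIELDS if not c.get(f)]
        if missing:
            out.append((c["name"], c.get("version"), missing))
    return out

def match_advisories(sbom, feed):
    """Continuous-monitoring step: join SBOM components to an advisory feed by purl."""
    hits = []
    for c in sbom.get("components", []):
        base = c.get("purl", "").split("@")[0]   # drop the version part of the purl
        advisory = feed.get(base, {}).get(c.get("version"))
        if advisory:
            hits.append((c["name"], c["version"], advisory))
    return hits

def diff_sboms(old, new):
    """Living-document check: (added, removed) (name, version) pairs between revisions."""
    key = lambda c: (c["name"], c.get("version"))
    old_set = {key(c) for c in old.get("components", [])}
    new_set = {key(c) for c in new.get("components", [])}
    return sorted(new_set - old_set), sorted(old_set - new_set)

if __name__ == "__main__":
    print("SOUP candidates:", soup_candidates(SBOM_V1))
    print("Advisory hits v1:", match_advisories(SBOM_V1, ADVISORIES))
    print("Advisory hits v2:", match_advisories(SBOM_V2, ADVISORIES))
    print("Changes v1->v2:", diff_sboms(SBOM_V1, SBOM_V2))
```

In a real pipeline the feed would be refreshed on a schedule and the diff run on every build, so that a component upgrade both clears the old advisory hit and is recorded as a documented change.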

Elevating Cybersecurity Efforts

For a truly robust approach, integrate FDA and EU medical device cybersecurity guidance; taken together, the guidances identify some 50 discrete controls for consideration:

  • FDA Premarket Guidance: Emphasizes "security by design" with:
    • Threat modeling during design
    • Security controls for data confidentiality, integrity, and availability
    • Proper device authentication and authorization mechanisms
    • Thorough security testing before market release
  • FDA Postmarket Guidance: Focuses on ongoing risk management:
    • Coordinated vulnerability disclosure policy
    • Ongoing risk assessment and management processes
    • Timely development and deployment of patches and updates
    • Effective communication with stakeholders regarding cybersecurity issues
  • EU Medical Device Cybersecurity Guidance: Aligns with FDA recommendations but adds unique aspects:
    • Lifecycle approach to cybersecurity, from conception to decommissioning
    • Protection of personal data in line with GDPR requirements
    • Collaboration between manufacturers, healthcare providers, and cybersecurity researchers

Building a Comprehensive Framework

By integrating SBOM practices with these guidelines, SaMD providers can create a robust cybersecurity framework. This holistic approach not only ensures compliance but also strengthens the overall security posture of medical devices.

Key Elements of a Comprehensive Framework

  • Regular security assessments and penetration testing
  • Strong encryption for data at rest and in transit
  • Developed incident response and recovery plans
  • Ongoing cybersecurity training for staff
  • Information sharing with industry peers and security researchers

Conclusion

The FDA's SBOM mandate is a positive step, but it's just the beginning. By incorporating the full spectrum of FDA and EU guidance and implementing a comprehensive cybersecurity framework, manufacturers can better protect devices, users, and ultimately, patient safety. As healthcare embraces digital technologies, robust cybersecurity measures become crucial for building trust, ensuring patient safety, and contributing to a resilient healthcare infrastructure.