SBOM Management 101: Mitigating The Risk of Medical Device Software

SBOM Management 101: Mitigating The Risk of Medical Device Software

Shiv Ghai, Co-Founder & CTO of Ultralight Labs

Apr 15, 2024

Sign up to receive blog updates

Sign up to receive blog updates

Sign up to receive blog updates

Hackers’ Paradise

In February, Change Healthcare—one of the largest US clearinghouses for processing patient-provider claims and payments—faced a cyberattack that caused massive outages and delays across the US healthcare ecosystem. Thousands of patients were forced to pay for medications out of pocket. Hundreds of independent providers and pharmacies, many of which operate with just a few weeks of cash buffer, faced insolvency. Tens of millions of dollars have been paid to the criminal group responsible for the hack, yet Change’s issues remain ongoing and much of their processing network is still down.

If it wasn’t already clear, this has bat-signaled that healthcare infrastructure is great business for hackers, given the sensitivity of the digital information at hand and the continued vulnerabilities among healthcare technology broadly.

For medical device companies which are increasingly coming online and leveraging software components, this is a major point of concern that is top of mind for the FDA and other regulatory bodies.

The Risk of Medical Device Software

The lion’s share of new medical devices, and iterations of old medical devices, increasingly leverage software components.

In these products, many, many standalone pieces of software are pulled into a final “device”. Many of these components are considered off-the-shelf (OTS) software per the FDA, or software of unknown provenance (SOUP) per IEC 62304 (the consensus guidance for building medical device software). The use of OTS or SOUP requires a well-documented analysis that determines the risk associated with the software (both patient risk and cybersecurity risk) and a specification of how the software used will be validated.

In 2023, the FDA released its final guidance for Cybersecurity in Medical Devices. It outlines, among many things, the addition of a new deliverable which serves as the foundation of cybersecurity risk mitigation: a software bill of materials, or SBOM.

So, what is an SBOM?

Demystifying SBOMs in Medical Devices

An SBOM is essentially a detailed inventory that lists all the software components and libraries that are part of a medical device's software ecosystem. This includes open-source and proprietary components, dependencies, and the relationships between them. SBOMs play a critical role in identifying vulnerabilities, managing licenses, and ensuring compliance with regulatory standards.

Regulatory Landscape

The regulatory framework for medical device software is increasingly stringent, reflecting the growing concerns over cybersecurity risks. Regulatory bodies around the world, including the U.S. Food and Drug Administration (FDA) and the European Union's Medical Device Regulation (MDR), have underscored the importance of SBOMs in ensuring the cybersecurity of medical devices. These regulations mandate that manufacturers must provide detailed SBOMs as part of their premarket submissions and maintain them throughout the device's lifecycle.

Best Practices for SBOM Management

1. Continuous Monitoring and Updating

Cybersecurity is a moving target; new vulnerabilities emerge daily. It's crucial that SBOMs are not viewed as static documents but as living entities that require regular updates and revisions to reflect the current risk landscape.

2. Comprehensive Coverage

Ensure your SBOM includes every software component, no matter how minor it seems. Even the smallest piece of software can be a potential entry point for cyber threats.

3. Integration with Vulnerability Management Systems

Integrating SBOM management with vulnerability tracking systems allows for real-time alerts and updates on new vulnerabilities affecting components listed in your SBOM. This proactive approach can significantly mitigate potential risks.

4. Stakeholder Collaboration

SBOM management should be a collaborative effort involving cybersecurity teams, software developers, compliance officers, and supply chain partners. Sharing SBOMs with stakeholders can foster transparency and collective responsibility in addressing cybersecurity challenges.

5. Risk-based Approach

When an SBOM item or dependency is critical to patient safety or critical to the functioning of the device, it should be proactively monitored and its risks should proactively mitigated.

Teams can and do, of course, create manual processes so that SBOMs can be generated and managed. This sometimes involves a multi-step process:

  1. Generate SBOMs in a machine readable format in order to understand their dependency tree for each project/repository. This should include information like Manufacturer/Developer of the dependency and license information.

  2. Build a vulnerability report to supplement the SBOM, which includes each dependency and its vulnerability exposure according to multiple data sets (e.g. NIST, Github Advisories Database).

  3. Document risk assessments, criticality, and purpose of use for each dependency

This multi-step process for managing SBOMs is time-intensive, since it involves a crossteam effort across quality, regulatory, and engineering. This often leads to teams retroactive management of SBOMs, and thus a major risk of software releases with vulnerabilities. This can lead to major issues like data breaches and noncompliance.

SBOM Management with Ultralight

Ultralight streamlines the process of managing SBOMs by giving power back to quality and regulatory teams, while easing the burden on engineering teams. It enables one-click generation of SBOMs, automatic vulnerability scanning, and report building.

Ultralight helps teams manage SBOMs in this rapidly-changing regulatory environment. We generate SBOMs for you in a single click after you’ve set up your GitHub repository integration. We also help with Vulnerability Management, by automatically scanning your SBOMs so that you can proactively understand your overall cybersecurity risk posture and issue any corrective actions.

At Ultralight, we believe the regulatory requirements set forth by the FDA are a crucial step to ensuring cybersecurity for the most vulnerable and critical populations. With the right tools, you can simplify complex regulatory compliance, and we are helping our customers do just that.

Interested in joining the dozens of medical device software teams modernizing their compliance stack with Ultralight? Reach out or schedule a demo.



Social media

© 2024 Ultralight Labs



Social media

© 2024 Ultralight Labs