Healthcare Sector Spearheads SBOM Adoption to Support Cybersecurity

February 01, 2022 - The healthcare sector is spearheading rapid software bill of materials (SBOM) adoption to mitigate growing cybersecurity concerns and support the Food and Drug Administration’s (FDA) push toward medical device security and transparency, a report from the Linux Foundation suggested.

Motivated by President Biden’s executive order on improving the nation’s cybersecurity, organizations across all industries have been increasingly turning to SBOMs to ensure software supply chain security.

The executive order pointed to SBOMs, which provide a list of all software components in a given device, as especially critical to securing US critical infrastructure.

For healthcare, SBOMs can be hugely beneficial for medical device security by allowing device manufacturers, buyers, and operators to identify and mitigate software vulnerabilities.

For its “SBOM Cybersecurity Readiness” report, the Linux Foundation surveyed 412 organizations from a variety of industries to gain insights on SBOM readiness, adoption, and familiarity.

SBOMs are beneficial because they make it easier to monitor vulnerabilities, manage license compliance, and allow developers to understand dependencies across components in an application, survey respondents revealed.

Despite these benefits, many sectors are wary of widespread SBOM adoption due to production and logistical concerns. About 40 percent of the respondents reported being concerned about their respective industries being committed to requiring SBOMs, and others reported concern about a lack of industry consensus on what an SBOM should contain.

The main drive toward SBOM adoption for healthcare appears to stem from the FDA’s SBOM market guidance, which was first released in 2018. The FDA has prioritized providing further market guidance in the near future, the report indicated.

“This guidance is expected to require medical device manufacturers to include SBOM information with their products. So, healthcare markets have fast-tracked SBOMs,” the report noted.

“Other markets, including automotive, manufacturing, and energy, each have domain-specific needs, but are looking to identify and adopt best practices from how SBOM compliance evolves in healthcare.”

Across all surveyed organizations, 47 percent of respondents reported using SBOMs today, and 78 percent of respondents said that they would use SBOMs in 2022. SBOM readiness and consumption is still being operationalized across most sectors, the report continued. Industries will need to form a consensus regarding the methodology and format of SBOMs.

A senior policy advisor at the FDA told the Linux Foundation about some of the benefits of SBOMs and the challenges associated with adoption.

“[H]ospital procurement officers don’t know how to examine an SBOM, the package manager listings, or the open-source licensing distribution lists to see if there is risky software that they should not be bringing into their environments. They don’t have the information or the expertise to make those kinds of decisions,” the FDA advisor explained in the report.

The advisor also noted that medical device manufacturers may be reluctant to disclose this information. They may not want customers to know that they are using legacy software in some cases.

“[It] starts with transparency. Because if you don’t have any of this information, you can’t make any decisions easily, you can’t make any assessments or evaluations easily as well,” the FDA advisor continued.

“But once you have it, once you have an SBOM, the information is there for everyone to see, and you can start consuming SBOMs in formal ways to manage risk far more effectively.”

The FDA’s guidance put additional regulatory pressure on medical device manufacturers to adopt SBOMs. In the future, the policy advisor predicted, SBOMs will be required in order to sell medical products in the US.

With industry consensus and regulatory incentives, SBOMs could become a key component of healthcare cybersecurity efforts.