Prescribing a Software Bill of Materials
On November 16th, U.S. Congressman Greg Walden (R-OR) sent a letter to the U.S. Department of Health and Human Services (HHS) requesting they convene a sector-wide effort to establish a plan of action for creating, deploying, and leveraging software bills of materials (SBOMs) to better protect the nation's healthcare systems and applications against cybersecurity attacks.
Evidence of Disease
The letter was not sent as a knee-jerk reaction to a recent attack. It follows years of successful exploits and research findings showing a proliferation of known vulnerable software components being used across the medical industry. These include:
- Johnson & Johnson insulin pumps
- Pacemaker programming machines
- Hollywood Presbyterian ransomware
- Bayer Medrad radiology equipment
- St. Jude Medical's implantable cardiac devices
FDA Calls for a New Health Regime
Representative Walden's letter comes just two weeks after Dr. Suzanne Schwartz at the FDA penned a blog post warning of cybersecurity risks implanted in medical devices. Dr. Schwartz said that the FDA is encouraging medical device manufacturers to proactively update vulnerable devices in a safe and timely manner. The same blog post pointed to the FDA's guidance for managing medical device cybersecurity risks throughout a product's lifecycle -- including early in the software development process -- mimicking DevSecOps practices being adopted by numerous IT organizations.
When the software in medical devices and systems is sick, it requires attention, and we have the opportunity to proactively improve the health of our medical devices and applications.
Pre-existing Conditions. Sonatype research has revealed that 1 in 18 open source components used in the development of software applications has a known security vulnerability. That is, the components being used are sick from the start -- even when healthy versions of the same component are available. By equipping developers with cybersecurity and other information about the components being used to assemble their applications, we can avoid infecting that software from the earliest moment.
Persistent Hygiene. Over time, security researchers and nefarious actors find vulnerabilities in software components commonly used by software development teams. Open source and third-party software components that were once known to be good can go bad over time as new exploit paths within them are discovered. This is where a software bill of materials (SBOM) can come in handy.
Think of an SBOM as a list of ingredients -- in this case, open source and third-party components -- used to assemble an application. When an ingredient spoils, it can be identified and recalled faster. Use of an SBOM improves the persistent hygiene of our software in medical devices and other environments.
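To make the "persistent hygiene" point concrete, here is an added example (not from the original post, Sonatype, or the FDA) that checks one unchanged SBOM against an advisory feed at two points in time. The SBOM uses a CycloneDX-style JSON layout; the product name, component names, advisory IDs, and feed format are all constructed for illustration.

```python
import json

# Constructed SBOM in a CycloneDX-style JSON layout (all names are made up).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "infusion-pump-firmware", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "example-tls", "version": "1.0.4"},
    {"type": "library", "name": "example-xml", "version": "2.7.1"},
    {"type": "library", "name": "example-rtos", "version": "5.1.0"}
  ]
}
"""

# Constructed advisory feed snapshots; the feed format is an assumption of this example.
FEED_AT_RELEASE = [
    {"id": "EXAMPLE-0001", "package": "example-xml", "fixed_in": "2.7.0"},
]
FEED_A_YEAR_LATER = FEED_AT_RELEASE + [
    {"id": "EXAMPLE-0002", "package": "example-tls", "fixed_in": "1.0.10"},
    {"id": "EXAMPLE-0003", "package": "example-rtos", "fixed_in": "5.0.2"},
]

def parse_version(text):
    """Turn '1.0.10' into (1, 0, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def affected_components(sbom_json, advisories):
    """Return (component, version, advisory id, fixed version) for each affected component."""
    sbom = json.loads(sbom_json)
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)
    hits = []
    for comp in sbom.get("components", []):
        for adv in by_package.get(comp["name"], []):
            # A component is affected when its version predates the fixed release.
            if parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                hits.append((comp["name"], comp["version"], adv["id"], adv["fixed_in"]))
    return hits

if __name__ == "__main__":
    for label, feed in (("at release", FEED_AT_RELEASE), ("a year later", FEED_A_YEAR_LATER)):
        hits = affected_components(SBOM_JSON, feed)
        print(f"{label}: {len(hits)} component(s) to recall")
        for name, version, adv_id, fixed in hits:
            print(f"  {name} {version} -> {adv_id}, upgrade to >= {fixed}")
```

The shipped software never changed between the two checks; only the advisory feed did, which is why the SBOM has to be re-evaluated continuously rather than once at release.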
Not the First Act
It is not the first time this year the U.S. Congress and government agencies have taken action on known vulnerabilities being embedded into software applications. In August, Senators Warner and Gardner, co-chairs of the Senate Cybersecurity Caucus, introduced bipartisan legislation to improve the cybersecurity of Internet-connected devices through the Internet of Things (IoT) Cybersecurity Improvement Act of 2017. Among other requirements, the legislation called for IoT devices being sold to the federal government to not contain any known security vulnerabilities. A software bill of materials is required here as well.
Applaud and Support Them
Ransomware can prevent medical care. Vulnerable devices can lead to improper care. Poor hygiene can lead to mass infection.
While some illnesses are unavoidable, good hygiene and healthy development routines can strengthen our nation's healthcare systems and applications against cybersecurity attacks. I applaud and support the efforts of Congressman Walden, Senators Warner and Gardner, and the FDA's Dr. Schwartz to improve the health of our healthcare systems and devices. I invite you to show your support for their efforts as well.