- August 06, 2021
The concept of an SBOM has been under discussion for years within the federal government. FDA in 2018 issued a Medical Device Safety Action Plan noting the agency was considering requiring firms to develop SBOMs as part of premarket submissions and make them available to customers and users “so that they can better manage their networked assets and be aware of which devices in their inventory or use may be subject to vulnerabilities.” AdvaMed in formal comments to that plan said it was worried about the lack of proper controls around the sharing and maintenance of SBOMs, warning that if the documents were stored in a publicly available central database it could allow cybercriminals to learn which software is operating within a device and expose patients to potential harm. AdvaMed’s Rothstein did not raise these concerns at the end of May during the FDLI conference.
Biden’s executive order last week made the case that understanding the software supply chain and using SBOMs to analyze known cybersecurity vulnerabilities are crucial to managing the growing risk from sophisticated and malicious hackers.
Cyber experts contend that once a vulnerability is discovered the widespread availability of SBOMs will make it easier for government and the private sector to know if they are affected. Currently, mitigating cybersecurity vulnerabilities and determining who is impacted is particularly difficult due to the lack of visibility into who is using the affected software components.
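The workflow the paragraph describes, as an added illustration that is not code from the article or from FDA, AdvaMed or NTIA: an operator holds one SBOM per device and, when an advisory names an affected component and version range, checks each inventory entry against it. The SBOM shape is a constructed CycloneDX-like subset, the advisory format is an assumed OSV-style range (affected when introduced <= version < fixed), the device names and versions are invented, and the advisory id is a placeholder. Matching here is by component name only; real SBOMs carry package URLs or CPEs for that purpose, and the version comparison is deliberately simplified.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample SBOMs keyed by device id (CycloneDX-like subset; the
# device names and component versions are invented for this example).
SBOMS: Dict[str, dict] = {
    "infusion-pump-01": {"components": [
        {"name": "openssl", "version": "1.1.1k"},
        {"name": "zlib", "version": "1.2.11"},
    ]},
    "patient-monitor-07": {"components": [
        {"name": "openssl", "version": "1.1.1l"},
        {"name": "libxml2", "version": "2.9.10"},
    ]},
    "imaging-workstation-03": {"components": [
        {"name": "OpenSSL", "version": "1.0.2u"},
    ]},
    "gateway-12": {"components": [
        {"name": "zlib", "version": "1.2.11"},
    ]},
}

# Constructed advisory in an assumed OSV-style shape: a version is affected
# if introduced <= version < fixed. The id is a placeholder, not a real one.
ADVISORY = {
    "id": "EXAMPLE-ADVISORY-0001",
    "component": "openssl",
    "introduced": "1.1.1",
    "fixed": "1.1.1l",
}

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(version: str) -> Tuple:
    """Split '1.1.1k' into a comparable tuple: numeric runs compare as
    integers, letter runs lexically, and a missing trailing token sorts
    first so that 1.1.1 < 1.1.1a (OpenSSL-style patch letters).
    Simplified on purpose; not a full semver or distro-version parser."""
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower())
                 for t in _TOKEN.findall(version))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed under version_key ordering."""
    v = version_key(version)
    return version_key(introduced) <= v < version_key(fixed)


def affected_devices(sboms: Dict[str, dict], advisory: dict) -> List[Tuple[str, str, str]]:
    """Return (device, component, version) for every SBOM entry the advisory hits.

    Name matching is case-insensitive; entries without a version are skipped
    rather than guessed at, since an unversioned component cannot be cleared."""
    hits = []
    target = advisory["component"].lower()
    for device, sbom in sboms.items():
        for comp in sbom.get("components", []):
            if comp.get("name", "").lower() != target or "version" not in comp:
                continue
            if is_affected(comp["version"], advisory["introduced"], advisory["fixed"]):
                hits.append((device, comp["name"], comp["version"]))
    return sorted(hits)


if __name__ == "__main__":
    for device, name, ver in affected_devices(SBOMS, ADVISORY):
        print(f"{device}: {name} {ver} falls in the affected range of {ADVISORY['id']}")
```

Running it lists only the infusion pump: the monitor already carries the fixed version, the workstation's 1.0.2u is below the introduced version, and the gateway has no copy of the component at all. Without per-device SBOMs, answering that same question means querying each device or vendor by hand.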
SBOM is “kind of like an ingredient label for the software components that are in the medical device,” AdvaMed’s Rothstein said. “The industry will obviously be working with FDA in terms of how it submits or produces an SBOM during the premarket phase of the product review process.”
Rothstein noted that currently most of the medical device industry’s customers require SBOMs and manufacturers are producing the documents so that hospitals and healthcare providers can make them a part of their cybersecurity strategies. However, Rothstein said Biden’s executive order does raise some issues related to SBOM standardization.
The medical device lobbying group wants to see uniform standards for the electronically readable format “to ensure that we create a single type of SBOM,” according to Rothstein. “While it’s good news that the administration and the federal government at large is moving in the direction of requiring SBOMs, we as an industry are focused on right now making sure that it’s done so in a ‘least burdensome’ type manner so we’re more consistent and harmonized across the government and within the ecosystem.”
AdvaMed has been working with the Department of Commerce’s National Telecommunications and Information Administration, which in 2018 launched a multi-stakeholder initiative to improve software component transparency across several industries, including medtech, by standardizing the process for sharing the data so users can better understand what exactly is running on their networks. “As the Department of Commerce implements the executive order and looks at creating criteria and requirements around the provisions of SBOMs,” Rothstein said the agency should “do so in a way that doesn’t conflict or create friction with the processes that FDA would expect of the medical device industry that we’re otherwise already working on.”
REFERENCE: MedTechDive; 21 MAY 2021; Greg Slabodkin