Datasheet: SBOMs for Medical Device Manufacturers

ActiveState provides a simple, standard way for any MDM to create and track SBOMs over time, as well as identify and remediate vulnerabilities quicker. 

Healthcare SBOM Benefits

The US Food and Drug Administration (FDA) has mandated that MDMs must create and maintain an SBOM for each of their devices starting October 1, 2023 due to growing security concerns associated with critical healthcare infrastructure.

Healthcare environments are all too frequently targeted by ransomware attacks because of their use of legacy platforms, as well as increasing reliance on network-connected medical devices that can all too easily get out of date because they are rarely directly update-able by healthcare staff. After all, it’s not like medical providers can just shut down life-sustaining devices if they get compromised by a cyberattack.

SBOMs can help because they:

• List all the software components that comprise the application, service, API, or runtime environment on which the software in a medical device runs.
• Contain detailed information about each software component (both proprietary and third party), as well as third-party integrations.
• Provide an official record that is machine-readable.

But that means healthcare providers must: 

• Ensure an SBOM requirement is included in every contract for the devices they purchase.
• Employ those with the skillset to make use of SBOMs in order to be able to make informed decisions about the risks of software they deploy.
• Work with device manufacturers to expedite remediation of outdated/vulnerable components as/when identified.

At the same time, MDMs must ensure their devices are not only hardened against cyberattack, but that their firmware and software are easily updatable in the field in order to expedite vulnerability remediation.

ActiveState automatically builds Python (as well as Perl, Ruby and Tcl) runtime environments securely from source code, and programmatically generates a JSON and SPDX SBOM for each of them. ActiveState also maintains a history of each runtime and SBOM generated, allowing MDMs to seamlessly recreate development environments (including native libraries) for devices they may have shipped years ago. 

Generating SBOMs is a necessary step, but rather than just providing them to customers they can also act as a key enforcement mechanism. For example, ActiveState SBOMs can be used to:

• Verify runtime environments inside CI/CD containers to ensure the container is built with all required packages – no more, and no less.
• Verify the absence of severe or critical vulnerabilities.
• Let customers know when shipped vulnerabilities have been verified as “not exploitable” via SBOM metadata (i.e., Vulnerability Exploitability eXchange or VEX metadata).

While these capabilities can help MDMs improve the cybersecurity of the devices they ship, vulnerabilities will inevitably crop up in the field. For this reason, ActiveState also ensures that MDMs can remediate vulnerabilities quicker by:

• Flagging and notifying stakeholders when a vulnerability is detected.
• Updating an extensive catalog of open source components on a regular basis, ensuring that fixed versions are readily available.
• Automatically rebuilding the runtime environment when a fixed version is selected, ready for testing/deployment.

All of which can help reduce Mean Time To Remediation (MTTR) from days or weeks to a matter of hours. 

In the wake of increasing cybersecurity threats and stringent regulatory requirements, healthcare organizations face mounting pressure to fortify their defenses against potential vulnerabilities in medical devices. As reliance on open-source software (OSS) grows within the healthcare sector, understanding and managing dependencies becomes paramount. The recent executive order emphasizing cybersecurity risk management further underscores the urgency for healthcare organizations to prioritize security measures and mitigate known vulnerabilities within their medical devices. ActiveState’s Software Bill of Materials (SBOMs) for Medical Device Manufacturers provides a comprehensive solution tailored to address these challenges, enabling organizations to conduct thorough risk assessments and manage dependencies effectively.

By leveraging SBOMs, healthcare organizations gain visibility into the software components and dependencies used within their medical devices, empowering them to identify and address cybersecurity vulnerabilities proactively. With a clear understanding of their device’s attack surface and associated security risks, organizations can implement robust risk management strategies to safeguard patient data and ensure the integrity and reliability of their medical devices. ActiveState’s tailored SBOM solutions offer a vital tool in bolstering medical device cybersecurity, enabling healthcare organizations to navigate regulatory compliance requirements and strengthen their overall security posture in an increasingly complex threat landscape. In response to the evolving cybersecurity landscape and the critical need for enhanced medical device security, the healthcare industry is increasingly embracing the concept of a Cybersecurity Bill of Materials (CBOM) to ensure comprehensive visibility and management of software components within medical devices.

Learn more about generating SBOMs with ActiveState. Contact us to schedule a demo: