These days a “Software Bill of Materials” is often mentioned in the discussions about security vulnerabilities. In particular, Software Bill of Materials empowers healthcare organizations to identify medical IoT device security vulnerabilities before malicious third-parties exploit them as well as to enhance transparency between IoT device manufacturers & providers. How critical is the use of SBoMs for medical IoT device security? We are going to discuss it in this article.
What Is A Software Bill of Materials? 👨💻
Software is a combination of components, development frameworks, libraries, operating system features, etc. A Software Bill of Materials (SBoM) is a description of the set of components contained within a piece of software. This list of software components in a given device boosts transparency between device manufacturers, buyers, and operators to discover and mitigate security weaknesses and protect medical devices from cyberattacks more efficiently.
SBoMs are very helpful to healthcare organizations when it comes to emergency management, software licensing & cybersecurity certifications. In case a security bug/weakness is identified, SBoM can be used by users or manufacturers to locate the source of the issue fasterr and fix it.
A proof-of-concept report by NTIA (2019) covers the scope, benefits, and use cases of SBOMs in healthcare. The Healthcare SBoM PoC aims to encourage healthcare organizations and medical device manufacturers to create and integrate SBOMs into existing processes to increase software transparency & improve cybersecurity risk management.
Advantages of SBoM Implementation In Healthcare ➕
The use of third-party components puts under threat patient health, privacy, and safety. Therefore, if a published software bill of materials (SBOM) is absent, medical device manufacturers and healthcare providers would probably have had to manually conduct an inventory of systems to identify the software/firmware vulnerabilties, which turns to be very resource-intensive & time-consuming process increasing the time of patches to be released.
If software components are unknown, then it is not clear when to patch the software/firmware & there is no knowledge whether this software is potentially vulnerable to an exploit due to an included component or not.
The main motivation for creating SBOMs in healthcare is an enhanced visibility into security flaws that comes along. SBoM in healthcare is a faster way to detect emerging security vulnerabilities in comparison with long aimless search of IoT devices that might have been affected.
Some Stats/Facts About Medical IoT Device Security 👇
Binare Team has gathered some info strengthening the need to secure medical IoT devices with SBoMs:
Insulin Pump Management Vulnerability Could Lead To Device Takeover
Researchers have identified a high-severity vulnerability in the Omnipod Insulin Management System which could allow a malicious third-party to utilize replay-like techniques to send several programming commands of their choice to a targeted OmniPod device. “After obtaining the nonce-word the attacker can send any of these commands without the consent of the user and without any alerts displaying on the user’s devices”.
Of Medical Imaging Devices Used Unsupported Operating Systems That Make Them Vulnerable To Cyberattacks in 2020
“Critical vulnerabilities in millions of connected devices used in hospital networks could allow attackers to disrupt medical equipment and patient monitors, as well as Internet of Things devices that control systems and equipment throughout facilities, such as lighting and ventilation systems.“
Challenges of SBoM Implementation ⚖️
Each IoT device contains thousands of software components & each healthcare organization has ten-thousands of medical devices on their network. This means that the amount of data presents one of SBoM implementation challenges.
Another big challenge is the lack of the proper tools that are needed to support scalable production and widespread use of SBOMs.
How Can Binare.io Help Healthcare Organizations with SBoMs? 🔧
Binaré’s Component Analysis
Binaré offers medical device manufacturers & healthcare organizations an automated IoT Firmware Analysis and Monitoring platform that is designed to help get greater visibility into and reduce IoT security risks by:
- Analyzing your firmware’s software components and configuration for vulnerabilities: We provide actionable information for remediation and certification.
- Continuous monitoring of the software components in your firmware: When new vulnerabilities or threats emerge, we notify you immediately (via alert or pipeline integration) so you can take action.
Binaré fully supports the SBoM concept, agrees on its importance and, therefore, offers an automated solution that identifies the software components in your IoT device firmware. Binare’s automated solution will help your healthcare organization to cope with huge amount of devices to protect from cyberattacks. Come and try our FREE Demo at https://binare.io/. Let us identify the software components in your firmware and give you a comprehensive report on existing vulnerabilities that will help your business to anticipate emerging risks!
Free icons courtesy of flaticon.com by authors: Freepik, Flat Icons