Review

Building resilient medical technology supply chains with a software bill of materials

Seth Carmody et al. NPJ Digit Med. 2021 Feb 23;4(1):34. doi: 10.1038/s41746-021-00403-w.

Abstract

An exploited vulnerability in a single software component of healthcare technology can affect patient care. The risk of including third-party software components in healthcare technologies can be managed, in part, by leveraging a software bill of materials (SBOM). Analogous to an ingredients list on food packaging, an SBOM is a list of all included software components. SBOMs provide a transparency mechanism for securing software product supply chains by enabling faster identification and remediation of vulnerabilities, towards the goal of reducing the feasibility of attacks. SBOMs have the potential to benefit all supply chain stakeholders of medical technologies without significantly increasing software production costs. Increasing transparency unlocks and enables trustworthy, resilient, and safer healthcare technologies for all.


Conflict of interest statement

Seth Carmody is the Vice President of Regulatory Strategy at MedCrypt, Founder and CEO of DRX Labs, and former Cybersecurity Program Manager at the US Food and Drug Administration. Andrea Coravos is the CEO of Elektra Labs, Inc. Audra Hatch is the Product Security Specialist at Thermo Fisher Scientific. Josh Corman is the Chief Security Officer and Senior Vice President at PTC, Inc. Ginny Fahs, Audra Hatch, Janine Medina, Beau Woods, and Josh Corman are all unpaid members of I Am The Cavalry.

Figures

Fig. 1. The impact of vulnerabilities.
A single vulnerability in a single third-party component has the potential to impact individual or classes of devices across innumerable healthcare organizations. Reprinted from NTIA Use Cases and State of Practice Working Group.

Fig. 2. The software supply chain ecosystem.
The software supply chain ecosystem consists of manufacturers of parts, compound parts, and final goods assembled, and operators. A software bill of materials provides visibility into the contents of software throughout the supply chain. Reprinted from NTIA Use Cases and State of Practice Working Group.

Fig. 3. Multiple vulnerability pathways.
A single vulnerability has the potential to impact operations via multiple pathways. The same vulnerable third-party component can exist in medical devices and in enterprise systems. Both must be addressed to protect the entire healthcare technology ecosystem. Reprinted from NTIA Use Cases and State of Practice Working Group.
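As an added illustration of the lookup the abstract and Fig. 3 describe (example code written for this page, not part of the paper or of any NTIA tooling): given SBOMs for several assets and an advisory for one third-party component, the script reports every asset, medical device or enterprise system alike, that ships an affected version. Asset names, component names, versions and the advisory are constructed placeholders, and the SBOM layout is a minimal CycloneDX-like shape rather than the full standard.

```python
import json

# Constructed SBOMs for three assets, loosely following the CycloneDX JSON
# layout (a "components" list of name/version entries). All names and
# versions are illustrative, not any real product's bill of materials.
SBOMS = {
    "infusion-pump-model-x": '{"components": [{"name": "example-tls-lib", "version": "1.0.2"},'
                             ' {"name": "example-rtos", "version": "4.1.0"}]}',
    "hospital-ehr-gateway": '{"components": [{"name": "example-tls-lib", "version": "1.1.1"},'
                            ' {"name": "example-http-server", "version": "2.4.0"}]}',
    "patient-monitor-model-y": '{"components": [{"name": "example-tls-lib", "version": "1.2.0"}]}',
}

# Constructed advisory: a flaw in example-tls-lib present from 1.0.0 and fixed in 1.2.0.
ADVISORY = {"component": "example-tls-lib", "introduced": "1.0.0", "fixed": "1.2.0"}


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version into a comparable tuple: '1.10.0' -> (1, 10, 0)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, advisory: dict) -> bool:
    """Affected if introduced <= version < fixed (half-open range, so the fix version is clean)."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def affected_assets(sboms: dict, advisory: dict) -> dict:
    """Cross-reference every asset's SBOM against the advisory.

    Returns {asset: [matching component entries]} for assets that ship a
    vulnerable version, whether they are medical devices or enterprise systems.
    """
    hits = {}
    for asset, sbom_json in sboms.items():
        components = json.loads(sbom_json).get("components", [])
        matches = [c for c in components
                   if c.get("name") == advisory["component"]
                   and is_affected(c["version"], advisory)]
        if matches:
            hits[asset] = matches
    return hits


if __name__ == "__main__":
    for asset, comps in affected_assets(SBOMS, ADVISORY).items():
        print(asset, "->", ", ".join(f"{c['name']} {c['version']}" for c in comps))
```

With the constructed data, the pump and the EHR gateway are reported while the monitor on the fixed version is not; without an SBOM per asset, that answer would require asking each vendor.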

References

    1. Cyber Security & Infrastructure Security Agency. Critical infrastructure sectors. https://www.dhs.gov/cisa/critical-infrastructure-sectors (2015).
    2. U.S. Department of Health and Human Services. HITECH Act Enforcement Interim Final Rule. https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-en... (2009).
    3. Slotwiner D, et al. HRS Expert Consensus Statement on remote interrogation and monitoring for cardiovascular implantable electronic devices. Heart Rhythm. 2015;12:e69–e100. doi: 10.1016/j.hrthm.2015.05.008.
    4. National Telecommunications and Information Administration (NTIA) Use Cases and State of Practice Working Group. Roles and Benefits for SBOM Across the Supply Chain. https://www.ntia.gov/files/ntia/publications/ntia_sbom_use_cases_roles_b... (2019).
    5. National Audit Office. Investigation: WannaCry Cyber Attack and the NHS. https://www.nao.org.uk/wp-content/uploads/2017/10/Investigation-WannaCry... (2017).
