Medical Device SBOMs: Attention to Details MatterKen Hoyme, Longtime Device Security Leader, on Critical Considerations
It's not enough for medical device makers to provide a software bill of materials - there also needs to be close attention paid to how vulnerabilities in components are communicated and managed, says Ken Hoyme, retired product security leader at medical device maker Boston Scientific.
"A software bill of materials at least exposes what the [device's] underlining third-party software is and for end users and manufacturers to understand when they might have a vulnerable software component in one of their devices," says Hoyme, who recently joined the advisory board of security firm MedCrypt.
The industry faces a range of important issues that factor into how helpful these SBOMs are for healthcare delivery organizations, he says. Depending on its size, a healthcare entity might have in its environments hundreds of thousands of devices of different types and versions from hundreds of various vendors, he says.
"Clearly, across a big healthcare system, it can take several months to get a patch deployed. And you might have devices of multiple versions out there. Those could have multiple SBOM versions for a relevant 2,500 devices from 500 suppliers, for example" Hoyme says.
"The volume of data and how as an industry we manage that effectively is critical."
Most healthcare delivery organizations do not have the bandwidth to go to hundreds of websites to download thousands of SBOMs every week to see what's updated, he adds.
Other considerations further complicate matters, he says. For instance, even if a device uses software that is later discovered to have certain vulnerabilities, that does not necessarily mean the software function is even enabled in the device, Hoyme says.
"When WannaCry hit in 2017, the ransomware exploited a Microsoft networking standard … but a lot of devices did not use that networking standard. So, if you do not have that networking function enabled, you were not vulnerable to WannaCry, and yet there was a patch that permanently fixed it," he says.
"Saying you had a vulnerable version of the Windows operating system didn’t tell you whether or not that particular protocol was in use and whether the device would be vulnerable."
In the interview (see audio link below photo), Hoyme also discusses:
- The importance of medical device threat modeling;
- Legacy medical device security challenges;
- Promising recent advancements in medical device cybersecurity.
Hoyme has nearly 40 years of experience in the design of regulated safety-critical secure systems. He recently retired from Boston Scientific, where he established the companywide product security program, incorporating security requirements across their quality system. Hoyme has been active in many cross-industry initiatives, including at the Health Information Sharing and Analysis Center, the Association for the Advancement of Medical Instrumentation, and the Medical Device Innovation Consortium.