Eracent Will Provide Its World-Class SBOM Management Application at No…

An SBOM by itself is impotent and ineffective if it is not constantly scrutinized by an automated, proactive process with instant visibility and vigilance in mitigating and resolving any component-level security weaknesses across the life cycle of the hardware/software device.

Cyberattacks in the U.S. healthcare sector have more than doubled from 2016 to 2021, compromising the use of medical devices and protected health information of nearly 42 million people nationwide.(1) Cybercriminals place a high premium on the healthcare industry’s data infrastructure because even relatively small healthcare providers can provide a one-stop-shop for data mining hundreds of thousands of patients’ sensitive information.(2) The HIPAA Journal’s research statistics reveal that hacking is now the leading cause of healthcare data breaches.(3)

On December 29, 2022, the bipartisan $1.7 trillion Omnibus Appropriations Act was signed into law. A measure in the new bill provides the FDA with the authority to require medical device manufacturers to take additional cybersecurity protection measures, such as the inclusion of a Software Bill of Materials (SBOM) with each device brought to market through future pre-market submissions.(4) As of March 22, 2023, what were once cybersecurity control guidelines are now enforceable requirements.

Walt Szablowski, Founder and Executive Chairman of Eracent, which has provided complete visibility into its large enterprise clients’ networks for over two decades, suggests, “These new cybersecurity regulations tend to have a cascade effect that may sneak up on some unsuspecting entities in and around the aggregate medical-industrial complex. The good news is that Eracent can help catch everyone up to speed and is offering free access to Eracent’s Supply Chain Risk Management application (SBOM Management Application) to hospitals, healthcare facilities, and medical device software developers.”

It’s getting harder to underestimate the evil genius of the modern-day cybercriminal. The FBI has been sounding the alarm regarding the vulnerabilities of ‘unpatched’ or outdated medical devices that run on legacy software and those with substandard security features. Medical devices, such as insulin pumps, defibrillators, mobile cardiac telemetry, pacemakers, and intrathecal pain pumps, can be appropriated by malicious hackers who could endanger a patient’s health by changing a monitor’s reading or administering a drug overdose. A skilled hacker can exploit unsecured devices, interfere with a medical facility’s operational activity, and compromise data confidentiality and integrity.(5)

An SBOM essentially contains a listing of items that make up the ingredients of a hardware/software device. It comes into play when tracking security vulnerabilities and updates for each software component. The SBOM is also used for the verification and management of software licenses. Szablowski elaborates, “An SBOM by itself is impotent and ineffective if it is not constantly scrutinized by an automated, proactive process with instant visibility and vigilance in mitigating and resolving any component-level security weaknesses across the life cycle of the hardware/software device. Eracent’s cutting-edge Intelligent Cybersecurity Platform (ICSP)™ Cyber Supply Chain Risk Management™ (C-SCRM) module is unique in that it provides an additional, critical level of protection to minimize software-based security risks.”

The ICSP C-SCRM recognizes obsolete components that can increase security risks; it offers up-to-the-minute protection by independently scanning the itemized details within the SBOM and matching each listed component to the most up-to-date vulnerability data using Eracent’s IT-Pedia® IT Product Data Library — a single, authoritative source for essential data concerning millions of IT hardware and software products. Medical device software developers frequently use open-source software (OSS) to build products faster and hasten their release to market. OSS is pre-coded, real-world-tested, and often free to use. An astounding 92% of applications contain open-source software.(6) Standard vulnerability analysis tools do not scan individual OSS components within applications.

Simple tools that enable the creation and analysis of SBOMs are not enough. Eracent’s ICSP C-SCRM system takes a consolidated, proactive management approach — structure, automation, and reporting. The healthcare industry needs to appreciate the risks that may exist in the medical device software they use, whether open-source or proprietary. And medical device manufacturers need to acknowledge the potential risks inherent in the products they offer. Healthcare stakeholders must rigorously fortify their cybersecurity with the enhanced level of protection Eracent’s ICSP C-SCRM system delivers.

Szablowski states, “Eracent’s client base includes some of the world’s largest corporate and government networks and IT environments. We are happy to get all healthcare sectors affected by the government’s new medical device cybersecurity regulations on the road to compliance with the FDA’s new SBOM mandates. We are now offering medical providers and device manufacturers unprecedented free access to our SBOM supply chain risk End-Point Discovery and End-Point Analysis software solutions.”

About Eracent

Walt Szablowski is the Founder and Executive Chairman of Eracent and serves as Chair of Eracent’s subsidiaries (Eracent SP ZOO, Warsaw, Poland; Eracent Private LTD in Bangalore, India; and Eracent Brazil). Eracent helps its customers meet the challenges of managing IT network assets, software licenses, and cybersecurity in today’s complex and evolving IT environments. Eracent’s enterprise clients save significantly on their annual software spend, reduce their audit and security risks, and establish more efficient asset management processes. Eracent’s client base includes some of the world’s largest corporate and government networks and IT environments. Dozens of Fortune 500 companies rely on Eracent solutions to manage and protect their networks. Visit https://eracent.com/.

References:

1. Half of ransomware attacks have disrupted healthcare delivery, JAMA report finds. Healthcare IT News. (2023, January 10). Retrieved March 21, 2023, from healthcareitnews.com/news/half-ransomware-attacks-have-disrupted-healthcare-delivery-jama-report-finds
2. HIPAA Journal. (2022, October 14). Editorial: Why do criminals target medical records. HIPAA Journal. Retrieved March 21, 2023, from http://www.hipaajournal.com/why-do-criminals-target-medical-records/#:~:text=Healthcare%20records%20are%20so%20valuable,credit%20cards%20in%20victims’%20names
3. Healthcare Data Breach Statistics. HIPAA Journal. (2023, March 8). Retrieved March 21, 2023, from hipaajournal.com/healthcare-data-breach-statistics/
4. Erica Abshez Moran, A. L. C. (2023, February 20). The omnibus appropriations act grants FDA formal authority to require cybersecurity action by medical device manufacturers. Faegre Drinker on Products. Retrieved March 21, 2023, from faegredrinkeronproducts.com/2023/02/the-omnibus-appropriations-act-grants-fda-formal-authority-to-require-cybersecurity-action-by-medical-device-manufacturers/
5. FBI warns of vulnerabilities in medical devices following several CISA alerts. (2022, September 12). Retrieved March 21, 2023, from therecord.media/fbi-warns-of-vulnerabilities-in-medical-devices-following-several-cisa-alerts/
6. Cybellum. (2022, May 11). Our medical devices’ open source problem – what are the risks? BleepingComputer. Retrieved March 21, 2023, from bleepingcomputer.com/news/security/our-medical-devices-open-source-problem-what-are-the-risks/
