Global Medical Device Podcast powered by Greenlight Guru

Software Bill of Materials (SBOMs) & Cybersecurity in the Medical Device Industry

Jun 1, 2022

Certified CyberSecurity Leader Ken Zalevsky discusses Software Bill of Materials (SBOMs) and cybersecurity in the medical device industry. He highlights the importance of SBOMs, the distinction between safety and security, and the challenges faced by medical device manufacturers in ensuring cybersecurity. The episode delves into regulatory expectations, risk profiles, and the integration of SBOMs into manufacturing processes.

40:00

Creator website

Episode guests

Ken Zalevsky

AI Summary

Highlights

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

Software Bill of Materials (SBOM) aids in understanding device software components and cybersecurity risks for end users.

Manufacturers face challenges in creating and updating SBOM for legacy devices, necessitating proactive risk mitigation strategies.

Deep dives

Importance of Software Bill of Materials (SBOM) in Cybersecurity

Software Bill of Materials (SBOM) is essential for providing transparency into the software components of medical devices, aiding in understanding the risk profile of deployed systems. This transparency allows end users to comprehend the technologies running on their networks, safeguarding against potential cybersecurity threats. By integrating SBOM from the design and development phases, device manufacturers can ensure the security of products deployed in healthcare settings, addressing the vulnerability of interconnected medical devices in hospitals.

Challenges of Designing for Safety vs Security in Medical Devices

01:49

The Importance of Software Bill of Materials in Cyber Security

01:07

FDA Expectations for Device Manufacturers

01:14

Introduction

3min

Exploring the Significance of Software Bill of Materials (SBOM) in Medical Devices

3min

Navigating Cybersecurity Challenges in Healthcare Devices

9min

Exploring Risk Profiles and Cybersecurity Challenges in Medical Devices

4min

The Importance of Software Bill of Materials (SBOMs) in the Medical Device Industry

18min

Discussion on Integrating SBOM for Cybersecurity in Medical Devices

2min

In this episode of the Global Medical Device Podcast Jon Speer and Etienne Nichols talk to Ken Zalevsky, Certified CyberSecurity Leader and CEO of Vigilant Ops, about software bill of materials (SBOMs) and cybersecurity in the medical device industry.

Ken has collaborated with the FDA, U.S. Department of Homeland Security (DHS), and National Telecommunications and Information Administration (NTIA) on cybersecurity initiatives, including cyber simulation exercises, industry guidance documents, and SBOMs. Ken’s written work advises medical device manufacturers on cybersecurity best practices and coaches hospitals on handling record numbers of breaches.

Some of the highlights of this episode include:

Ken defines an SBOM as a list of software components that compose any system, application, or device. In health care, medical devices are computer-based systems with software components.
Engineers may know all about software and security, but not with medical devices and SBOMs. Medical device manufacturers are familiar with safety and efficacy in a regulated industry and may need to overcome software challenges.
Most medical device software teams don’t build everything that is in a medical device. Scope appropriately because third-party components may involve risk.
Safety is not the same as security, but both should be included early in the product life cycle. Cybersecurity standards include authorization, authentication, and encryption versus safety recalls, use cases, and vulnerabilities.
SBOMs are not evergreen documents. They need to be maintained and updated regularly to act, react, and take action.
Health care is the primary target for hackers over other verticals and the response time in health care has always been the slowest. Today, it takes about 160 days for a healthcare organization to discover a security breach.

Memorable quotes from Ken Zalevsky:

“A detailed list of those software components is really the essence of an SBOM.”

“At the heart of it, the idea and the purpose of the SBOM is to give that transparency into software components that are utilized in medical devices.”

“Most software companies, especially medical device software teams, don’t build everything that’s in the device. They take components from other third parties and there’s risk associated with those components.”

“You can’t blame it all on the hospital because the hospital has no idea what’s running in those devices.”

“Providing that transparency, understanding what you’re deploying on your network, just is common sense.”