Using software bill of materials to make medical technology supply chains more resilient

As patient care becomes more tied to software, we propose the software equivalent of an ingredients list on food packaging to keep patients safe.


This blog post is our 'Behind the Paper' on "Building resilient medical technology supply chains with a software bill of materials", which was published on February 23, 2021.

Patient care increasingly revolves around software. While connectivity of medical devices and systems brings many patient benefits, it introduces new risks and leaves patients vulnerable to digital attacks.

Most software is made up of components, many of which come from third parties. A 2017 audit estimated that 96% of commercial software products rely on third-party components. Use of third-party components reduces the cost, time, and resources required to commercialize software. However, a vulnerability in a single component can cause software to buckle in an attack, and thus has potential to upend patient health, privacy, and safety.

A single vulnerability in a single third-party component has the potential to impact individual or classes of devices across innumerable healthcare organizations.

This manuscript introduces the software bill of materials (SBOM) as a tool to increase transparency of third-party components used in medical technology. An SBOM is the software equivalent of an ingredients list on food packaging. The ingredients list explains what’s inside food (e.g., salt, nuts, and high-fructose corn syrup), allowing individuals with medical conditions, allergies, or preferences to make better buying decisions. Similarly, an SBOM lists every component of software in the finished product. 

By enumerating what’s inside software, the SBOM ensures that anyone who chooses the software product knows its relative hygiene, and anyone who uses the product has a sense of its composition. When a vulnerability is discovered, SBOMs enable patients or organizations to identify technologies that may be impacted and make urgent software updates to mitigate threats.
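
As an added illustration (not code from the paper), the Python sketch below shows the lookup described above: given an advisory for one component, walk each device's SBOM, including nested third-party components, and report which devices ship an affected version. The nested-dictionary SBOM layout, the device and component names, and the version range are constructed assumptions, not a standard SBOM format.

```python
# Added illustration. All device names, component names and versions below
# are constructed sample data, not taken from the paper or any real product.
INVENTORY = {
    "infusion-pump-A": {"name": "pump-firmware", "version": "4.2.0", "components": [
        {"name": "rtos-kernel", "version": "7.1.3", "components": [
            {"name": "tcpip-stack", "version": "2.0.9", "components": []}]},
        {"name": "tls-lib", "version": "1.1.1", "components": []}]},
    "patient-monitor-B": {"name": "monitor-app", "version": "9.0.1", "components": [
        {"name": "tcpip-stack", "version": "2.1.4", "components": []}]},
    "imaging-console-C": {"name": "console-suite", "version": "3.5.0", "components": [
        {"name": "ui-toolkit", "version": "12.0.0", "components": [
            {"name": "net-helper", "version": "0.8.0", "components": [
                {"name": "tcpip-stack", "version": "2.0.3", "components": []}]}]}]},
    "glucose-meter-D": None,  # hypothetical device whose vendor supplied no SBOM
}

def parse_version(text):
    """Turn '2.0.9' into (2, 0, 9) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def walk(component, path=()):
    """Yield every component in an SBOM tree with its dependency path."""
    path = path + (component["name"],)
    yield component, path
    for child in component.get("components", []):
        yield from walk(child, path)

def triage(inventory, name, first_affected, first_fixed):
    """Return (affected, unknown) for `name` in [first_affected, first_fixed)."""
    low, high = parse_version(first_affected), parse_version(first_fixed)
    affected, unknown = {}, []
    for device, sbom in inventory.items():
        if sbom is None:
            unknown.append(device)  # cannot be assessed without an SBOM
            continue
        for comp, path in walk(sbom):
            if comp["name"] == name and low <= parse_version(comp["version"]) < high:
                affected.setdefault(device, []).append(
                    " > ".join(path) + "@" + comp["version"])
    return affected, unknown

if __name__ == "__main__":
    affected, unknown = triage(INVENTORY, "tcpip-stack", "2.0.0", "2.1.0")
    for device, paths in affected.items():
        print(device, "affected via", paths)
    print("no SBOM, needs manual review:", unknown)
```

The dependency path in each result shows where the component entered the product, and the device without an SBOM is reported separately because nothing can be concluded about it.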

In our manuscript, we offer a brief history of SBOM, outline the role of SBOM in proactive risk mitigation and resilience, and detail how the SBOM can aid builders, buyers, and operators of software -- as well as regulators -- in protecting patients.

Widespread adoption of SBOM could mean earlier identification of software vulnerabilities, shorter time to remediation, and heightened awareness of outbreaks and their effects. SBOMs also have a role to play in advancing the public’s trust in connected technologies by making software more transparent. A growing number of regulators, builders, and operators are recognizing the value of SBOMs. Our aspiration is that the healthcare community will move towards adopting SBOMs in service of patients.

Acknowledgements

Many thanks to my co-authors of "Building resilient medical technology supply chains with a software bill of materials": Seth Carmody, Andrea Coravos, Audra Hatch, Janine Medina, Beau Woods, and Joshua Corman. Thanks to Audra Hatch and NTIA Use Cases and State of Practice Working Group for the figure, and OpenIDEO Cybersecurity Visuals and Jeroen de Bakker for the cover photo.

Ginny Fahs

Tech Policy Fellow, The Aspen Institute