In today’s world of Internet of Things (IoT), the possibility for connection is endless: cars, watches, light bulbs, HVAC, refrigerators—even humans and the devices monitoring and controlling their health can be connected. Medical devices such as insulin pumps and continuous glucose monitors, for example, are increasingly connected to smartphones via Bluetooth. During the pandemic, lockdowns heightened the need to treat people at home, so the number of internet-connected medical devices grew dramatically.
But this increased connectivity can present risks as well as benefits. Connected insulin pumps require online accounts that use the patient’s personal information, which could be compromised. Insulin pumps also have the potential of hackers gaining unauthorized access. Because medical devices are connected through a network, there is even a risk of malware. Because of such risks, cybersecurity for connected medical devices has become extremely important.
Effective March 29, 2023, the FDA started enforcing cybersecurity requirements for medical devices, including a Cybersecurity Bill of Materials (CBOM). A CBOM requires medical device manufacturers to self-attest to the accuracy of a comprehensive list of software and hardware components used in their medical devices, including third-party software and open source components. A Software Bill of Materials (SBOM) is one aspect of the CBOM. With medical devices, the need for complete and accurate SBOMs is especially important.
The National Telecommunications and Information Administration (NTIA) defines minimum elements for an SBOM, and the FDA requires additional elements including support level, support end date, and known security vulnerabilities. Because open source projects do not have support levels or support end dates, these additional elements largely apply to the third-party/commercial components used within an application.
Companies across all industries are scrambling to create compliant SBOMs, and some turning to third parties for help. Third-party vendors providing SBOMs that meets the FDA requirements will need to completely and accurately identify both open source and third-party/commercial components.
Black Duck has provided robust and accurate SBOMs for its customers for over 16 years. Its sophisticated tools allow for snippet-level identification of components, and its sophisticated string search algorithms can identify all third-party/commercial components.
Black Duck also offers a SBOM-as-a-service solution that delivers a complete and accurate SBOM in standard formats (SPDX, CDX) that meet the FDA’s requirements. Black Duck can also validate that an SBOM generated internally or by one of its software supply chain partners meets FDA requirements.