Expert Opinions

SBOMs and Four Pillars for Managing Medical Device Software Security

Updated: July 5, 2022

Medical devices, which are more complex than ever, face new security challenges, especially now that they are connected to the outside world for remote access and monitoring, or used in home care applications. These risks raise the stakes for manufacturers in terms of product safety liability, because security vulnerabilities can impact human lives.

Unlike enterprise and government technology, where cybersecurity has been a mainstay for years, product security is a relatively new discipline for medical device manufacturers. Meanwhile, the use of third-party software in connected devices, including open-source components and libraries, further raises the ante, making software supply-chain security increasingly critical.

Even though threat assessment and mitigation of third-party components is still an emerging discipline, some early medical-device-specific standards, such as ISO/IEC 62304, do provide guidance for defining risk- and quality-driven processes for medical device software development.

The FDA also recently issued new draft guidance for medical device manufacturers on how to address cybersecurity risk for premarket approval of equipment. Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions includes guidance for generating an SBOM (software bill of materials). This draft guidance mandates that manufacturers provide SBOMs identifying third-party and open-source components in the premarket submission of their devices, and prove that they are capable of updating and patching security issues.

Given these challenges, a new approach to medical device software development is required to keep pace with market challenges and lower the liability associated with product safety and security. Here are four pillars for managing the medical device software supply chain.

  • Design with a security-first philosophy: Treating security as a primary requirement alongside safety and functionality is crucial in developing secure medical devices. Security can’t simply be added on later.
  • Shift security left: The best time to detect security vulnerabilities is as soon as developers write new code (or test cases) and before it is submitted to a build or source control system. Finding and fixing vulnerabilities as early as possible in the SDLC (software design life cycle) reduces risk, cost, and delays.
  • Assess third-party software: Most projects require the use of open-source, commercial, and SOUP (software of unknown pedigree) components. Perform software composition analysis of all third-party software to create SBOMs, detect security vulnerabilities, and enable remediation and risk reduction.
  • Audit continuously: Auditing software under development on a continuous basis to ensure quality, security, and safety at all stages is critical to success. Ensuring that a product meets audit standards before shipping demonstrates the due diligence and risk management required for FDA premarket approval.
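
As an added illustration of the third and fourth pillars (example code written for this page, not code from the article, GrammaTech, or ICS), the script below cross-checks a constructed SBOM against a constructed advisory list and gates the build on the result. The CycloneDX-style JSON layout, the component names, and the placeholder advisory ids are all assumptions, not values from the article.

```python
import json

# Constructed SBOM in CycloneDX-style JSON (the format is an assumption): the
# third-party components an SCA tool would inventory for the device firmware.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libtls-example", "version": "1.2.3"},
    {"type": "library", "name": "jsonparse-example", "version": "0.9.1"},
    {"type": "library", "name": "vendor-blob", "version": "unknown"}
  ]
}"""

# Constructed advisory list; the ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "libtls-example",
     "affected_below": "1.2.5", "fixed": "1.2.5"},
    {"id": "ADV-PLACEHOLDER-2", "name": "jsonparse-example",
     "affected_below": "0.9.0", "fixed": "0.9.0"},
]

def parse_version(text):
    """'1.2.3' -> (1, 2, 3); None when unparsable, e.g. SOUP marked 'unknown'."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return None

def audit_sbom(sbom_json, advisories):
    """One finding per vulnerable component, plus one per component whose
    version cannot be established: unversioned SOUP cannot be cleared."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        version = parse_version(comp.get("version", ""))
        if version is None:
            findings.append({"component": comp["name"], "issue": "version unknown",
                             "action": "establish provenance or replace"})
            continue
        for adv in advisories:
            if adv["name"] == comp["name"] and version < parse_version(adv["affected_below"]):
                findings.append({"component": comp["name"], "issue": adv["id"],
                                 "action": "upgrade to " + adv["fixed"]})
    return findings

def release_gate(findings):
    """Continuous-audit gate: a build ships only when no findings remain."""
    return not findings
```

Running `audit_sbom(SBOM_JSON, ADVISORIES)` on the constructed input flags the outdated TLS library for upgrade and the unversioned vendor blob for provenance review, so `release_gate` fails until both are resolved.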

While this list may seem like a tall order to adopt in the short term, software supply-chain security is a long-term problem. Start small and implement these best practices gradually. In the near term, application security testing and analysis tools can improve the security of newly developed code and help catalog the risks present in third-party software already in use.

Medical device software developers need to adapt to changing security dynamics. The horse has left the barn: the use of third-party software and open-source code in embedded medical applications is now the norm. A proactive risk management process to ensure the safety and security of the software supply chain is therefore required.

Implementing these four security pillars at every stage of the SDLC will help ensure you diagnose problems early and cure them before they reach an advanced stage that can result in product delays or recalls.

Vince Arneja is the chief product officer at GrammaTech, Maryland. He has more than 20 years of management experience in product strategy spanning application, cloud, mobile, endpoint, and network security. Arneja also serves as an advisor to various cybersecurity companies.

Peter Winston is the founder and CEO of ICS (Integrated Computer Solutions), Massachusetts. ICS creates embedded touchscreen, voice and gesture-powered smart devices and products – everything from high-performance medical devices, in vitro diagnostic instruments, and scientific software to embedded air traffic control systems, smart agri-business equipment, and in-vehicle infotainment systems for Tier-1 automakers.

© 2023 Connected World.