As each hospital has an average of 20,000 device, each vulnerability poses a patient safety risk. The sector's rapid adoption of SBOM use to improve device security, could serve as a model for other sectors. (EDITORIAL USE ONLY) (Photo by Go Nakamura/Getty Images)

A recent Linux report examining the current state of software bills of materials and adoption readiness shows that while healthcare is known to lag in key cybersecurity areas, the sector is leading the charge on SBOM adoption. In fact, researchers say it could be used as an adoption model for other industries.

SBOMs are machine-readable metadata that identifies software packages and their contents, as well as copyrights and license data. Its purpose is to provide transparency into device components, given the heavy reliance on third-party materials to support these products.

The Linux report tackles these issues and takes the pulse of SBOM readiness across enterprises, finding that the healthcare sector provides a strong model for adoption. They surveyed 412 global organizations and found the majority of all sector entities expect to either produce or consume SBOMs this year and are actively engaged in addressing SBOM needs.

SBOM, the healthcare necessity

The use of SBOM best enables transparency into interdependencies across application components for developers, with about half of respondents noting that the use makes it easier to manage license compliance and monitor components for vulnerabilities.

In healthcare, with its overreliance on legacy platforms, industry leaders have long stressed the importance of providing SBOM for all medical devices to reduce challenges with patch management and visibility into vulnerabilities.

For Hilary Carter, vice president of the Linux Foundation, the report revealed encouraging findings for SBOM adoption in the healthcare sector. 

“There’s a sense of urgency to implement cybersecurity best practices in health and safety applications because people's lives depend on the functionality of digital solutions across medical devices, from diagnostics to treatment and beyond,” Carter told SC Media.

As a result, they’re seeing hospitals add SBOM requirements into procurement contracts. A senior FDA policy advisor confirmed in the report that given device vulnerabilities pose patient safety risks, hospitals are leveraging their purchasing power to put SBOM requirements into their contracts.

The Food and Drug Administration’s clear leadership role in both advocating for and adopting SBOM is also adding to the encouraging growth of its use, while creating “a model for the entire healthcare industry worldwide," she added.

As noted, the FDA has been working with stakeholders to determine the best way to achieve these goals, even considering adding SBOM and the capability to update security of product design as part of its premarket submissions. Many medical device and IT stakeholders are also working on how to build, share, and use SBOMs to reduce cyber risk. The recent Biden Administration’s Executive Order also calls on the use of SBOM to bolster cybersecurity. 

Last year, the FDA prioritized delivery of its final SBOM market guidance to combat concerns like these and is expected to require manufacturers of medical devices to include SBOM with their products. In response, healthcare markets have fast-tracked SBOM adoption.

The report shows that the majority of respondents see the transparency SBOMs provide as one of the most important benefits for the healthcare sector. A senior FDA policy adviser explained in the report that in its current state, medical and healthcare sectors lack real insights into software. 

And many don’t have “the skill set to be able to go out and find this information for themselves if they need it.”

“Hospital procurement officers don’t know how to examine an SBOM, the package manager listings, or the open source licensing distribution lists to see if there is risky software that they should not be bringing into their environments,” the adviser continued. “They don’t have the information or the expertise to make those kinds of decisions.”

Additional medical device challenges revolve around vendors not wanting to disclose this information, including manufacturers that may “not want to admit that they’re using outdated pieces of software in some circumstances.” 

The report shows the FDA, however, will not back down from their transparency-push. Specifically, without the information contained in the SBOM, healthcare is struggling to readily make assessments or evaluations to address ongoing security risks. With a formal SBOM, healthcare security leaders can more effectively manage risk.

The road to a SBOM standard

The report notes that other sectors, such as automotive and energy, also have domain-specific needs and are looking for best practices on SBOM adoption. As a result, the healthcare sector can be used as an example on how SBOM compliance evolves in time.

However, the respondents named some clear production concerns, including whether the industry is committed to SBOMs and whether there’s an industry consensus for what an SBOM should contain.

As for the progress, 62% of respondents said the most pressing issue is the need for industry consensus on best practices on integration of production and consumption of SBOMs into software development, which typically occurs in DevOps. But every entity has its own model for DevOps tool chain, processes, and activities, and there’s also a lack of consensus on who owns production and consumption. These variances will continue to hinder adoption.

The second-greatest challenge, as noted by 58%, is the need for a consensus on best practices for integrating SBM production and consumption governance, risk, and compliance policies. The responses again reflect the need for greater conversations around the FDA efforts to bolster use of SBOM.

Software vendor involvement must improve to reduce concerns around their SBOM focus, or lack thereof. As 94% of the report respondents have plans to consume SBOM this year, transparency into the model will be imperative for adoption.

The report also stressed that the recent Biden administration’s executive order “represents more pressure being added from the regulatory government’s side of things on healthcare,” noting that SBOM inclusion may not be a choice in the future. The FDA adviser said in the report the move could “impact on every link in the supply chain.”

“When a manufacturer in healthcare turns around to a supplier and says I’m not going to pay you anymore unless you provide SBOMs, it ends up being an N minus one forcing function of everybody turning around to their own suppliers and saying, because I’m being forced to do this, you’re going to be forced to do this, and this is how it gets done,” the adviser concluded.

The executive order essentially "put a stake in the ground to help stimulate the demand for SBOMs, by requiring SBOMs for software purchased by the government. Although the method slightly varies from healthcare where a regulator imposed SBOM requirements, "the results are similar – genuine end user demand or demand by proxy."