Using software bill of materials to make medical technology supply chains more resilient

As patient care becomes more tied to software, we propose the software equivalent of an ingredients list on food packaging to keep patients safe.
Published in Healthcare & Nursing

This blog post is our 'Behind the Paper' on Building resilient medical technology supply chains with a software bill of materials, which was published on February 23, 2021.

Patient care increasingly revolves around software. While connectivity of medical devices and systems brings many patient benefits, it introduces new risks and leaves patients vulnerable to digital attacks.

Most software is made up of components, many of which come from third parties. A 2017 audit estimated that 96% of commercial software products rely on third-party components. Use of third-party components reduces the cost, time, and resources required to commercialize software. However, a vulnerability in a single component can cause software to buckle in an attack, and thus has potential to upend patient health, privacy, and safety.

A single vulnerability in a single third-party component has the potential to impact individual or classes of devices across innumerable healthcare organizations.

This manuscript introduces the software bill of materials (SBOM) as a tool to increase transparency of third-party components used in medical technology. An SBOM is the software equivalent of an ingredients list on food packaging. The ingredients list explains what’s inside food (e.g., salt, nuts, and high-fructose corn syrup), allowing individuals with medical conditions, allergies, or preferences to make better buying decisions. Similarly, an SBOM lists every component of software in the finished product. 

By enumerating what’s inside software, the SBOM ensures that anyone who chooses the software product knows its relative hygiene, and anyone who uses the product has a sense of its composition. When a vulnerability is discovered, SBOMs enable patients or organizations to identify technologies that may be impacted and make urgent software updates to mitigate threats.
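As an added illustration (not code from the paper or this post), the script below performs the lookup just described: a constructed vulnerability advisory is matched against constructed CycloneDX-style SBOMs for three hypothetical device models to find which devices ship an affected component version. Device names, component names, versions and the advisory identifier are all invented for the example.

```python
import json

# Constructed SBOMs in a minimal CycloneDX-style JSON layout (components with name,
# version and package URL). Device and component names are invented for this example.
DEVICE_SBOMS = {
    "infusion-pump-model-A": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "example-tls", "version": "1.2.3",
             "purl": "pkg:generic/example-tls@1.2.3"},
            {"type": "library", "name": "example-json", "version": "3.0.1",
             "purl": "pkg:generic/example-json@3.0.1"},
        ]}),
    "patient-monitor-model-B": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "example-tls", "version": "1.2.5",
             "purl": "pkg:generic/example-tls@1.2.5"},
        ]}),
    "imaging-workstation-C": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "example-tls", "version": "1.1.9",
             "purl": "pkg:generic/example-tls@1.1.9"},
        ]}),
}

# Constructed advisory (placeholder id, not a real CVE): example-tls below 1.2.5 is affected.
ADVISORY = {"id": "ADV-EXAMPLE-0001", "purl_prefix": "pkg:generic/example-tls@", "fixed_in": "1.2.5"}

def parse_version(v):
    """Dotted numeric version -> comparable tuple, e.g. '1.2.3' -> (1, 2, 3)."""
    return tuple(int(part) for part in v.split("."))

def components(sbom_json):
    """Yield (purl, version) for every component listed in an SBOM document."""
    for c in json.loads(sbom_json).get("components", []):
        yield c["purl"], c["version"]

def affected_devices(sboms, advisory):
    """Map each device whose SBOM lists an affected component version to that version."""
    fixed = parse_version(advisory["fixed_in"])
    hits = {}
    for device, sbom_json in sboms.items():
        for purl, version in components(sbom_json):
            if purl.startswith(advisory["purl_prefix"]) and parse_version(version) < fixed:
                hits[device] = version
    return hits
```

Running `affected_devices(DEVICE_SBOMS, ADVISORY)` returns the two devices on pre-fix versions and skips the monitor that already ships 1.2.5, which is exactly the triage an operator needs before prioritising updates.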

In our manuscript, we offer a brief history of SBOM, outline the role of SBOM in proactive risk mitigation and resilience, and detail how the SBOM can aid builders, buyers, and operators of software -- as well as regulators -- in protecting patients.

Widespread adoption of SBOM could mean earlier identification of software vulnerabilities, shorter time to remediation, and heightened awareness of outbreaks and their effects. SBOMs also have a role to play in advancing the public’s trust in connected technologies by making software more transparent. A growing number of regulators, builders, and operators are recognizing the value of SBOMs. Our aspiration is that the healthcare community will move towards adopting it in service of patients.

Acknowledgements

Many thanks to my co-authors of Building resilient medical technology supply chains with a software bill of materials - Seth Carmody, Andrea Coravos, Audra Hatch, Janine Medina, Beau Woods, and Joshua Corman. Thanks to Audra Hatch and NTIA Use Cases and State of Practice Working Group for the figure, and OpenIDEO Cybersecurity Visuals and Jeroen de Bakker for the cover photo.
