Using a Medical Device Cybersecurity Bill of Materials
When medical device makers provide a software bill of materials for components contained in their products, it’s critical to make that voluminous security information actionable for healthcare customers, says Rob Suárez, CISO at medical device maker Becton Dickinson and Co., or BD.
The Food and Drug Administration in draft guidance released in 2018 – which is expected to be updated this year – recommended that medical device makers provide a cybersecurity bill of materials to help healthcare sector customers better manage risks.
But a major potential challenge is in “operationalizing” a bill of materials for medical devices into a “regulatory framework,” Suárez says.
“It’s easy to put together that list [of components]. It’s harder to make it more practical and consumable for a hospital that manages 15 or 20 medical devices per patient bed,” he says in an interview with Information Security Media Group. “There are hospital systems with over 300,000 medical devices in their environment. So managing a software bill of materials for medical devices can get fairly complex.”
Collaboration between industry groups and government agencies, such as the National Telecommunications and Information Administration, in developing a software bill of materials framework could help simplify some of the complexities, he says (see: Analysis: How Biden Executive Order Mirrors FDA’s Cyber Plans).
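The operational problem Suárez describes is one of scale: a hospital receiving one component list per device must turn thousands of such lists into a short answer to "which of our devices carry a component with a known advisory?" The following added example (not BD's code, and not any real SBOM format) shows the minimal consumer-side logic: it indexes a constructed, simplified CycloneDX-like set of device SBOMs by component and version, compares each against invented placeholder advisories, and keeps devices whose SBOM entry is missing a version in a separate "needs review" bucket rather than silently treating them as unaffected. Device IDs, component names, versions and advisory IDs are all constructed for this example.

```python
"""Triage a fleet of medical-device SBOMs against vulnerability advisories.

Added example with constructed data: the SBOM shape is a simplified,
CycloneDX-like JSON (components with name and version) and the advisories
are invented placeholders, not real CVEs or real products.
"""
import json
from collections import defaultdict

# Constructed SBOMs for three hypothetical devices. One entry deliberately
# lacks a version to show how incomplete SBOM data is surfaced, not hidden.
SBOM_JSON = json.dumps([
    {"device_id": "INFUSION-PUMP-0001", "components": [
        {"name": "acme-tls", "version": "1.4.2"},
        {"name": "rtos-core", "version": "7.0"},
    ]},
    {"device_id": "INFUSION-PUMP-0002", "components": [
        {"name": "acme-tls", "version": "1.5.0"},
        {"name": "rtos-core", "version": "7.0"},
    ]},
    {"device_id": "MONITOR-0100", "components": [
        {"name": "acme-tls"},                      # version missing from the SBOM
        {"name": "json-parse", "version": "2.1.3"},
    ]},
])

# Constructed advisories: each names a component and the first fixed version.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "component": "acme-tls", "fixed_in": "1.5.0"},
    {"id": "ADV-EXAMPLE-002", "component": "json-parse", "fixed_in": "2.1.4"},
]


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings
    (string comparison would wrongly rank '1.10.0' below '1.9.9')."""
    return tuple(int(part) for part in text.split("."))


def index_fleet(sbom_json):
    """Map each (component, version) pair to the set of devices carrying it.
    Components whose SBOM entry has no version are indexed under None."""
    index = defaultdict(set)
    for record in json.loads(sbom_json):
        for comp in record["components"]:
            index[(comp["name"], comp.get("version"))].add(record["device_id"])
    return index


def triage(index, advisories):
    """Return {advisory_id: {"affected": [...], "unknown": [...]}}.

    'affected' holds devices whose component version is below the fix;
    'unknown' holds devices whose SBOM gives no version for that component,
    which a hospital must resolve with the vendor rather than assume safe."""
    result = {}
    for adv in advisories:
        fixed = parse_version(adv["fixed_in"])
        affected, unknown = set(), set()
        for (name, version), devices in index.items():
            if name != adv["component"]:
                continue
            if version is None:
                unknown |= devices
            elif parse_version(version) < fixed:
                affected |= devices
        result[adv["id"]] = {"affected": sorted(affected), "unknown": sorted(unknown)}
    return result


if __name__ == "__main__":
    for adv_id, buckets in triage(index_fleet(SBOM_JSON), ADVISORIES).items():
        print(adv_id, "affected:", buckets["affected"],
              "needs review:", buckets["unknown"])
```

The index is built once per SBOM ingest and reused for every advisory, which is what keeps the comparison tractable at the 300,000-device scale the interview mentions; the per-advisory work is a lookup on component name, not a re-read of every device's list.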
In this interview, Suárez also discusses:
- The significance of BD recently becoming the first medical technology company authorized as a Common Vulnerabilities and Exposures Numbering Authority by the CVE Program sponsored by the Department of Homeland Security and operated by MITRE Corp.;
- Trends involving security vulnerabilities found in legacy medical devices;
- Other cybersecurity challenges involving medical devices.
Suárez serves as CISO at BD, overseeing cybersecurity across the company’s enterprise, IT and manufacturing systems. He also chairs the cybersecurity steering committee for the Medical Device Innovation Consortium and the cybersecurity working group for the Advanced Medical Technology Association. He was also one of three leaders to co-chair the public-private Healthcare and Public Health Sector Coordinating Council’s Med Tech Cybersecurity Risk Management Task Group.