Why SBOMs in the Healthcare IT Supply Chain Are Critical
Curt Miller of the Healthcare Supply Chain Association on Cyber Considerations
Healthcare IT environments are among the most complex in any industry, so it will become essential for every supplier to provide and maintain a software bill of materials for its products if it wants to remain relevant, says Curt Miller of the Healthcare Supply Chain Association.
"The environments that healthcare entities work in are extremely complex, with thousands, tens of thousands and potentially hundreds of thousands of network connections. If they're not aware of what's connected to the network and what's involved in those connections, that's a potential threat that they can't deal with," says Miller, executive director of HSCA's Committee for Healthcare eStandards.
Software bills of materials, or SBOMs, are critical for helping healthcare provider IT and security teams understand the risks in their environments, he says in an interview with Information Security Media Group.
Providing and maintaining SBOMs also helps the manufacturers themselves: when a vulnerability is disclosed, a manufacturer with SBOMs can identify which of its devices incorporate the affected software, and so notify customers and mitigate faster, Miller says.
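The lookup Miller describes, shown here as an added example that is not HSCA's or any device maker's code: it loads CycloneDX-style SBOMs for three hypothetical devices plus a hypothetical advisory, then reports which devices carry a component version inside the advisory's affected range. The device names, component names, versions and the advisory identifier are all constructed for this example; the same function serves a provider matching an advisory against the SBOMs it has collected from its own fleet.

```python
"""Match a vulnerability advisory against per-device SBOMs.

Every SBOM, device name, component and advisory below is constructed for
this example; none refers to a real product, library or CVE. The SBOM
shape follows CycloneDX JSON ('components' entries with name/version), so
a real export can be loaded with json.load() in place of the inline dicts.
"""
import json
from typing import Dict, List, Tuple

# Constructed SBOMs for three hypothetical devices (CycloneDX-style subset).
SBOMS: Dict[str, dict] = {
    "MRI-Scanner-Model-A": {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "dicom-parser", "version": "2.3.0"},
            {"type": "library", "name": "tls-stack", "version": "1.1.4"},
        ],
    },
    "Ultrasound-Model-B": {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "dicom-parser", "version": "2.5.1"},
            {"type": "library", "name": "image-codec", "version": "0.9.2"},
        ],
    },
    "Infusion-Pump-C": {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "tls-stack", "version": "1.2.0"},
        ],
    },
}

# Constructed advisory (hypothetical identifier, not a real CVE). Ranges are
# half-open [introduced, fixed), the convention OSV-style advisories use.
ADVISORY = {
    "id": "EXAMPLE-ADVISORY-001",
    "affects": [
        {"name": "dicom-parser", "introduced": "0.0.0", "fixed": "2.4.0"},
        {"name": "tls-stack", "introduced": "1.1.0", "fixed": "1.2.0"},
    ],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.0' into (2, 3, 0). Non-numeric parts become 0.

    This naive dotted-numeric compare is enough for the sample data; a
    production matcher should use the ecosystem's own version scheme.
    """
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (fixed version itself is clean)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_affected_devices(sboms: Dict[str, dict], advisory: dict) -> Dict[str, List[str]]:
    """Return {device: ['name@version', ...]} for every component in an affected range."""
    hits: Dict[str, List[str]] = {}
    for device, sbom in sboms.items():
        for comp in sbom.get("components", []):
            for rng in advisory["affects"]:
                if comp["name"] == rng["name"] and is_affected(
                    comp["version"], rng["introduced"], rng["fixed"]
                ):
                    hits.setdefault(device, []).append(f"{comp['name']}@{comp['version']}")
    return hits


if __name__ == "__main__":
    # Only the MRI scanner is reported: the ultrasound's parser is past the
    # fix and the pump's TLS stack sits exactly on the fixed version.
    print(json.dumps(find_affected_devices(SBOMS, ADVISORY), indent=2))
```

The half-open range is the detail that matters in practice: a device running exactly the fixed version must not be flagged, and a device with no SBOM at all simply never appears in the output, which is the gap Miller's point about unknown connections describes.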
SBOM Challenges
But he also says there are hurdles.
"If [manufacturers] haven't been doing this historically, getting the processes and procedures in place to collect all that information initially is challenging and is certainly going to add cost," he says. "This is a risk management situation - providing that information is risk reduction."
Another obstacle goes back to the issue of complexity: Certain healthcare equipment, such as MRIs and other medical imaging machines, "have lots of software and lots of components," Miller says, but adds that "organizations that are cyber-aware on the buy-side are going to insist on [SBOMs], so if the suppliers want to remain pertinent … they are going to need to provide that information, especially if their competitors are providing it."
In the interview, Miller also discusses:
- Top cybersecurity gaps in the healthcare IT ecosystem;
- Advice for battling ransomware attacks;
- Details of recent HSCA guidance documents, including cybersecurity considerations for the healthcare supply chain and recommendations for medical device cybersecurity.
As executive director of the Healthcare Supply Chain Association’s Committee for Healthcare eStandards, Miller leads CHeS’ effort to accelerate the adoption, implementation and active use of industrywide data standards for improving efficiencies throughout the healthcare supply chain and HSCA’s healthcare cybersecurity guidance to industry. He is the former CIO of Amerinet, a national healthcare group purchasing organization.