Global Medical Device Podcast powered by Greenlight Guru

Software Bill of Materials (SBOMs) & Cybersecurity in the Medical Device Industry



In this episode of the Global Medical Device Podcast, Jon Speer and Etienne Nichols talk to Ken Zalevsky, Certified CyberSecurity Leader and CEO of Vigilant Ops, about software bills of materials (SBOMs) and cybersecurity in the medical device industry.

Ken has collaborated with the FDA, U.S. Department of Homeland Security (DHS), and National Telecommunications and Information Administration (NTIA) on cybersecurity initiatives, including cyber simulation exercises, industry guidance documents, and SBOMs. Ken’s written work advises medical device manufacturers on cybersecurity best practices and coaches hospitals on handling record numbers of breaches.

Some of the highlights of this episode include:
  • Ken defines an SBOM as a list of the software components that make up any system, application, or device. In health care, medical devices are computer-based systems built from such software components.
  • Engineers may know software and security well but not medical devices and SBOMs; medical device manufacturers know safety and efficacy in a regulated industry but may need to overcome software challenges.
  • Most medical device software teams don't build everything that goes into a device. Scope the SBOM appropriately, because third-party components carry risk of their own.
  • Safety is not the same as security, but both belong early in the product life cycle. Cybersecurity standards deal with authorization, authentication, and encryption, whereas safety deals with recalls, use cases, and the consequences of vulnerabilities.
  • SBOMs are not evergreen documents: they must be maintained and updated regularly so that manufacturers and hospitals can act on them.
  • Health care is hackers' primary target among industry verticals, and its response time has always been the slowest: today it takes about 160 days for a healthcare organization to discover a security breach.
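As an added worked example (not code from the episode, Greenlight Guru, or Vigilant Ops), the Python script below turns the points above into checks a manufacturer or hospital could run over an SBOM: it parses a constructed CycloneDX-style document, reports which NTIA minimum data fields each component is missing, flags a document older than a chosen age, and matches the third-party components against a constructed advisory list. The device, component names, versions, and advisories are all invented for illustration and are not real products or real vulnerabilities; the 90-day staleness threshold is an assumed policy value, not a regulatory requirement.

```python
"""Audit a CycloneDX-style SBOM: NTIA minimum data fields, document age, and
matching of third-party components against an advisory list. Constructed
example: the SBOM and advisories below are invented for illustration."""
import json
import re
from datetime import datetime, timedelta, timezone

# NTIA "Minimum Elements" data fields carried per component, keyed by the
# CycloneDX field that holds them. Dependency Relationship is checked against
# the "dependencies" array; Author and Timestamp live in "metadata".
COMPONENT_FIELDS = {
    "supplier": "Supplier Name",
    "name": "Component Name",
    "version": "Version of the Component",
    "purl": "Other Unique Identifiers",
}

# Constructed SBOM for a fictional device, with deliberate gaps: the JSON
# parser has no supplier; the RTOS has no unique identifier and is absent
# from the dependency graph.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"timestamp": "2023-01-15T10:00:00Z",
               "authors": [{"name": "Example Device Co. product security"}],
               "component": {"bom-ref": "device", "type": "device",
                             "name": "example-pump-controller", "version": "4.2.0"}},
  "components": [
    {"bom-ref": "tls", "type": "library", "name": "libtls-example", "version": "1.1.3",
     "supplier": {"name": "Example Crypto Org"}, "purl": "pkg:generic/libtls-example@1.1.3"},
    {"bom-ref": "json", "type": "library", "name": "json-parse-example", "version": "0.9.0",
     "purl": "pkg:generic/json-parse-example@0.9.0"},
    {"bom-ref": "rtos", "type": "operating-system", "name": "rtos-example", "version": "7.0",
     "supplier": {"name": "Example RTOS Vendor"}}],
  "dependencies": [{"ref": "device", "dependsOn": ["tls", "json"]},
                   {"ref": "tls", "dependsOn": []}, {"ref": "json", "dependsOn": []}]
}"""

# Constructed advisory feed (not real vulnerabilities); "fixed_in" is the
# first version that is not affected.
ADVISORIES = [
    {"name": "libtls-example", "fixed_in": "1.1.4", "note": "constructed: handshake flaw, fixed in 1.1.4"},
    {"name": "json-parse-example", "fixed_in": "1.0.0", "note": "constructed: parser crash, fixed in 1.0.0"},
]

def load_sbom(text=SBOM_JSON):
    return json.loads(text)

def parse_version(text):
    """Dotted numeric version -> tuple of ints; enough for this data."""
    return tuple(int(n) for n in re.findall(r"\d+", text)) or (0,)

def missing_ntia_fields(sbom):
    """Map each component name to the NTIA data fields it lacks."""
    in_graph = set()
    for dep in sbom.get("dependencies", []):
        in_graph.add(dep.get("ref"))
        in_graph.update(dep.get("dependsOn", []))
    in_graph.discard(None)
    report = {}
    for comp in sbom.get("components", []):
        missing = [label for key, label in COMPONENT_FIELDS.items() if not comp.get(key)]
        if comp.get("bom-ref") not in in_graph:
            missing.append("Dependency Relationship")
        report[comp.get("name", "<unnamed>")] = missing
    return report

def missing_document_fields(sbom):
    """Document-level NTIA fields: Author of SBOM Data and Timestamp."""
    meta = sbom.get("metadata", {})
    return [label for key, label in (("authors", "Author of SBOM Data"), ("timestamp", "Timestamp"))
            if not meta.get(key)]

def is_stale(sbom, now_iso, max_age_days=90):
    """True when the SBOM is older than max_age_days and needs regenerating."""
    to_dt = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    return to_dt(now_iso) - to_dt(sbom["metadata"]["timestamp"]) > timedelta(days=max_age_days)

def match_advisories(sbom, advisories):
    """(name, version, note) for every component below an advisory's fixed_in."""
    hits = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if comp.get("name") == adv["name"] and \
               parse_version(comp.get("version", "")) < parse_version(adv["fixed_in"]):
                hits.append((comp["name"], comp["version"], adv["note"]))
    return hits

if __name__ == "__main__":
    sbom = load_sbom()
    print("document fields missing:", missing_document_fields(sbom) or "none")
    for name, missing in missing_ntia_fields(sbom).items():
        print(f"{name}: {'missing ' + ', '.join(missing) if missing else 'ok'}")
    print("stale:", is_stale(sbom, datetime.now(timezone.utc).isoformat()))
    for name, version, note in match_advisories(sbom, ADVISORIES):
        print(f"advisory hit: {name} {version} ({note})")
```

Run as-is, the script reports the RTOS entry as lacking a unique identifier and a dependency relationship, the JSON parser as lacking a supplier, and both libraries as hitting the constructed advisories. The two gaps are the ones that matter in practice: a component with no unique identifier cannot be matched reliably against a real vulnerability feed, and a component outside the dependency graph cannot be traced to the device that ships it.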

Memorable quotes from Ken Zalevsky:

“A detailed list of those software components is really the essence of an SBOM.”

“At the heart of it, the idea and the purpose of the SBOM is to give that transparency into software components that are utilized in medical devices.”

“Most software companies, especially medical device software teams, don’t build everything that’s in the device. They take components from other third parties and there’s risk associated with those components.”

“You can’t blame it all on the hospital because the hospital has no idea what’s running in those devices.”

“Providing that transparency, understanding what you’re deploying on your network, just is common sense.”



Links:

Medical Device Security Made Easy - InSight Platform by Vigilant Ops

SBOM - National Telecommunications and Information Administration (NTIA)

NTIA - Minimum Elements For a Software Bill of Materials

FDA - Guidance Documents (Medical Devices and Radiation-Emitting Products)

FDA - Medical Device Overview

AAMI TIR57: Principles for medical device security - Risk management

The Greenlight Guru True Quality Virtual Summit

Greenlight Guru YouTube Channel

MedTech True Quality Stories Podcast

Greenlight Guru Academy

Greenlight Guru

By Greenlight Guru + Medical Device Entrepreneurs