
Why SBOMs in the Healthcare IT Supply Chain Are Critical

Curt Miller of the Healthcare Supply Chain Association on Cyber Considerations
Curt Miller, executive director of the Healthcare Supply Chain Association's Committee for Healthcare eStandards

Healthcare IT environments are among the most complicated, and so it will become essential for all suppliers to provide and maintain a software bill of materials for their products if they want to remain relevant, says Curt Miller of the Healthcare Supply Chain Association.

"The environments that healthcare entities work in are extremely complex, with thousands, tens of thousands and potentially hundreds of thousands of network connections. If they're not aware of what's connected to the network and what's involved in those connections, that's a potential threat that they can't deal with," says Miller, executive director of HSCA's Committee for Healthcare eStandards.

Software bills of materials, or SBOMs, are critical for helping healthcare provider IT and security teams understand the risks in their environments, he says in an interview with Information Security Media Group.

Also, providing and maintaining SBOMs helps manufacturers, in the event of a vulnerability, identify where the affected software has been used in their devices, enabling them to better communicate and mitigate the situation, Miller says.
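The lookup Miller describes, finding every device whose software inventory contains a component named in a vulnerability advisory, is mechanical once the SBOMs exist. The following is an added example written for this page, not code from the article, HSCA or any manufacturer. It assumes a minimal CycloneDX-style JSON shape (a top-level `components` list with `name`, `version` and optionally nested `components`); the device names, inventories and the advisory (with a placeholder identifier, no real CVE implied) are constructed. Components that match by name but carry no version are reported for manual review rather than silently skipped, since an incomplete SBOM is itself the gap Miller warns about.

```python
import json
import re

# Constructed SBOMs for fictional devices in a minimal CycloneDX-style JSON
# shape; illustrative only, not real products or real inventories.
SBOM_DOCS = {
    "mri-console-01": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "libjpeg", "version": "2.0.5"},
            {"type": "library", "name": "openssl", "version": "3.0.7"},
        ],
    }),
    "ct-workstation-02": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "libjpeg", "version": "2.1.4"},
            {"type": "library", "name": "zlib", "version": "1.2.13"},
        ],
    }),
    "patient-monitor-04": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "firmware", "name": "display-fw", "version": "7.2",
             # nested component: the firmware bundle ships its own copy of a library
             "components": [
                 {"type": "library", "name": "libjpeg", "version": "1.9.2"},
             ]},
        ],
    }),
    "ultrasound-05": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "libjpeg"},  # version missing: incomplete SBOM
        ],
    }),
}

# Constructed advisory with a placeholder identifier (no real CVE is implied).
ADVISORY = {
    "id": "CVE-XXXX-PLACEHOLDER",
    "component": "libjpeg",
    "introduced": "1.0.0",   # first affected version (inclusive)
    "fixed_in": "2.1.4",     # first fixed version (exclusive upper bound)
}


def parse_version(text):
    """Turn '2.1.4' (or '2.1.4-rc1') into a comparable tuple of ints.
    Non-numeric suffixes are ignored; a deliberate simplification."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def walk_components(components):
    """Yield every component in the tree, including nested ones."""
    for comp in components:
        yield comp
        yield from walk_components(comp.get("components", []))


def is_affected(version, advisory):
    """True when version falls in [introduced, fixed_in)."""
    v = parse_version(version)
    lower = advisory.get("introduced")
    if lower is not None and v < parse_version(lower):
        return False
    return v < parse_version(advisory["fixed_in"])


def find_affected_devices(sbom_docs, advisory):
    """Map device -> list of (component, version) hits. A matching component
    with no recorded version is reported with version None for manual review."""
    hits = {}
    for device, doc in sbom_docs.items():
        sbom = json.loads(doc)
        for comp in walk_components(sbom.get("components", [])):
            if comp.get("name") != advisory["component"]:
                continue
            version = comp.get("version")
            if version is None or is_affected(version, advisory):
                hits.setdefault(device, []).append((comp["name"], version))
    return hits


if __name__ == "__main__":
    for device, comps in find_affected_devices(SBOM_DOCS, ADVISORY).items():
        print(f"{ADVISORY['id']}: {device} -> {comps}")
```

Walking nested components matters for the imaging equipment Miller mentions: a vulnerable library is often buried inside a firmware or sub-assembly entry rather than listed at the top level, and a flat name match would miss it.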

SBOM Challenges

But he also says there are hurdles.

"If [manufacturers] haven't been doing this historically, getting the processes and procedures in place to collect all that information initially is challenging and is certainly going to add cost," he says. "This is a risk management situation - providing that information is risk reduction."

Another obstacle goes back to the issue of complexity: Certain healthcare equipment, such as MRIs and other medical imaging machines, "have lots of software and lots of components," Miller says, but adds that "organizations that are cyber-aware on the buy-side are going to insist on [SBOMs], so if the suppliers want to remain pertinent … they are going to need to provide that information, especially if their competitors are providing it."

In the interview, Miller also discusses:

As executive director of the Healthcare Supply Chain Association’s Committee for Healthcare eStandards, Miller leads CHeS’ effort to accelerate the adoption, implementation and active use of industrywide data standards for improving efficiencies throughout the healthcare supply chain and HSCA’s healthcare cybersecurity guidance to industry. He is the former CIO of Amerinet, a national healthcare group purchasing organization.

