Why SBOMs in the Healthcare IT Supply Chain Are CriticalCurt Miller of the Healthcare Supply Chain Association on Cyber Considerations
Healthcare IT environments are among the most complicated, and so it will become essential for all suppliers to provide and maintain a software bill of materials for their products if they want to remain relevant, says Curt Miller of the Healthcare Supply Chain Association.
"The environments that healthcare entities work in are extremely complex, with thousands, tens of thousands and potentially hundreds of thousands of network connections. If they're not aware of what's connected to the network and what's involved in those connections, that's a potential threat that they can't deal with," says Miller, executive director of HSCA's Committee for Healthcare eStandards.
Software bills of materials, or SBOMs, are critical for helping healthcare provider IT and security teams understand the risks in their environments, he says in an interview with Information Security Media Group.
Also, providing and maintaining SBOMs helps manufacturers, in the event of a vulnerability, identify where the affected software has been used in their devices, enabling them to better communicate and mitigate the situation, Miller says.
But he also says there are hurdles.
"If [manufacturers] haven't been doing this historically, getting the processes and procedures in place to collect all that information initially is challenging and is certainly going to add cost," he says. "This is a risk management situation - providing that information is risk reduction."
Another obstacle goes back to the issue of complexity: Certain healthcare equipment, such as MRIs and other medical imaging machines, "have lots of software and lots of components," Miller says, but adds that "organizations that are cyber-aware on the buy-side are going to insist on [SBOMs], so if the suppliers want to remain pertinent … they are going to need to provide that information, especially if their competitors are providing it."
In the interview (see audio link below photo), Miller also discusses:
- Top cybersecurity gaps in the healthcare IT ecosystem;
- Advice for battling ransomware attacks;
- Details of recent HSCA guidance documents, including cybersecurity considerations for the healthcare supply chain and recommendations for medical device cybersecurity.
As executive director of the Healthcare Supply Chain Association’s Committee for Healthcare eStandards, Miller leads CHeS’ effort to accelerate the adoption, implementation and active use of industrywide data standards for improving efficiencies throughout the healthcare supply chain and HSCA’s healthcare cybersecurity guidance to industry. He is the former CIO of Amerinet, a national healthcare group purchasing organization.