The Importance of SBOM and CVE in Medical

An image of , News, The Importance of SBOM and CVE in Medical

What does cybersecurity mean for a medical device? This is an interesting and complex topic to find out. 

One of the most important documents about the subject is indeed “Principles and Practices for Medical Device Cybersecurity” from IMDRF and available here: Principles and Practices for Medical Device Cybersecurity ( IMDRF stands for International Medical Device Regulators Forum and is a group of medical devices regulators whose aim is to harmonize and converge medical device regulations.

The purpose of this document is to provide general principles and best practices to facilitate international regulatory convergence on medical devices cybersecurity.

For medical devices, security is undoubtedly a key concern. Indeed, the effect of a compromised device can be catastrophic such as diagnostic errors, wrong therapies up to impossibility to access treatment.

The increasing threat of Cybersecurity has pushed companies to quickly react and, in many cases, perform security checks at the end of the development phase. However, the reality is that security must be applied to the total product life cycle (TPLC). TPLC is a concept widely used by the US Food and Drug Administration (FDA) and other regulatory bodies and should be followed by medical device companies to shepherd a product from concept to disposal. For a review of cybersecurity requirements for medical devices sold in the US, watch the webinars from my colleagues Ryan Zheng and Robert Krantz, which are available here. According to the IMDRF, in the Pre-market phase the manufacturer should consider how to securely update the device when it is affected by a vulnerability, but of course this is not enough because it is crucial to identify which devices are really affected and need an update. Such traceability can be achieved only by making use of the database of software components (SBOM) of the device.

SBOM (Software Bill of Materials) is key, not only to enable the backward traceability but it is also important for the healthcare providers as they can manage their assets, assess the risks, and finally deploy the needed countermeasures to maintain the safety integrity of the device.

SBOM also influences healthcare purchasing decisions: buyers having visibility of the content of a device will be able to assess the potential security risks (e.g., the presence of a component close to its end of life) and therefore better quantify the associated value.

The reasons above drove the IMDRF to clearly state in their document that, in addition to the usual user instructions and technical information, the manufacturer should always include the SBOM of the device.

Healthcare providers, who are typically the end customers of medical devices, usually use them for much longer than the original planned and communicated lifetime. In such scenarios, SBOM is extremely important because it allows risk assessments based on the lifetime of software components: devices including components near to or in end of life may be a source of vulnerability due to lack of maintenance.

This is the reason why, to ensure robust reliability and sustainable commercialization, manufacturers should consider adopting long life components and/or managed services which extend the support of open-source components.

We must also consider that according to the FDA (Postmarket Management of Cybersecurity in Medical Devices – Guidance for Industry and Food and Drug Administration Staff (, manufacturers must report vulnerabilities to the FDA itself no later than 30 days after learning of the vulnerability; in addition they must, no later than 60 days after learning of the vulnerability, fix it, validate the change, and distribute the deployable fix to their customers.

This means that all the CVEs which may affect a device should be notified within a month and fixed in two.

CVEs have drastically increased since 2017, and moreover the trend looks exponential. In 2022 there were 25059 CVEs (c.f. Metrics | CVE), around 2100 per month. This means that a device manufacturer must check each month if one or more of 2100 CVEs is/are affecting its devices. The CVSS (Common Vulnerability Scoring System) provides a way to capture the principal characteristics of a vulnerability and produces a numerical score reflecting its severity, which is not always a correct index for assessing a vulnerability. CVSS and its associated rubric were developed for enterprise information technology systems and do not adequately reflect the clinical environment and potential patient safety impacts. The MITRE Corporation and FDA, developed a rubric that provides guidance for how an analyst can utilize CVSS as part of a risk assessment for a medical device [Rubric for Applying CVSS to Medical Devices | MITRE]. There are many cases in which a manufacturer needs to create its own rubric and policies because of the requirements of their end customers.

Filtering and checking CVEs is, therefore, a tedious and error prone task that cannot be done manually, and since it is not the core business of the medical manufacturers it should be better outsourced to avoid any impact on the R&D delaying the deliveries and/or neglecting innovation.

Wind River offers highly automated managed services for Linux and VxWorks which can relieve medical manufacturers from the heavy duty of keeping pace with all the newly published CVEs. It relies on automated SBOM generation and can filter out all the non-relevant CVEs. A team of highly skilled experts can then fix or mitigate the affected vulnerability collaborating closely with manufacturer R&D engineering and security experts.

To learn more about how Wind River can help, feel free to contact us. 

An image of , News, The Importance of SBOM and CVE in Medical

Diego Buffa

Experienced Field Application Engineer with a demonstrated history of working in the computer software industry. Professional skilled in Embedded Systems, Open Source and DevOps.

AI alignment: teaching tech human language

Daniel Langkilde • 05th February 2024

However, Embodied AI refers to robots, virtual assistants or other intelligent systems that can interact with and learn from a physical environment. In order to do this, they’re built with sensors that can gather data from their surroundings, with this they also have AI systems that help them analyse data they collect, and ultimately learn...

CARMA announces acquisition of mmi Analytics

Jason Weekes • 01st February 2024

CARMA announces acquisition of mmi Analytics, expanding expertise in Beauty, Fashion, and Lifestyle sectors The combined organisation is set to redefine the landscape of media intelligence, providing unparalleled expertise and comprehensive insights for PR professional and marketers in the exciting world of beauty, fashion and lifestyle.

Managing Private Content Exposure Risk in 2024

Tim Freestone • 31st January 2024

Managing the privacy and compliance of sensitive content communications is getting more and more difficult for businesses. Cybercriminals continue to evolve their approaches, making it harder than ever to identify, stop, and mitigate the damages of malicious attacks. But, what are the key issues for IT admins to look out for in 2024?

Revolutionizing Ground Warfare Environment with Software-Enabled Armored Vehicles

Wind River • 31st January 2024

Armoured vehicles which are purpose-built for mission-critical operations are reliant on control systems that provide deterministic behaviour to meet hard real-time requirements, deliver extreme reliability, and meet rigorous security requirements against evolving threats. Wind River® has the partners and the expertise, a proven real-time operating system (RTOS), software lifecycle management techniques, and an extensive track...

The need to prove environmental accountability

Matt Tormollen • 31st January 2024

We are currently in the midst of one of the most consequential energy transitions since records began. The increasing availability of clean electrons has motivated businesses in the UK and beyond to think green. And for good reason. Being environmentally conscious attracts customers, appeases regulators, retains staff, and can even gain handouts from government. The...

Fuelling Innovation in Aftermarket

Jim Monaghan • 31st January 2024

One section of the motor trade is benefitting from the cost-of-living crisis: with consumers keeping their cars for longer, independent repairers are in huge demand. But they are also under pressure. Older cars need more repairs. They require more replacement parts, tyres and fluids. With car owners looking for value and a fast turn-around, independents...

The return of the five-day office week

Virgin Media • 25th January 2024

Virgin Media O2 Business has today published its inaugural Annual Movers Index, revealing four in ten companies are back to the office full time, despite widespread travel delays and disruptions With 2023 cementing the cost-of-living crisis, second hand shopping and public transport use surged as Brits sought to save money Using aggregated and anonymised UK...