In August 2013, the FDA made news when it issued cybersecurity guidance for medical devices. But several years earlier, government officials recognized the risk: Soon after the FDA made its announcement, former Vice President Dick Cheney revealed in a “60 Minutes” interview that when his pacemaker was replaced in 2007, his doctors took precautions to make it hack-proof. “It seemed to me to be a bad idea for the vice president of the United States to have a device that maybe somebody … might be able to get into, hack into,” his cardiologist told “60 Minutes.” The fear inspired an episode of the popular TV show “Homeland” in which a fictional vice president succumbs to terrorists who seize control of his pacemaker.
Fast-forward to today. Starting in October, the PATCH Act (Protecting and Transforming Cyber Healthcare Act) empowers the Food and Drug Administration to enforce stricter cybersecurity measures for medical devices. This includes a requirement for manufacturers to create a software bill of materials, or SBOM, to help identify potential security vulnerabilities in the software.
advertisement
An SBOM is a machine-readable list of device software components, including off-the-shelf software that isn’t necessarily designed for safety-critical environments. Many health care organizations believe the SBOM safeguards against device attacks that could jeopardize patient safety or disrupt an entire healthcare network.
Get unlimited access to award-winning journalism and exclusive events.