Why 2021 is Shaping Up to be the Year of the SBOM

The software bill of materials (SBOM) is on its way to being recognized as a key security document and the primary enabler of software transparency across all industries. In healthcare, FDA (US Food and Drug Administration) included the SBOM in the first draft of their Premarket Guidance in 2018, but they referred to it as a CBOM (Cybersecurity Bill of Materials). Today, SBOM, which is a detailed list of software components found in a product or system, has become the more accepted terminology.

As more cybersecurity breaches are announced, almost daily it seems, business leaders, industry experts, and regulatory agencies are looking to the SBOM as an important element of a sound cybersecurity strategy. The SBOM is gaining so much momentum that some have found it necessary to caution that it won’t solve all security woes, and that it is just one piece of the larger cybersecurity puzzle, albeit an important piece.

SBOM references have appeared across a wide variety of security-based content, including the recent news of an imminent Biden administration executive order. The order aims at strengthening the nation’s security posture and includes reference to the SBOM. From a regulatory perspective, FDA has prioritized the 2021 release of the final version of their Premarket Guidance, mentioned above, which recommends that medical device manufacturers provide an SBOM with their products. In other SBOM news, Tag Cyber’s 2021 Security Annual – 2nd Quarter includes an article titled “The Time Has Arrived for Software Bill of Materials”. The article references the important SBOM work currently happening at the National Telecommunications and Information Administration (NTIA) under Allan Friedman.

When it comes to protecting software-based products and systems, it seems almost common sense that a lack of visibility into the software components utilized in the product or system is a massive impediment. So, on one hand, the SBOM should seem inevitable and a key security document. On the other hand, some industries are slow to change and adapt, and only do so with the appropriate motivation. Unfortunately, or fortunately for the SBOM, the recent spate of cybersecurity attacks is providing that motivation.

Founded in 2019, Vigilant Ops is an innovator in the medical device cybersecurity industry. Led by seasoned medical device cybersecurity experts with more than forty years of combined experience, Vigilant Ops provides medical device manufacturers and hospitals with unprecedented insight into device risk profiles, enabling proactive management of threats before they impact the quality of patient care.

For more information about Vigilant Ops or the InSight Platform, please visit our website at www.vigilant-ops.com
Or drop us an email at: [email protected]

White House Considers Software Bill of Materials (SBOM) Critical

The recent SolarWinds attack report, which we summarized in a recent post, hinted at possible executive action as a response to the massive assault. That possibility has been realized, and a Biden administration executive order, requiring enhanced cybersecurity measures including the Software Bill of Materials (SBOM), is expected any day now. A National Security Council spokeswoman was recently quoted as saying that the SolarWinds attack showed that the “federal government needs to be able to investigate and remediate threats to the services it provides the American people early and quickly. Simply put, you can’t fix what you don’t know about.”

The executive order will adopt cybersecurity measures recommended by security experts, including multi-factor authentication, data encryption, and a detailed list of the exact software components utilized, in other words, a Software Bill of Materials (SBOM).

The draft order also contains details around the creation of a cybersecurity incident response board. It is proposed that the board would be populated with representatives from federal agencies as well as cybersecurity companies. The purpose of the board is to collect breach information from victims of cyber-attacks in order to inform others of possible imminent threats and share critical information that could help organizations prepare. It’s not clear how victims would be incentivized to share information, nor is it clear how the information would be aggregated and shared with others.

Today, the Healthcare industry is a prime target for hackers, and the SBOM is a much-needed security document. Providing this transparency into deployed medical devices will enable faster responses from all stakeholders, ultimately resulting in improved patient safety.

Software Bill of Materials Help to Defend Against Cyberattacks

On February 17, 2021, a remarkable White House press briefing addressed possible executive action in the wake of the SolarWinds attack, the most systematic hack of the U.S. government in history.

In mid-February, the United States White House held a press briefing and announced possible executive action in response to a recent attack against some critical US agencies, including the US Department of Commerce and the US Department of Justice. The hack, known as the SolarWinds attack, has been described by Microsoft’s President Brad Smith as “…the largest and most sophisticated attack the world has ever seen.”

The attack is named for the software tools provided by SolarWinds, a major software company with many thousands of customers. The attack on SolarWinds is commonly referred to as a supply chain attack, because the hackers compromised a third-party provider to gain access rather than attacking the targeted organizations’ networks directly. Third-party software components utilized in various systems and products are a prime target for hackers precisely because identifying which third-party components a specific system or product contains is so difficult. This opaqueness prevents management of vulnerabilities, because you can’t protect what you don’t know about.

The Software Bill of Materials (SBOM) is ready to pull back that curtain and provide transparency into the third-party components and their associated vulnerabilities. By providing an SBOM, which is a list of all third-party software running in a system or product, the manufacturer is providing much-needed transparency to their customers and end users.

A great place to start utilizing the SBOM is in healthcare. Today, the Healthcare industry is a prime target for hackers, partially because it utilizes many millions of network-connected medical devices and is very slow at detecting malicious activity on its networks. One of the major reasons for this inability to respond quickly is the lack of visibility or transparency into those deployed medical devices, because medical device manufacturers are not currently required to provide SBOMs to their customers. And remember, you can’t protect what you don’t know about.

This might all be changing soon. The US Food and Drug Administration (USFDA) will finalize their Content of Premarket Submissions for Management of Cybersecurity in Medical Devices this year. The guidance recommends that SBOMs accompany manufactured medical devices, along with various levels of vulnerability monitoring. The SBOM is a much-needed security document, and the requirement to include one can’t come too soon. Medical device manufacturers should consider the logistical details of generating and continuously monitoring SBOMs for their products. Putting processes and policies in place today will enable a more agile response when customers and regulatory agencies begin demanding SBOMs, and prospects refuse to consider products without them. Of course, savvy customers aren’t waiting for FDA to finalize the guidance, so maybe you should think about putting those SBOM processes and policies in place yesterday.

Two Key Device Security Documents Hospitals Need Now

When it comes to medical device security risk, hospitals are largely in the dark. By deploying medical devices without a Software Bill of Materials (SBOM) and/or an MDS2, they have no good way to know their actual vulnerability to cyberattacks, at least not without a lot of manual effort.

In October, CISA (Cybersecurity & Infrastructure Security Agency) released a cybersecurity advisory warning of an imminent cybercrime threat to healthcare providers. Since the warning was released, there has been a wave of cyberattacks on hospitals. In October alone, attacks on hospitals increased by 71%.

Some of these recent cyberattacks have ended up as national news, with the reporting of the aftermath focused on the immediate impacts on patient safety. For example, turning away patients due to compromised systems can have an immediate impact on the probability of survival for those patients. You can refer to our recent post on the Dusseldorf Hospital fatality for details. However, there are some less obvious, and longer-term, patient health impacts of these cyberattacks.

Take, for example, the cancer center that is part of the University of Vermont Medical Center, which suffered an attack in late October. Due to the unavailability of their systems, including patient records, the clinicians were forced to turn away cancer patients. Without knowing the precise care regimen, and not wanting to try to work from memory, the clinicians really had no other good option. Not getting the needed treatments in the necessary timeframe will have an impact on a patient’s treatment outcome.

Cyberattacks targeting patient data systems, like Electronic Health Records, on average cause 15 days of patient data system disruption. In some attacks, clinicians were without system access for much longer. For example, the Universal Health Services attack, which we summarized and posted recently, left hospital staff without access to patient data for more than three weeks.

While the Healthcare industry will continue to remain a primary target for hackers, with the global pandemic confounding the ability to respond, there are some actions that hospital security teams can take that provide some protection. The first step is to make sure all of your systems are properly maintained and patched. Of course, with medical devices this is not a straightforward exercise, and it will require security documentation from the vendor. Specifically, the vendor should be able to provide an MDS2 (Manufacturer Disclosure Statement for Medical Device Security) along with a Software Bill of Materials (SBOM) for their devices. Sometimes vendors will make the MDS2 available on a website for download. In most cases, SBOMs have to be requested.

In addition to obtaining the proper security documentation from your medical device vendors, also remember that Vigilant Ops is here to help protect your deployed medical devices, and we are available for a free cybersecurity consultation anytime. Please reach out to us.

Massive Ransomware Assault on Healthcare

CISA (Cybersecurity & Infrastructure Security Agency), the Department of Health and Human Services (HHS) and the Federal Bureau of Investigation (FBI) jointly released a cybersecurity advisory on October 28, 2020 warning of an imminent cybercrime threat to healthcare providers. Since the original release, the warning has been revised to include additional information. The advisory, Alert (AA20-302A) can be found here.

Authorities have claimed this to be one of the most significant cybersecurity threats “…we have ever seen in the United States.” This attack represents the latest salvo against hospitals, which have been the hardest hit by ransomware attacks. In a ransomware attack, critical data is encrypted, rendering it unusable until a ransom is paid. Most hospitals are eager to get back up and running, working hard to minimize the impact on patient care, so they are sometimes more likely to pay the ransom than other targeted businesses.

Cyberattacks targeting patient data systems, like Electronic Health Records, on average cause 15 days of patient data system disruption. In some cases, clinicians were without system access for much longer. For example, the Universal Health Services attack, which we summarized and posted recently, left hospital staff without access to patient data for more than three weeks.

The cybercrime threat to healthcare providers costs our healthcare system tens of millions of dollars annually. A typical ransom could be several hundred thousand dollars, while some have been more than $5 million.

We highly recommend reviewing the published alert as it contains technical details about the threat, as well as details about how the malware replicates, including which files to be on the lookout for and various attack techniques.

In addition to the publicly available resources, Vigilant Ops is here to help protect your deployed medical devices, and we are available for a free cybersecurity consultation anytime. Please reach out to us.

U.S. Treasury Department Warns of Possible Violations

Paying ransomware hackers could run afoul of anti-money laundering regulations. The Financial Crimes Enforcement Network (FinCEN) issued an advisory that, depending on the circumstances, facilitating ransomware payments to cyber-criminals could constitute money transmission, thus violating anti-money laundering regulations. In addition, the Office of Foreign Assets Control (OFAC) issued an advisory that engaging in transactions, such as ransomware payments, with individuals or entities on their Specially Designated Nationals and Blocked Persons List is a sanctions violation and could result in civil penalties.

To be fair, OFAC does publish a list of sanctioned entities, and they advise victim organizations to check this list prior to paying any ransom. The challenge in this case is in the identification of the hacker organizations, whose identity is not usually known to the ransomware victims.

The two most common vectors for ransomware attacks are phishing emails and poorly secured Remote Desktop Protocol (RDP). The latter is especially troubling given the dramatic increase in remote workers and the resulting loss of secure control of the working environment.

It’s fairly well-known that vulnerabilities in third-party software components and exposed services, RDP among them, play a big role in enabling ransomware attacks, but organizations can take some proactive steps to decrease the likelihood that they will fall victim to such attacks by implementing or maintaining processes that monitor third-party components, their vulnerabilities, and available security patches.

Requesting a Software Bill of Materials (SBOM) from vendors, which is a monitored list of third-party software components utilized in their product, will provide needed transparency and will make the task of monitoring product components much more efficient. Of course, end-user training is always recommended, given that human error is still a huge contributor in facilitating unwanted access to networks and systems.
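The monitoring process described above, as an added example (not Vigilant Ops code and not the InSight platform): a small Python script that reads an SBOM and checks each listed component against a vulnerability feed, reporting which components fall inside an affected version range and which patch level fixes them. The SBOM is a constructed CycloneDX-style JSON document for a placeholder product, the advisory list is constructed sample data with placeholder identifiers rather than real CVEs, and the version handling assumes purely numeric dotted versions; a real feed and a real SBOM format would replace those assumptions.

```python
"""Added example: match an SBOM's component list against a vulnerability feed.

Everything below is constructed sample data and generic matching logic, not
a real product, a real advisory, or any vendor's tooling.
"""
import json

# Constructed CycloneDX-style SBOM for a placeholder product (assumption: the
# vendor's SBOM lists components with a name and a numeric dotted version).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "example-device-firmware", "version": "4.2.0"}},
  "components": [
    {"type": "library", "name": "openssl",    "version": "1.1.1"},
    {"type": "library", "name": "log4j-core", "version": "2.14.1"},
    {"type": "library", "name": "zlib",       "version": "1.2.11"},
    {"type": "library", "name": "sqlite",     "version": "3.35.5"},
    {"type": "library", "name": "legacy-ui"}
  ]
}
"""

# Constructed advisory feed; the identifiers are placeholders, not real CVEs.
# Each entry says: versions >= introduced and < fixed are affected.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-0001", "package": "openssl",    "introduced": "1.1.0", "fixed": "1.1.2"},
    {"id": "ADV-PLACEHOLDER-0002", "package": "log4j-core", "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADV-PLACEHOLDER-0003", "package": "zlib",       "introduced": "1.2.0", "fixed": "1.2.11"},
    {"id": "ADV-PLACEHOLDER-0004", "package": "curl",       "introduced": "7.0.0", "fixed": "7.80.0"},
]


def parse_version(text):
    """Turn a dotted numeric version such as '1.2.11' into a comparable tuple.

    Assumption: versions are purely numeric; anything else is rejected rather
    than silently mis-ordered.
    """
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        raise ValueError(f"unsupported version string: {text!r}")


def is_affected(installed, advisory):
    """True when introduced <= installed < fixed (half-open range)."""
    v = parse_version(installed)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def load_components(sbom_text):
    """Return the component entries of a CycloneDX-style SBOM document."""
    return json.loads(sbom_text).get("components", [])


def find_vulnerable(sbom_text, advisories):
    """Return (findings, unchecked).

    findings: one record per (component, advisory) match, in SBOM order.
    unchecked: component names that carry no version and so cannot be matched;
    these need a follow-up with the vendor rather than being treated as clean.
    """
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)

    findings, unchecked = [], []
    for comp in load_components(sbom_text):
        name, version = comp.get("name"), comp.get("version")
        if not version:
            unchecked.append(name)
            continue
        for adv in by_package.get(name, []):
            if is_affected(version, adv):
                findings.append({"component": name, "version": version,
                                 "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return findings, unchecked


def main():
    findings, unchecked = find_vulnerable(SBOM_JSON, ADVISORIES)
    for f in findings:
        print(f"{f['component']} {f['version']}: {f['advisory']} (patch to {f['fixed_in']})")
    for name in unchecked:
        print(f"{name}: no version in SBOM, cannot be checked; ask the vendor")


if __name__ == "__main__":
    main()
```

Rerunning the same match whenever the advisory feed changes is what turns a static SBOM into the "monitored list" the paragraph describes; the unchecked bucket matters because a component with no version in the SBOM is a gap in transparency, not evidence that it is safe.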

Vigilant Ops
8085 Saltsburg Rd., Pittsburgh, PA 15239

Copyright © 2021 Vigilant Ops. All rights reserved.