Biden Signs Cybersecurity Executive Order

On May 12, 2021, President Biden signed the Executive Order on Improving the Nation’s Cybersecurity, which we previewed in a recent post. The fifteen-page order directs a series of cybersecurity enhancements, including the Software Bill of Materials (SBOM) for software sold to the federal government, and the review and revision of governmental procedures such as the Federal Acquisition Regulation (FAR), each with an associated deadline for completion.

How To Prepare for the Cybersecurity Executive Order

On May 12, 2021, President Biden signed the Executive Order on Improving the Nation’s Cybersecurity. Despite being only fifteen pages long, the executive order is detailed and complex, and it is easy to become overwhelmed by the dependencies between its requirements and their completion deadlines. In this post, we attempt to reduce that complexity by highlighting key aspects of the executive order and suggesting actions you can take now to prepare your organization.

Why 2021 is Shaping Up to be the Year of the SBOM

The software bill of materials (SBOM) is on its way to being recognized as a key security document and the primary enabler of software transparency across all industries. In healthcare, the FDA (US Food and Drug Administration) included the concept in the first draft of its Premarket Guidance in 2018, but referred to it as a CBOM (Cybersecurity Bill of Materials). Today, SBOM, a detailed list of the software components found in a product or system, has become the more widely accepted term.

As cybersecurity breaches are announced, almost daily it seems, business leaders, industry experts, and regulatory agencies are looking to the SBOM as an important element of a sound cybersecurity strategy. The SBOM is gaining so much momentum that some have found it necessary to caution that it won’t solve all security woes, and that it is just one piece of the larger cybersecurity puzzle, albeit an important one.

SBOM references have appeared across a wide variety of security content, including the recent news of an imminent Biden administration executive order. The order aims to strengthen the nation’s security posture and includes a reference to the SBOM. From a regulatory perspective, the FDA has prioritized the 2021 release of the final version of the Premarket Guidance mentioned above, which recommends that medical device manufacturers provide an SBOM with their products. In other SBOM news, TAG Cyber’s 2021 Security Annual – 2nd Quarter includes an article titled “The Time Has Arrived for Software Bill of Materials”. The article references the important SBOM work currently happening at the National Telecommunications and Information Administration (NTIA) under Allan Friedman.

When it comes to protecting software-based products and systems, it seems almost common sense that a lack of visibility into the software components used in the product or system is a massive impediment. On one hand, then, the SBOM should seem an inevitable and key security document. On the other hand, some industries are slow to change and adapt, and only do so with the appropriate motivation. Unfortunately, or fortunately for the SBOM, the recent spate of cyberattacks is providing that motivation.

Founded in 2019, Vigilant Ops is an innovator in the medical device cybersecurity industry. Led by seasoned medical device cybersecurity experts with more than forty years of combined experience, Vigilant Ops provides medical device manufacturers and hospitals with unprecedented insight into device risk profiles, enabling proactive management of threats before they impact the quality of patient care.

For more information about Vigilant Ops or the InSight Platform, please visit our website at www.vigilant-ops.com
Or drop us an email at: [email protected]

White House Considers Software Bill of Materials (SBOM) Critical

The recent SolarWinds attack report, which we summarized in a recent post, hinted at possible executive action as a response to the massive assault. That possibility has been realized, and a Biden administration executive order requiring enhanced cybersecurity measures, including the Software Bill of Materials (SBOM), is expected any day now. A National Security Council spokeswoman was recently quoted as saying that the SolarWinds attack showed that the “federal government needs to be able to investigate and remediate threats to the services it provides the American people early and quickly. Simply put, you can’t fix what you don’t know about.”

The executive order will adopt cybersecurity measures recommended by security experts, including multi-factor authentication, data encryption, and a detailed list of the exact software components utilized, in other words, a Software Bill of Materials (SBOM).

The draft order also contains details around the creation of a cybersecurity incident response board. It is proposed that the board would be populated with representatives from federal agencies as well as cybersecurity companies. The purpose of the board is to collect breach information from victims of cyber-attacks in order to inform others of possible imminent threats and share critical information that could help organizations prepare. It’s not clear how victims would be incentivized to share information, nor is it clear how the information would be aggregated and shared with others.

Today, the Healthcare industry is a prime target for hackers, and the SBOM is a much-needed security document. Providing this transparency into deployed medical devices will enable faster responses from all stakeholders, ultimately resulting in improved patient safety.


Software Bills of Materials Help Defend Against Cyberattacks

On February 17, 2021, a remarkable White House press briefing addressed possible executive action in the wake of the SolarWinds attack, the most systematic hack of the U.S. government in history.

In mid-February, the White House held a press briefing and announced possible executive action in response to a recent attack against several critical US agencies, including the US Department of Commerce and the US Department of Justice. The hack, referred to as the SolarWinds attack, has been called “the largest and most sophisticated attack the world has ever seen,” according to Microsoft President Brad Smith.

The attack is named after SolarWinds, a major software company with many thousands of customers, whose software was used to deliver it: the attackers inserted malicious code into a legitimate SolarWinds software update, which customers then installed on their own networks. This is commonly referred to as a supply chain attack, because the attackers compromised a third-party provider to gain access rather than attacking the targeted organizations’ networks directly. Third-party software components used inside other products and systems are a closely related target, because it is so difficult to identify which third-party components a given system or product actually contains. That opaqueness prevents vulnerability management, because you can’t protect what you don’t know about.

The Software Bill of Materials (SBOM) is ready to pull back that curtain and provide transparency into third-party components and their associated vulnerabilities. By providing an SBOM, a list of all third-party software running in a system or product, with each component identified by name and version, the manufacturer gives customers and end users the much-needed ability to check whether a newly disclosed vulnerability affects the devices they have deployed.
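To show what that transparency buys in practice, here is an added example, not part of the original post and not Vigilant Ops or InSight code, that cross-references an SBOM against an advisory feed. The SBOM is a constructed document in the CycloneDX JSON shape, the advisory list is a constructed feed using OSV-style “introduced/fixed” version ranges, and every device name, component name and advisory ID in it is a fictional placeholder rather than a real product or CVE. Components are matched on their package URL (purl) so that name collisions across ecosystems do not produce false matches, and any component that lacks a purl is reported as unassessable rather than silently skipped, since a gap in the SBOM is itself a finding.

```python
"""Cross-reference an SBOM against an advisory feed to find known-vulnerable components.

Added example; not Vigilant Ops or InSight code. SBOM_JSON is a constructed
CycloneDX-shaped document and ADVISORIES a constructed OSV-style range feed.
All component, device and advisory identifiers are fictional placeholders.
"""
import json
import re

# Constructed SBOM. bomFormat/specVersion/components/purl are real CycloneDX
# fields; the device and its components are invented for this example.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {"component": {"type": "device", "name": "example-infusion-pump", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "example-tls",  "version": "1.0.2", "purl": "pkg:generic/example-tls@1.0.2"},
    {"type": "library", "name": "example-json", "version": "2.5.0", "purl": "pkg:generic/example-json@2.5.0"},
    {"type": "operating-system", "name": "example-rtos", "version": "7.10", "purl": "pkg:generic/example-rtos@7.10"},
    {"type": "library", "name": "vendor-blob", "version": "unknown"}
  ]
}
"""

# Constructed advisory feed: affected if introduced <= version < fixed.
# "fixed": None means no fixed release exists yet. IDs are placeholders, not CVEs.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "pkg:generic/example-tls",
     "introduced": "1.0.0", "fixed": "1.0.3", "severity": "HIGH"},
    {"id": "EXAMPLE-ADV-0002", "package": "pkg:generic/example-json",
     "introduced": "2.6.0", "fixed": None, "severity": "MEDIUM"},
    {"id": "EXAMPLE-ADV-0003", "package": "pkg:generic/example-rtos",
     "introduced": "7.0", "fixed": "7.10", "severity": "CRITICAL"},
]


def parse_version(version: str) -> list:
    """Split a dotted version into integers ('1.0.2a' -> [1, 0, 2]).

    Numeric comparison matters: as strings, '7.9' sorts after '7.10'.
    Non-numeric suffixes are ignored; this is not a full semver parser.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return parts


def version_lt(a: str, b: str) -> bool:
    """True if version a sorts strictly before b; shorter versions are zero-padded."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return pa < pb


def is_affected(version: str, introduced: str, fixed) -> bool:
    """Affected when introduced <= version < fixed; fixed=None means every later version."""
    if version_lt(version, introduced):
        return False
    return fixed is None or version_lt(version, fixed)


def split_purl(purl: str) -> tuple:
    """Return (package, version) from e.g. 'pkg:generic/example-tls@1.0.2?arch=arm'."""
    package, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0].split("#", 1)[0]
    return package.split("?", 1)[0], version


def match_sbom(sbom_json: str, advisories: list) -> dict:
    """Return {'findings': [...], 'unassessed': [...]} for the SBOM against the feed."""
    sbom = json.loads(sbom_json)
    findings, unassessed = [], []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            # No package identifier means no reliable match; surface it, don't hide it.
            unassessed.append(comp.get("name", "<unnamed>"))
            continue
        package, version = split_purl(purl)
        version = version or comp.get("version", "")
        for adv in advisories:
            if adv["package"] == package and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"component": comp["name"], "version": version,
                                 "advisory": adv["id"], "severity": adv["severity"],
                                 "fixed_in": adv["fixed"]})
    findings.sort(key=lambda f: (f["severity"], f["component"]))
    return {"findings": findings, "unassessed": unassessed}


if __name__ == "__main__":
    report = match_sbom(SBOM_JSON, ADVISORIES)
    for f in report["findings"]:
        print(f"{f['severity']:8} {f['component']}@{f['version']}  {f['advisory']}  fixed in {f['fixed_in']}")
    for name in report["unassessed"]:
        print(f"UNKNOWN  {name}: no purl in SBOM, cannot be assessed")
```

Run as-is, the script reports example-tls 1.0.2 against EXAMPLE-ADV-0001 (fixed in 1.0.3), leaves example-json alone because 2.5.0 predates the affected range, leaves example-rtos alone because 7.10 is exactly the fixed release, and flags vendor-blob as unassessable. That last line is the one a hospital security team should push back to the vendor on: an SBOM entry with no identifier is exactly the “don’t know about” gap the post describes.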

A great place to start utilizing the SBOM is in healthcare. Today, the Healthcare industry is a prime target for hackers, partially because they utilize many millions of network-connected medical devices, and they are very slow at detecting malicious activity on their networks. One of the major reasons for their inability to respond quickly is the lack of visibility or transparency into those deployed medical devices. This is because medical device manufacturers are not currently required to provide SBOMs to their customers. And remember, you can’t protect what you don’t know about.

This might all be changing soon. The US Food and Drug Administration (FDA) is expected to finalize its Content of Premarket Submissions for Management of Cybersecurity in Medical Devices this year. The guidance recommends that SBOMs accompany manufactured medical devices, along with various levels of vulnerability monitoring. The SBOM is a much-needed security document, and the recommendation to include one can’t come too soon. Medical device manufacturers should consider the logistical details of generating SBOMs for their products and continuously monitoring the listed components for new vulnerabilities. Putting processes and policies in place today will enable a more agile response when customers and regulatory agencies begin demanding SBOMs, and prospects refuse to consider products without them. Of course, savvy customers aren’t waiting for the FDA to finalize the guidance, so maybe you should think about putting those SBOM processes and policies in place yesterday.


Two Key Device Security Documents Hospitals Need Now


When it comes to medical device security risk, hospitals are largely in the dark. By deploying medical devices without a Software Bill of Materials (SBOM) and/or an MDS2 (Manufacturer Disclosure Statement for Medical Device Security), they have no good way to know their actual exposure to cyberattacks, at least not without a great deal of manual effort.

In October, CISA (Cybersecurity & Infrastructure Security Agency), together with the FBI and HHS, released a cybersecurity advisory warning of an imminent ransomware threat to healthcare providers. Since the warning was released, there has been a wave of cyberattacks on hospitals; in October alone, attacks on hospitals increased by 71%.

Some of these recent cyberattacks have ended up as national news, with reporting on the aftermath focused on the immediate impacts on patient safety. Turning away patients because systems are compromised, for example, can have an immediate impact on that patient’s probability of survival; see our recent post on the Düsseldorf hospital fatality for details. However, there are also less obvious, longer-term patient health impacts of these cyberattacks.

Take for example, the cancer center that is part of the University of Vermont Medical Center, which suffered an attack in late October. Due to the unavailability of their systems, including patient records, the clinicians were forced to turn away cancer patients. Without knowing the precise care regimen, and not wanting to try to work from memory, the clinicians really had no other good option. Not getting the needed treatments in the necessary timeframe will have an impact on a patient’s treatment outcome.

Cyberattacks targeting patient data systems such as Electronic Health Records cause, on average, 15 days of patient data system disruption. In some attacks, clinicians were without system access for much longer. For example, the Universal Health Services attack, which we summarized in a recent post, left hospital staff without access to patient data for more than three weeks.

While the healthcare industry will remain a primary target for hackers, with the global pandemic confounding the ability to respond, there are actions hospital security teams can take that provide some protection. The first step is to make sure all of your systems are properly maintained and patched. With medical devices this is not a straightforward exercise, because you cannot patch or even assess a device without knowing what software is on it, and that requires security documentation from the vendor. Specifically, the vendor should be able to provide an MDS2 (Manufacturer Disclosure Statement for Medical Device Security) along with a Software Bill of Materials (SBOM) for each device. Vendors sometimes make the MDS2 available on a website for download; in most cases, SBOMs have to be requested.

In addition to obtaining the proper security documentation from your medical device vendors, also remember that Vigilant Ops is here to help protect your deployed medical devices, and we are available for a free cybersecurity consultation anytime. Please reach out using any of the contact information below.


Vigilant Ops
8085 Saltsburg Rd., Pittsburgh, PA 15239

Copyright © 2021 Vigilant Ops. All rights reserved.