We all do it. When we sense something wrong with our health, we often go to the internet, plug in our symptoms, and try to diagnose the issue.
In our ever-connected world, we are not the only ones using the internet. To improve the effectiveness and safety of our healthcare system, hospital infrastructure, medical devices, and doctors are also connected to the internet. The smarter our healthcare systems are, the better the quality of care we'll receive.
Then there is this:
- In early 2016, Hollywood Presbyterian Hospital was hit with a ransomware attack due to a known vulnerability in open source software components used in some of its applications.
- In March 2016, researchers discovered "715 known security vulnerabilities in automated supply cabinets used to dispense medical supplies" with a severity rating of high or critical.
- Last fall, Johnson & Johnson warned consumers of security flaws found inside the software supporting their insulin pumps.
- In January, the FDA and DHS issued an advisory warning of security vulnerabilities found in St. Jude Medical's Merlin@home unit that could affect the company's implantable cardiac devices (ICDs).
- Last month, 8,000 known security vulnerabilities were found in open source libraries used to build the software supporting four well-known pacemaker programming machines.
Fit, Healthy, and Secure
To keep us healthy and ensure proper care, our connected healthcare systems also need to be secure.
The Healthcare Industry Cybersecurity Task Force is spearheading an effort to keep our healthcare system and medical devices secure. Last week, the task force released a comprehensive report stating "the healthcare system cannot deliver effective and safe care without deeper digital connectivity. If the healthcare system is connected, but insecure, this connectivity could betray patient safety, subjecting them to unnecessary risk and forcing them to pay unaffordable personal costs. Our nation must find a way to prevent our patients from being forced to choose between connectivity and security."
The task force identified six high-level imperatives to guide recommendations and actions for the healthcare community, including leadership, workforce, information sharing, and software application analysis.
Software Bill of Materials
Among the recommendations of the task force was the call to improve transparency regarding open source software components used in medical devices:
"Improve manufacturing and development transparency among developers and users. To track medical device vulnerabilities, there is a need for transparency regarding third party software components. Having a "bill of materials" is key for organizations to manage their assets, because they must first understand what they have on their systems before determining whether these technologies are impacted by a given threat or vulnerability. Moreover, this transparency enables healthcare providers to assess the risk of medical devices on their networks, confirm components are assessed against the same cybersecurity baseline requirements as the medical device, and implement mitigation strategies when patches are."
The recommendation ends by stating, "To date, this practice has not been widely adopted."
While cybersecurity practices across the medical device industry need to be improved, the technology to support them has been accessible for years. For medical device makers looking to create a "software bill of materials," Sonatype offers this analysis as a free service. Creating a bill of materials is simple; the end-to-end elapsed time to analyze an average-sized application is between 10 - 15 seconds.
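To make the task force's point concrete, here is an added example of the two steps the recommendation describes: first inventory the third-party components an application ships with, then match that inventory against a feed of known vulnerable version ranges and flag the components that have no fix yet. This is my own illustration, not Sonatype's service and not code from the task force report; the inventory format, component names, versions and advisory ids are all constructed placeholders.

```python
"""Minimal software bill of materials (SBOM) check.

Added example, not Sonatype's code or service. Given an inventory of
third-party components and a feed of advisories describing affected
version ranges, report which shipped components are affected and which
of those currently have no fixed version to upgrade to.

Every component name, version number and advisory id below is a
constructed placeholder, not a real package or a real CVE.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    component: str
    introduced: str          # first affected version (inclusive)
    fixed: Optional[str]     # first fixed version (exclusive); None if no fix yet
    severity: str


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version such as '1.4.2' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_bom(text: str) -> List[Component]:
    """Parse a constructed 'name==version' per-line inventory into components.

    Unpinned entries are rejected: a bill of materials that does not state
    the exact version cannot be matched against a vulnerability range.
    """
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"component without pinned version: {line!r}")
        components.append(Component(name.strip(), version.strip()))
    return components


def is_affected(component: Component, advisory: Advisory) -> bool:
    """True when the component falls inside the advisory's [introduced, fixed) range."""
    if component.name != advisory.component:
        return False
    version = parse_version(component.version)
    if version < parse_version(advisory.introduced):
        return False
    if advisory.fixed is not None and version >= parse_version(advisory.fixed):
        return False
    return True


def check_bom(components: List[Component],
              advisories: List[Advisory]) -> List[Tuple[Component, Advisory]]:
    """Match every shipped component against every advisory; return the hits."""
    return [(c, a) for c in components for a in advisories if is_affected(c, a)]


def needs_mitigation(findings: List[Tuple[Component, Advisory]]) -> List[Component]:
    """Affected components for which the advisory lists no fixed version.

    These cannot be resolved by upgrading; they need a compensating control
    (network segmentation, feature disablement, monitoring) until a fix ships.
    """
    return [c for c, a in findings if a.fixed is None]


# Constructed inventory for a hypothetical device-programmer application.
SAMPLE_BOM = """
json-parser==1.4.2
tls-lib==2.0.1
logging-util==0.9.0
image-codec==3.1.0
"""

# Constructed advisory feed (placeholder ids, not real CVEs).
ADVISORIES = [
    Advisory("ADV-0001", "json-parser", "1.0.0", "1.4.3", "high"),     # 1.4.2 is inside the range
    Advisory("ADV-0002", "tls-lib", "2.0.0", "2.0.1", "critical"),     # 2.0.1 is the fixed version
    Advisory("ADV-0003", "image-codec", "3.0.0", None, "critical"),    # no fix published yet
    Advisory("ADV-0004", "logging-util", "1.0.0", "1.0.4", "medium"),  # 0.9.0 predates the bug
]


if __name__ == "__main__":
    findings = check_bom(parse_bom(SAMPLE_BOM), ADVISORIES)
    for component, advisory in findings:
        print(f"{component.name} {component.version}: {advisory.advisory_id} "
              f"({advisory.severity}), fixed in {advisory.fixed or 'no fix yet'}")
    for component in needs_mitigation(findings):
        print(f"mitigation required: {component.name} {component.version}")
```

The version comparison deliberately treats a component whose version equals the advisory's `fixed` value as not affected, and one below `introduced` as not affected either; both edge cases appear in the constructed data so the result shows the inventory step doing real work rather than flagging every name that appears in the feed.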

Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps -- an online community of 65,000 IT professionals.
