With “the evil genius of the modern-day cybercriminal” becoming ever harder to underestimate, Eracent, a developer of software and IT asset management tools, says it will offer healthcare organizations a no-cost tool that automates the scanning of medical devices’ software bills of materials (SBOMs) and matches the listed components against vulnerability data in its product library.
The U.S. Food and Drug Administration announced that, beginning October 1, new medical device submissions must contain a detailed cybersecurity plan describing how manufacturers will monitor and address vulnerabilities.
Part of the 2022 Omnibus Appropriations Act, the long-awaited measure gives the FDA the authority to require the SBOM with each medical device.
“An SBOM by itself is impotent and ineffective if it is not constantly scrutinized by an automated, proactive process with instant visibility and vigilance in mitigating and resolving any component-level security weaknesses across the life cycle of the hardware/software device,” said Walt Szablowski, Eracent founder and executive chairman, in the announcement.
The C-SCRM platform recognizes obsolete components that can increase security risks, including open-source software components within applications that standard vulnerability analysis tools do not scan, according to Eracent.
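To make concrete what the SBOM matching described above actually involves (reading the component list, checking each component's version against advisory ranges, and flagging unsupported or unresolvable components), here is an added example. It is not Eracent's code and says nothing about how its product library works; the SBOM, the advisory catalogue, the advisory identifiers (`ADV-EXAMPLE-*`) and the end-of-life list are all constructed sample data, and the version-range logic is a deliberately simple dotted-integer comparison.

```python
"""Match the components of a CycloneDX-style SBOM against a vulnerability
catalogue and an end-of-life list. All data below is constructed for the
example; the advisory IDs are placeholders, not real identifiers."""
import json
from typing import Optional

# Constructed CycloneDX-style SBOM for a hypothetical device. One component
# deliberately lacks a version, a common gap in vendor-supplied SBOMs.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libexample-tls", "version": "1.2.3"},
        {"type": "library", "name": "demo-json", "version": "2.0.0"},
        {"type": "library", "name": "legacy-rtos", "version": "0.9"},
        {"type": "library", "name": "vendor-blob"},
    ],
})

# Constructed advisory catalogue: affected range is [introduced, fixed).
# A fixed value of None means no fixed release is known.
VULN_CATALOGUE = [
    {"id": "ADV-EXAMPLE-0001", "name": "libexample-tls",
     "introduced": "1.0.0", "fixed": "1.2.4", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "name": "demo-json",
     "introduced": "1.0.0", "fixed": "2.0.0", "severity": "medium"},
]

# Constructed end-of-life list: component name -> last version ever supported.
EOL_COMPONENTS = {"legacy-rtos": "0.9"}


def parse_version(version: str) -> tuple:
    """Turn '1.2.3' into (1, 2, 3); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed (or no fix exists)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def load_components(sbom_json: str) -> list:
    """Return (name, version-or-None) pairs from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return [(c["name"], c.get("version")) for c in bom.get("components", [])]


def match_sbom(sbom_json: str, catalogue=VULN_CATALOGUE, eol=EOL_COMPONENTS) -> list:
    """Produce one finding per advisory hit, end-of-life hit or unresolvable entry."""
    findings = []
    for name, version in load_components(sbom_json):
        label = f"{name}@{version}" if version else name
        if version is None:
            # Cannot be matched at all: surface it rather than silently passing.
            findings.append({"component": label, "advisory": "UNRESOLVED",
                             "severity": "info",
                             "remediation": "obtain component version from vendor"})
            continue
        for adv in catalogue:
            if adv["name"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                fix = adv["fixed"] or "no fixed release known"
                findings.append({"component": label, "advisory": adv["id"],
                                 "severity": adv["severity"],
                                 "remediation": f"upgrade to {fix}"})
        if name in eol and parse_version(version) <= parse_version(eol[name]):
            findings.append({"component": label, "advisory": "END-OF-LIFE",
                             "severity": "info",
                             "remediation": "replace unsupported component"})
    return findings


if __name__ == "__main__":
    for f in match_sbom(SAMPLE_SBOM):
        print(f"{f['severity']:<6} {f['component']:<22} {f['advisory']:<18} {f['remediation']}")
```

Two details matter for any real scanner: the fixed version is excluded from the affected range (so `demo-json@2.0.0` is clean), and a component with no version is reported as unresolved rather than dropped, since an SBOM that cannot be matched is exactly the "impotent" document Szablowski describes.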
The global enterprise network management company, with its U.S. base in Riegelsville, Pennsylvania, says that it is offering access to its device-analytics platform to get all healthcare sectors affected by new medical device cybersecurity regulations on the road to compliance.
Medical device vulnerabilities, such as ones in insulin pumps, defibrillators, mobile cardiac telemetry, pacemakers and intrathecal pain pumps, can be exploited by skilled hackers seeking to interfere with a medical facility’s operations or compromise protected data.
They can also endanger patient health.
“The healthcare industry needs to appreciate the risks that may exist in the medical device software they use, whether open-source or proprietary. And medical device manufacturers need to acknowledge the potential risks inherent in the products they offer,” Eracent said.
THE LARGER TREND
The PATCH Act initially sought to impose a series of cybersecurity requirements for manufacturers applying for premarket approval through the FDA, but the requirement was dropped in the final bill this past year.
In September, the FBI offered healthcare organizations recommendations for addressing cybersecurity vulnerabilities in active medical devices.
However, risk analysis is “still a very manual and labor-intensive process,” said Kathy Hughes, CISO of Northwell Health, during a panel on third-party cybersecurity at the December 2022 HIMSS Healthcare Cybersecurity Forum.
Automating the discovery of vulnerabilities presented by medical devices, which can help minimize cybersecurity breaches that disrupt operations and affect patient care, is an important strategy for healthcare IT this year.
ON THE RECORD
“These new cybersecurity regulations tend to have a cascade effect that may sneak up on some unsuspecting entities in and around the aggregate medical-industrial complex,” said Szablowski in the announcement. “We are now offering medical providers and device manufacturers unprecedented free access to our SBOM supply chain risk end-point discovery and end-point analysis software solutions.”
Andrea Fox is senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS Media publication.