
New Software Standards Could Help Hospitals Thwart Hackers

As of April 1, 2023, medical device manufacturers are required to submit to the FDA a Software Bill of Materials listing the software in their devices, including open-source libraries and the software embedded in hardware, so that the components attackers exploit can be identified.

Having already compromised businesses, utilities and government agencies, attackers have increasingly turned their attention to unsuspecting health-care providers.

A Ponemon Institute survey recently revealed that 47 percent of health-care organizations faced ransomware attacks in the last two years. Of those, 45 percent reported issues during medical procedures in 2022, up from 36 percent in 2021. And, according to IBM Security’s analysis, cyber attacks on hospitals and health systems cost more than $10 million on average.

“Hospitals are routinely attacked, and the reasons are not limited to criminal activity. Yes, health records can be monetized by selling on the dark web, and the value of those records exceeds that of other personally identifiable information,” Mike Hamilton, CISO of cybersecurity firm Critical Insight, wrote in an email. “Increasingly, the health sector is also being harassed specifically because of its criticality at the scale we live our lives.”

That could change for the better. The $1.7 trillion Consolidated Appropriations Act, signed in December 2022, legally requires medical device manufacturers to include a Software Bill of Materials (SBOM) in their submissions to the FDA as of April 1, 2023.

An SBOM requires a supplier of software, or of hardware that contains software, to enumerate exactly what it is delivering, down to the open-source libraries and other third-party components the product was built from.

Hospitals are full of small embedded computers inside everyday equipment such as thermometers, temperature control systems and heart monitors, to name just a few.

“There are devices everywhere that are on a network and they’re all hackable,” said Walter Szablowski, founder and executive chairman of Eracent, a global company that helps clients manage their IT network assets, software licenses and cybersecurity issues.

“Government demands now that when you deliver software to a government agency [or any entity controlled or licensed by the FDA] you include with it a listing of all the open-source libraries that you used in the preparation and creation of the product, and that’s huge because they were never forced to do that before,” Szablowski said.

Suppliers must also list every delivered item that contains software, since that embedded software is what attackers have been reaching so easily over the network.

“Every time you buy a thermometer, a [blood] pressure cuff, they all come networked so they have little computers inside them and are extremely hackable,” Szablowski said. “So ... you’re in a hospital and somebody tells you, ‘Look at your heart monitor, it’s all over the place,’ and then you realize that somebody is hacking you and they tell you they need a little bit of money.”

Hospitals have been paying the ransoms, but the ransom is only part of the cost of being hacked. There is lost income, the expense of cleaning up after the intrusion and the shutdown of operations for some period of time. And after all that, the attacker may reappear a year or so later, once they judge it safe to try again.

“When a hospital operation is disrupted and patients are redirected, not only are health outcomes affected, but it’s one more brick in the wall for a sector that is already on the financial ropes,” Hamilton wrote. “Fomenting American dissatisfaction with our institutions is a strategic goal of many countries, and the health-care sector lends itself to this goal quite well.”

The SBOM itself lists components and their versions rather than vulnerabilities, but once a health-care provider has that list it can be matched against vulnerability databases to show exactly which known flaws exist in the equipment they’ve procured, and what to do about them, whether that is patching, isolating the device on the network or pressing the vendor for a fix.

Eracent offers a free SBOM application management process that reads the data in the SBOM, flags licensing issues among the listed components and then identifies known vulnerabilities associated with them.
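The two steps described above, reading an SBOM and then deriving licensing and vulnerability findings from it, can be shown end to end. The following is an added example written for this article; it is not Eracent’s tool or any vendor’s code. It reads a CycloneDX-format SBOM (the JSON layout used here follows the CycloneDX 1.4 component schema), summarizes the SPDX license of each component, and matches component versions against an advisory feed. Both the SBOM and the advisory feed are constructed sample data with hypothetical advisory IDs; in practice the feed would come from NVD, OSV or the device vendor, and the version comparison would use the ecosystem’s own rules.

```python
"""Read a CycloneDX-style SBOM, summarise component licenses, and match versions to advisories.

Added example for illustration; not Eracent's product or code from any real device.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample SBOM in CycloneDX 1.4 JSON layout (hypothetical device and versions).
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"type": "device", "name": "example-patient-monitor", "version": "4.2.0"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k",
     "licenses": [{"license": {"id": "OpenSSL"}}]},
    {"type": "library", "name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11",
     "licenses": [{"license": {"id": "Zlib"}}]},
    {"type": "library", "name": "busybox", "version": "1.31.0", "purl": "pkg:generic/busybox@1.31.0",
     "licenses": [{"license": {"id": "GPL-2.0-only"}}]},
    {"type": "library", "name": "mbedtls", "version": "2.16.12", "purl": "pkg:generic/mbedtls@2.16.12"}
  ]
}
"""

# Constructed advisory feed with hypothetical IDs (not real CVEs). A real pipeline would pull
# NVD, OSV or vendor advisories. "introduced" is inclusive, "fixed" is exclusive (None = unfixed).
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "openssl", "introduced": "1.1.1", "fixed": "1.1.1l", "severity": "high"},
    {"id": "ADV-EXAMPLE-002", "package": "zlib", "introduced": "1.2.0", "fixed": "1.2.12", "severity": "medium"},
    {"id": "ADV-EXAMPLE-003", "package": "busybox", "introduced": "1.33.0", "fixed": "1.34.0", "severity": "low"},
]

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(version: str) -> Tuple:
    """Turn '1.1.1k' into a comparable tuple ((0,1),(0,1),(0,1),(1,'k')).

    Numeric tokens compare as integers; letter suffixes compare after numbers at the same
    position. This handles the dotted, letter-suffixed versions common in embedded firmware;
    it is deliberately not a full semver or distro-version implementation.
    """
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok.lower()) for tok in _TOKEN.findall(version))


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True if introduced <= version < fixed (or version >= introduced when there is no fix)."""
    v = version_key(version)
    if v < version_key(introduced):
        return False
    return fixed is None or v < version_key(fixed)


def load_sbom(text: str) -> List[dict]:
    """Parse a CycloneDX JSON document and return its component list."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return doc.get("components", [])


def license_summary(components: List[dict]) -> Dict[str, List[str]]:
    """Map license id (or name) to component names; components with no license data go under UNKNOWN."""
    summary: Dict[str, List[str]] = {}
    for comp in components:
        ids = []
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {})
            ids.append(lic.get("id") or lic.get("name"))
        for lic_id in [i for i in ids if i] or ["UNKNOWN"]:
            summary.setdefault(lic_id, []).append(comp["name"])
    return summary


def match_vulnerabilities(components: List[dict], advisories: List[dict]) -> List[dict]:
    """Return one finding per (component, advisory) pair whose version falls in the affected range."""
    findings = []
    for comp in components:
        for adv in advisories:
            if adv["package"] == comp["name"] and is_affected(comp["version"], adv["introduced"], adv.get("fixed")):
                findings.append({
                    "component": f"{comp['name']}@{comp['version']}",
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv.get("fixed"),
                })
    return findings


def analyse(sbom_text: str, advisories: List[dict]) -> dict:
    """Full pass: parse the SBOM, then produce the license summary and vulnerability findings."""
    components = load_sbom(sbom_text)
    return {"licenses": license_summary(components), "findings": match_vulnerabilities(components, advisories)}


if __name__ == "__main__":
    report = analyse(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES)
    for lic, names in sorted(report["licenses"].items()):
        print(f"license {lic}: {', '.join(names)}")
    for finding in report["findings"]:
        print(f"{finding['component']} affected by {finding['advisory']} ({finding['severity']}), "
              f"fixed in {finding['fixed_in']}")
```

On the sample data, openssl 1.1.1k and zlib 1.2.11 fall inside their advisories’ affected ranges, busybox 1.31.0 predates its advisory’s introduced version and is not flagged, and mbedtls has no license data and is reported as UNKNOWN. That last case is the one worth watching in real SBOMs: a component with no license or version information cannot be matched against anything, and a hospital should treat it as a question to put back to the vendor rather than as a clean result.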