Parallax Q&A: Decoding the costs of medical-device security

Thank you for subscribing to the free edition of the twice-weekly Parallax View newsletter. If you are a legacy subscriber of The Parallax View, we are so grateful for your support over the past six years that we have gifted you a premium subscription. If you like our reporting, please share it! This project depends and thrives on your contributions.

If you’re a new subscriber to our newsletter, welcome to The Parallax View. Thank you for your support! The free edition of The Parallax View lands in your inbox on Tuesdays and the reader-sponsored edition on Fridays. If you’d like to support our independent journalism on the intersection of health care and cybersecurity with a paid subscription, you can do so here. If you’d like a subscription option that isn’t listed, please email seth@the-parallax.com.

On May 12, just before the start of last week’s annual RSA Conference on cybersecurity, President Joe Biden delivered his long-awaited cybersecurity executive order. Within the order was a surprising mandate: The federal government and private sector must develop and include a software bill of materials, a years-in-the-making policy that could change how medical devices are protected.

A software bill of materials, or SBOM, is an ingredients list of the software components that have gone into larger, more complex software—as well as hardware that depends on the software. Biden’s executive order defines it as “a formal record containing the details and supply chain relationships of various components used in building software.”

The idea behind mandating SBOMs is that they will help stakeholders, including regulators, manufacturers, consumer advocates, security researchers, and independent technicians, update device software to make it more secure.

Seth Carmody, vice president of regulatory strategy, MedCrypt

SBOMs have been part of the discussion of how to protect medical devices since 2016, says Seth Carmody, former cybersecurity program manager for medical devices at the Food and Drug Administration’s Center for Devices and Radiological Health.