One security control challenge we see information services (IS) professionals and HIPAA security officers work to manage is a complete inventory. Taking this control one step further means including medical equipment that processes protected health information (PHI). We often see a new realization the first time we work with our partner-clients, because most IS people aren't charged with managing medical equipment; most of the time it is handled by clinicians who rely on vendors. This leaves a significant gap in understanding the vulnerabilities that stem from (for example) unrecognized external communications connections and unpatched software or firmware (sometimes the entire platform is built on an operating system that is no longer supported).
A partial solution to understanding inventory risks, whether on traditional computing assets or medical equipment, is a software bill of materials (SBOM). Simply put, an SBOM is a list of all assets and their associated software products. Knowing who needs what software to perform their job or function can help a HIPAA security officer work with clinical staff and IS leadership to identify risks to the (e)PHI environment. Blindly trusting third-party vendors to keep a HIPAA-covered organization secure is a risk in itself, and learning what exists may be a little like peeling an onion at first, especially with medical equipment (e.g. laboratories, radiology, nurse station monitoring systems, vital-sign reporting systems, etc.) or other specialized computer stations (e.g. billing, etc.).
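To make the idea concrete, here is an added example (not code from the original post) of what a security officer can do once an SBOM-style inventory exists: each asset is recorded with its owner, its operating system, its software and firmware versions, and any external connections, and a short review flags the exact risks the post describes (unsupported platforms, firmware below an agreed patched baseline, unreviewed outside connections, and PHI systems with no software listed at all). Every asset name, product name, version, end-of-support date and owner below is constructed sample data; the platform names are placeholders, not real products.

```python
"""Added example: a minimal SBOM-style inventory review.
All assets, products, versions, dates and owners are constructed
sample data, not real vendor or product information."""
from dataclasses import dataclass, field
from datetime import date

# Constructed sample: platforms the organisation treats as no longer supported.
# Real end-of-support dates come from the vendor; these are placeholders.
END_OF_SUPPORT = {
    "ExampleOS 7": date(2020, 1, 14),
    "ExampleOS 8.1": date(2023, 1, 10),
}

# Constructed sample: lowest acceptable version per product, as agreed with the
# vendor and the clinical owner (placeholder names and versions).
MIN_VERSION = {
    "ImagingViewer": (4, 2, 0),
    "LabAnalyzerFW": (2, 0, 5),
}


@dataclass
class Asset:
    name: str
    owner: str                  # who relies on it day to day (clinical or IS)
    handles_phi: bool
    os: str
    software: dict = field(default_factory=dict)              # product -> version
    external_connections: list = field(default_factory=list)  # e.g. vendor remote support


def parse_version(version: str) -> tuple:
    """Turn '2.0.3' into (2, 0, 3) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def review_asset(asset: Asset, today: date) -> list:
    """Return (severity, finding) tuples for one inventory entry."""
    findings = []
    eol = END_OF_SUPPORT.get(asset.os)
    if eol is not None and today > eol:
        findings.append(("high", f"{asset.name}: OS '{asset.os}' unsupported since {eol}"))
    for product, version in asset.software.items():
        baseline = MIN_VERSION.get(product)
        if baseline is not None and parse_version(version) < baseline:
            findings.append(("high", f"{asset.name}: {product} {version} below patched baseline"))
    for conn in asset.external_connections:
        findings.append(("medium", f"{asset.name}: external connection '{conn}' needs review"))
    if asset.handles_phi and not asset.software:
        # A PHI system with nothing listed is itself a finding: the SBOM is incomplete.
        findings.append(("medium", f"{asset.name}: handles PHI but no software recorded (SBOM gap)"))
    return findings


def review_inventory(assets: list, today: date) -> dict:
    """Map each asset name to its list of findings."""
    return {asset.name: review_asset(asset, today) for asset in assets}


def risks_by_owner(report: dict, assets: list) -> dict:
    """Group findings by owner so the security officer knows whom to involve."""
    owners = {asset.name: asset.owner for asset in assets}
    grouped = {}
    for name, findings in report.items():
        grouped.setdefault(owners[name], []).extend(findings)
    return grouped


# Constructed sample inventory: one lab analyzer, one radiology workstation,
# one billing PC. None of these describe real equipment.
SAMPLE_INVENTORY = [
    Asset("LAB-ANALYZER-01", "Laboratory", True, "ExampleOS 7",
          {"LabAnalyzerFW": "2.0.3"}, ["vendor-remote-support"]),
    Asset("RAD-WS-02", "Radiology", True, "ExampleOS 10",
          {"ImagingViewer": "4.3.1"}, []),
    Asset("BILLING-PC-07", "Billing", True, "ExampleOS 10", {}, []),
]


def sample_report() -> dict:
    """Run the review against the constructed inventory on a fixed date."""
    return review_inventory(SAMPLE_INVENTORY, today=date(2024, 6, 1))


if __name__ == "__main__":
    for owner, findings in risks_by_owner(sample_report(), SAMPLE_INVENTORY).items():
        print(owner)
        for severity, text in findings:
            print(f"  [{severity}] {text}")
```

The point of grouping by owner is the one the post makes: the lab analyzer's findings go to the laboratory staff and their vendor, not to a generic IS queue, and the billing PC shows up not because anything is known to be wrong with it but because nothing is known about it at all.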
One thing to keep in mind is that the criminals don't need an SBOM to launch an attack. They just look around until their software finds a vulnerability, and then strike. At that point, who's to blame becomes a moot point. We encourage our partner-clients to understand what hardware, software and firmware exists in ALL organization equipment - IS-based or otherwise. Click the image below if you want or need some help with your inventory.
Stay (HIPAA) safe, Alan -