Why the FDA’s SBOM Mandate Shifts the Paradigm for OSS Security

The US Food and Drug Administration (FDA) has introduced new rules that could have a significant impact on the security of open source software (OSS) used in medical devices. Starting from October 1, 2023, the FDA will require all medical devices running software to create and maintain a software bill of materials (SBOM). This move comes as concerns grow over the lack of proper security measures in critical software-powered components of healthcare devices, making them vulnerable to ransomware attacks and potential hacking.

Medical devices often rely on outdated or end-of-life operating systems, with a significant number using Linux or other open source software. Manufacturers frequently struggle to update firmware or device software, and there is often a lack of cybersecurity knowledge among medical professionals who install and use these devices. These issues have been a cause for concern for some time, but the new FDA rule brings a new level of attention to the problem, specifically through the SBOM requirement.

Software bills of materials (SBOMs) have been an ongoing topic of discussion and promise within the software industry. Following several high-profile supply chain attacks, including the SolarWinds hack, the US government issued an executive order mandating the inclusion of an SBOM in software used by government agencies. This has led to the emergence of startups and the introduction of automated SBOM generation by major version-control providers like GitHub and GitLab. Adoption of SBOMs has been increasing, with a survey by the Linux Foundation indicating that 78% of organizations planned to produce or consume SBOMs by the end of 2022.

What sets the FDA’s SBOM requirement apart is its enforceability. The mere production or consumption of SBOMs does not necessarily result in improved security, as it is possible to generate a superficial and ineffective SBOM. The FDA mandates that medical device manufacturers must submit a plan to monitor and address cybersecurity vulnerabilities and exploits in a reasonable time, as well as develop and maintain processes and procedures to ensure reasonable cyber security. Failure to meet these requirements could result in the FDA refusing to accept a proposed device, preventing it from being brought to market.

This new FDA rule has broader implications for the OSS ecosystem. Linux is already widely used in medical devices, and the growing acceptance and reputation of OSS make it an increasingly popular choice. With the FDA’s SBOM mandate, there will likely be a shift towards OSS components that demonstrate strong security behaviors. Medical device companies and service providers will be pressured to develop robust and up-to-date SBOMs that can be aggregated into compound SBOMs for specific medical devices and their software stacks. This may result in a decline in the use of OSS subcomponents that do not comply with the SBOM mandate.
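As an added illustration of the aggregation step described above (example code written for this page, not from the article or any vendor tool), the script below merges two component SBOMs into one compound SBOM for a device and flags entries that are too superficial to match against vulnerability advisories. It assumes CycloneDX-style JSON, which the article does not name, and the component data is constructed.

```python
import json
from collections import OrderedDict

# Constructed component SBOMs for a hypothetical device: one for the Linux base
# image and one for the vendor application. CycloneDX-style JSON is an assumption.
BASE_OS_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "operating-system", "name": "linux-kernel", "version": "4.4.0",
         "purl": "pkg:generic/linux-kernel@4.4.0"},
        {"type": "library", "name": "openssl", "version": "1.0.2",
         "purl": "pkg:generic/openssl@1.0.2"},
    ],
})
APP_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.0.2",
         "purl": "pkg:generic/openssl@1.0.2"},      # same library as in the base image
        {"type": "library", "name": "zlib"},          # superficial entry: no version, no purl
        {"type": "application", "name": "infusion-ctl", "version": "2.3.1",
         "purl": "pkg:generic/infusion-ctl@2.3.1"},
    ],
})

# Minimum fields an entry needs before it can be matched against an advisory feed.
REQUIRED_FIELDS = ("name", "version", "purl")

def component_key(comp):
    # Prefer the package URL; fall back to name@version so duplicates collapse.
    return comp.get("purl") or f"{comp.get('name')}@{comp.get('version')}"

def aggregate_sboms(sbom_docs):
    """Merge component SBOMs into one compound SBOM.
    Returns (compound_sbom, incomplete) where incomplete lists (name, missing_fields)
    for entries that are kept but cannot be matched against advisories as-is."""
    merged = OrderedDict()
    incomplete = []
    for doc in sbom_docs:
        for comp in json.loads(doc).get("components", []):
            missing = [f for f in REQUIRED_FIELDS if not comp.get(f)]
            if missing:
                incomplete.append((comp.get("name"), missing))
            merged.setdefault(component_key(comp), comp)  # first occurrence wins
    compound = {"bomFormat": "CycloneDX", "specVersion": "1.4",
                "components": list(merged.values())}
    return compound, incomplete

if __name__ == "__main__":
    bom, flagged = aggregate_sboms([BASE_OS_SBOM, APP_SBOM])
    print(json.dumps(bom, indent=2))
    print("entries needing remediation:", flagged)
```

Flagged entries stay in the compound SBOM so the device inventory remains complete, while the returned list tells the manufacturer which entries must be corrected before the SBOM can support vulnerability monitoring.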

The FDA’s mandate also offers a catalyst for a broader shift towards trusted and transparent OSS. It puts pressure on OSS applications to become more transparent and accountable, and it may lead to the emergence of trusted package repositories and mandated package provenance. This will ultimately benefit the OSS community by ensuring the security of critical infrastructure and components and providing a model for enforceable SBOM requirements.

It is important to note that OSS has already demonstrated a higher degree of transparency and accountability compared to proprietary systems. However, the FDA’s mandate pushes for even greater transparency and accountability to secure complex software supply chains and dependencies. This will not only improve the security of medical devices but also have a positive impact on the security of all software powered by open source.

Furthermore, this FDA rule may inspire similar actions in other regions, such as the European Union, where policymakers are also considering measures to mandate the hardening of medical devices against cyberattacks.

In conclusion, the FDA’s new rule requiring SBOMs for medical devices running software is a significant development for the OSS ecosystem. It brings attention to the importance of securing software-powered components in healthcare devices, and it provides a model for enforceable SBOM requirements. This will lead to a shift towards trusted and transparent OSS, ensuring the security of critical infrastructure and components and benefiting the entire OSS community.
