SBOM Analysis – An Essential Weapon for Healthcare’s Fight Against Cyberattacks

The first cyberattack dates back to 1834, when a pair of industrious thieves infiltrated the French telegraph system, stealing data and gaining access to the financial markets of that time in history. The first cybercriminals were born on that day, and their modern-day progeny have been honing their skills and taking full advantage of the Internet of Things (IoT) laid out before them like a smorgasbord of tantalizing data for sale to the highest bidder.

The medical-industrial complex is rife with opportunities for professional hackers and hobbyists to cast their cyber-lines into the sea of personal health information and hit the motherlode. A new avenue for cyberattacks is the proliferation of medical devices that are digitally connected to the IoT and, until recently, not top of mind when shoring up cybersecurity defenses. The federal government, the holy grail for cybercriminals, is taking legislative actions to shore up cybersecurity. At the center of these new regulations is the Software Bill of Materials (SBOM), which provides everything the cybercriminal can exploit, ergo everything that needs to be placed under cybersecurity lock and key.

Protected health information

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule took the first critical step in safeguarding patients’ protected health information (PHI) by “covered entities,” such as health insurance companies, healthcare providers, healthcare clearinghouses, and business associates that provide services for these covered entities. Who could have predicted nearly 30 years ago that there would be a threat so sinister and high-tech that even healthcare providers with the strictest adherence to these HIPAA regulations in place could still be vulnerable? From 2016 to 2021, cyberattacks on hospitals and health systems nearly doubled, compromising the PHI of nearly 42 million patients.

HIPAA’s healthcare data breach statistics reveal that cyberattacks are the leading cause of patient data falling into the wrong hands. In July of 2022, Methodist McKinney Hospital in Texas fell victim to a ransomware attack where a data extortion group stole 360 gigabytes of data. The cybertheft included patients’ PHI, such as names, addresses, dates of birth, Social Security numbers, payment information, and health insurance details, along with medical diagnosis and history information, all of which were subsequently released on the dark web.

Cybercriminals are aware that larger healthcare organizations have more sophisticated (yet no less vulnerable) security systems in place. So, they often go after the low-hanging fruit of smaller healthcare service providers, which can still jeopardize the sensitive information of hundreds of thousands of patients.

How much is it worth?

Privacy Affairs’ Dark Web Price Index for 2022 provides a handy invoice of sorts for the going rate of each brand of identity theft. And just like legal commerce, it’s all about supply and demand. A few highlights: 

• Credit card data – Anywhere from $10 for a Walmart account with an attached credit card. For any credit card account with a balance up to $5,000, the going rate is $120.

• Payment processing services – At the low end, $10 for stolen PayPal account details with a minimum balance of $100, and, on the high end, $800 for a verified Cash App account.

• Email database – $120 for 10 million email addresses (a bargain!).

• DDoS (distributed denial-of-service) attacks – $10 for an unprotected website, 10k to 50k requests per second for 1 hour, and up to $850 for an unprotected website, 10k to 50k requests per second for one month.

A DDoS attack disrupts normal internet operations by overwhelming a server, service, or network with artificial internet traffic, denying access, and preventing valid users from accessing online sites and services. DDoS attacks in the healthcare sector seriously threaten healthcare providers, crippling their ability to provide patient care when denied access to vital resources, such as prescription information, medical records, and software-based medical devices and equipment.

Medical devices 

Cybercriminals are expanding their horizons. After all, there are so many ways to take down critical infrastructure sectors like the healthcare industry. Cybercrime has become its own albeit villainous industry. The 2023 World Economic Forum (WEF) Global Risk Report projects the annual cost of cybercrime to hit $10.5 trillion by 2025. So, what else are they after? Medical devices have gone wireless and feature remote technology that is dependent on the IoT, such as cellular networks, Bluetooth, and cloud computing. The electronic data is transferred to software applications that create alerts for healthcare professionals to analyze and recommend treatments. 

And so another security gate has been breached. A recent study revealed that MRI machines and heart rate monitors were involved in 88% of data breaches. Medical providers place a higher priority on how technological advancements radically improve patient care, placing cybersecurity as a lower priority. Medical devices, such as insulin pumps, defibrillators, mobile cardiac telemetry, and pacemakers, are making it easier for cybercriminals to hold healthcare providers hostage. Healthcare organizations would often rather pay the ransom than reconfigure an entire system. And that creates repeat customers for the cybercriminal.

A single ransomware attack can cost $250,000 to $500,000, not including the fees incurred due to the stipulations of the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, which charges steep penalties to covered entities that leave patient data vulnerable to exposure and cybertheft. Cyberattacks on medical devices can also have deadly consequences by altering a health monitor’s reading; they can even administer a drug overdose. Cyberterrorists exploit these inadequately secured devices, interfering with medical facility operations by leveraging the confidentiality and integrity of patient data. It’s a crime syndicate.   

SBOMs, the next step in healthcare data protection

In May 2021, the White House issued Executive Order 14028, “Improving the Nation’s Cybersecurity,” in a concerted effort to mitigate cyberthreats to government agencies by mandating additional security measures that must be followed by any software publisher or developer that does business with the Federal Government, requiring them to provide a Software Bill of Materials (SBOM). A SBOM contains a comprehensive inventory of the composition of a hardware or software device, including the libraries and modules that make up the software and their interrelationships. It also manages and verifies software licenses.

To close the loop, the $1.7 trillion Omnibus Appropriations Act was signed into law in December 2022. An integral part of the legislation gives the FDA the authority to mandate that medical device manufacturers take more robust cybersecurity protection measures. One initiative requires the inclusion of an SBOM with each device brought to market through future pre-market submissions. 

A software supply chain consists of several components and dependencies that can originate from several different sources with different levels of security that can compromise the defenses of the entire system. Supply chains often consist of a combination of open-source, private entity, and commercial software, any one of which can create its own source of security vulnerabilities, such as outdated or obsolete
software.

SBOMs, by themselves, are not enough 

Tools in a toolbox can’t build or repair anything on their own without someone or something putting them to use. Full implementation of the SBOM security measure requires structure, automation, and real-time reporting, along with proactive management of the entire system. Supply chain risk management software requires continuously recognizing and mitigating vulnerabilities and lifecycle issues by relentlessly scrutinizing installed applications’ inherent risks and vulnerabilities. Successful compliance requires vigilant risk management that scans the itemized details within the SBOM to ensure that both hardware and installed software remain supported and are able to receive patches and updates. 

Cybercriminals are like marauders in search of plunder, and the SBOM is the treasure map with X marking each vulnerable link in the software supply chain. By burying the treasure and fortifying the defenses that surround it, they will move on to easier prey.  

walt szablowski
Walt Szablowski
Founder and Executive Chairman at Eracent | + posts

Walt Szablowski is the Founder and Executive Chairman of Eracent and serves as Chair of Eracent’s subsidiaries (Eracent SP ZOO, Warsaw, Poland; Eracent Private LTD in Bangalore, India, and Eracent Brazil LTDA). Eracent helps its customers meet the challenges of managing IT network assets, software licenses, and cybersecurity in today’s complex and evolving IT environments. Eracent’s enterprise clients save significantly on their annual software spend, reduce their audit and security risks, and establish more efficient asset management processes. Eracent’s client base includes some of the world’s largest corporate and government networks and IT environments. Dozens of Fortune 500 companies rely on Eracent solutions to manage and protect their networks. Visit https://eracent.com/