Overview
What challenges may MDMs face when generating, distributing, and maintaining SBOMs?
Challenge 1: SBOM for Currently Marketed/Legacy Devices
The SBOM is a fairly new concept, so generating one for older devices may be difficult, even for basic information and elements.
Potential Solutions:
- Software Composition Analysis (SCA) tools, Binary Analysis Tools, Dependency Scanners
Challenge 2: Standards and Tools
SBOM standards and tools are still evolving, and there is no one-size-fits-all solution for medical devices. MDMs may need to adapt to different standards and tools, which can be time-consuming and costly.
Challenge 3: SBOM Depth
There is a tradeoff between the depth of the SBOM and its usability.
A deeper SBOM may provide more detailed information to the end user, but it may also be more complex and challenging to generate and analyze.
Challenge 4: SBOM Distribution
Distributing SBOMs to healthcare providers and end users can be challenging. For example, the device may be updated frequently, and after each update the SBOM also needs to be updated and redistributed so that end users have the latest information.
There is no single SBOM for one product: HCPs may have the same device in different versions, so MDMs need to make sure that SBOMs for the different versions exist and are distributed to the right users.
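The version-matching problem in Challenge 4, as an added example that is not part of the original page: it pairs each HCP's installed release with the latest SBOM revision for that exact release and lists releases that have no SBOM. It assumes CycloneDX-style JSON (`serialNumber`, `version` as the BOM revision, `metadata.component`); the product name, sites, serial numbers and function names are constructed for illustration.

```python
# Constructed sample data; product name, sites and serial numbers are made up.
PUMP_200 = "urn:uuid:11111111-1111-4111-8111-111111111111"
PUMP_210 = "urn:uuid:22222222-2222-4222-8222-222222222222"

def sbom(serial, revision, release):
    """Build a CycloneDX-style SBOM trimmed to the fields this example reads."""
    return {"bomFormat": "CycloneDX", "serialNumber": serial, "version": revision,
            "metadata": {"component": {"name": "infusion-pump-fw", "version": release}}}

SBOMS = [
    sbom(PUMP_200, 1, "2.0.0"),
    sbom(PUMP_200, 2, "2.0.0"),  # reissued SBOM for the same device release
    sbom(PUMP_210, 1, "2.1.0"),
]

# (HCP site, product, installed release): the MDM's install-base record.
INVENTORY = [
    ("hospital-a", "infusion-pump-fw", "2.0.0"),
    ("hospital-b", "infusion-pump-fw", "2.1.0"),
    ("hospital-c", "infusion-pump-fw", "1.9.0"),  # legacy release, no SBOM yet
]

def index_sboms(sboms):
    """Map (product, release) to the highest SBOM revision issued for it."""
    index = {}
    for bom in sboms:
        comp = bom["metadata"]["component"]
        key = (comp["name"], comp["version"])
        if key not in index or bom["version"] > index[key]["version"]:
            index[key] = bom
    return index

def plan_distribution(sboms, inventory):
    """Return (deliveries, missing) for the given install base."""
    index = index_sboms(sboms)
    deliveries, missing = [], []
    for site, product, release in inventory:
        bom = index.get((product, release))
        if bom is None:
            missing.append((site, product, release))  # gap: nothing to send
        else:
            deliveries.append((site, product, release,
                               bom["serialNumber"], bom["version"]))
    return deliveries, missing

if __name__ == "__main__":
    sent, gaps = plan_distribution(SBOMS, INVENTORY)
    print("deliver:", sent)
    print("no SBOM:", gaps)
```

The `missing` list is also where Challenge 1 surfaces: a legacy release still in the field for which no SBOM has been generated.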