How Medical Device 'Ingredient Labels' Could Bolster SecurityRob Suárez, CISO of Becton Dickinson, on Security Risk 'Transparency'
Among the simplest things vendors can do to help improve the cybersecurity of their products is to provide better transparency, especially regarding the third-party components contained in their technology, says Rob Suárez, CISO of medical device maker Becton Dickinson and Co., or BD.
"Customers need transparency in the ingredients - what software components exist in the technology they're using and the ways that they can reduce and address these risks," he says in an interview with Information Security Media Group.
"That way we enable customers - healthcare systems and maybe even patients, if you have a direct-to-consumer technology - to manage cybersecurity of these medical devices. It is like the nutritional label on the side of your cereal box."
Software bills of materials, or SBOMs, are a critical topic that needs "more attention and action" by healthcare technology providers, Suárez says.
"I think there is a significant opportunity automating [SBOMs] - producing them in an automated … and consumable way for healthcare systems that have to manage thousands and thousands of medical technologies across thousands and thousands of vendors in their environments, with incredible complexity."
BD currently provides white papers that list third-party components across the company's product portfolio of software-enable medical technologies, according to Suárez.
"Automating SBOMs is certainly something BD is pursuing to help address the security risks of legacy [and] current devices. I hope to see the day when a software bill of materials is a common practice across all types of technology," he says.
In the interview (see audio link below photo), Suárez also discusses:
- Other steps BD is taking - including use of a framework - to bolster the cybersecurity of the company's new products under development, as well as legacy devices;
- Worrisome trends involving ransomware attacks on healthcare sector entities;
- Highlights from BD's recent 2021 Cybersecurity Annual Report.
Suárez serves as CISO at BD, overseeing cybersecurity across the company’s enterprise, IT and manufacturing systems. He also chairs the cybersecurity steering committee for the Medical Device Innovation Consortium and the cybersecurity working group for the Advanced Medical Technology Association.