Healthcare Use Case

During a Proof of Concept, three different hospitals and healthcare providers assessed the use of a Software Bill of Materials (SBOM). The following is a short summary of its main achievements and added value, including key learnings.

Key Benefit 1 : Procurement

Three Healthcare Delivery Organisations (HDOs) were able to successfully ingest the SPDX SBOM into their respective SIEM solutions, immediately making the data searchable for manual identification of security vulnerabilities across a fleet of products. This data could also be converted into a human-readable, tabular format.

Multiple HDOs are now collaborating with vendors/partners to explore direct ingestion into medical device asset/risk management solutions as part of device procurement.

Healthcare Vendor Risk Management (VRM) solutions are being integrated.

"How-To Guides" focusing on how to properly parse out the Packages fields using regular expressions (regex) have been developed by the hospitals to make the data easier for them to handle. The recommended regex also takes into consideration some of the slight differences between SBOM SPDX schemas.
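As an added illustration of the kind of regex-based parsing the guides describe (this is example code written for this summary, not the hospitals' own guides or tooling, and the SPDX document it parses is constructed), the block below extracts the Packages fields from an SPDX tag-value SBOM into flat rows and renders them as CSV. The regexes are deliberately tolerant of the small differences seen between generators: optional whitespace around the colon, CRLF line endings, tag-name case, missing optional fields, and both the hyphen and underscore spellings of the PACKAGE-MANAGER external-reference category. The column set (name, SPDX ID, version, supplier, CPE, purl) is an assumption about what a SIEM lookup table would need, not a requirement from the page.

```python
import csv
import io
import re

# Constructed sample: an SPDX 2.2 tag-value SBOM for a fictional device. It mixes
# spacing around colons, uses CRLF line endings, has one package with no version,
# and uses both spellings of the PACKAGE-MANAGER external-ref category.
SAMPLE_SPDX = (
    "SPDXVersion: SPDX-2.2\r\n"
    "DataLicense: CC0-1.0\r\n"
    "SPDXID: SPDXRef-DOCUMENT\r\n"
    "DocumentName: example-infusion-pump-fw\r\n"
    "\r\n"
    "##### Package: openssl\r\n"
    "PackageName: openssl\r\n"
    "SPDXID: SPDXRef-Package-openssl\r\n"
    "PackageVersion: 1.1.1k\r\n"
    "PackageSupplier: Organization: OpenSSL Project\r\n"
    "PackageDownloadLocation: NOASSERTION\r\n"
    "ExternalRef: SECURITY cpe23Type cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*\r\n"
    "ExternalRef: PACKAGE-MANAGER purl pkg:generic/openssl@1.1.1k\r\n"
    "\r\n"
    "PackageName : busybox\r\n"
    "SPDXID : SPDXRef-Package-busybox\r\n"
    "PackageVersion : 1.31.1\r\n"
    "PackageSupplier : NOASSERTION\r\n"
    "ExternalRef : PACKAGE_MANAGER purl pkg:generic/busybox@1.31.1\r\n"
    "\r\n"
    "PackageName: vendor-ui\r\n"
    "SPDXID: SPDXRef-Package-vendor-ui\r\n"
    "PackageSupplier: Organization: Example Devices Inc.\r\n"
)

# One regex for any "Tag: value" line. Whitespace around the colon is optional and
# the tag is compared case-insensitively below, which absorbs generator differences.
TAG_VALUE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s*:\s*(.*?)\s*$")

# ExternalRef value is "<category> <type> <locator>". The category may be spelled
# with a hyphen or an underscore depending on the SPDX 2.x generator.
EXTERNAL_REF = re.compile(r"^(?P<category>[A-Z_-]+)\s+(?P<type>\S+)\s+(?P<locator>\S+)$")

COLUMNS = ["name", "spdx_id", "version", "supplier", "cpe", "purl"]


def parse_packages(text):
    """Return one flat dict per SPDX package found in tag-value text.

    A new package starts at each PackageName line; tags that appear before the
    first PackageName belong to the document header and are skipped.
    """
    packages = []
    current = None
    for raw in text.splitlines():
        m = TAG_VALUE.match(raw)
        if not m:
            continue  # comment lines such as "##### Package: ..." or blank lines
        tag, value = m.group(1).lower(), m.group(2)
        if tag == "packagename":
            current = {column: "" for column in COLUMNS}
            current["name"] = value
            packages.append(current)
        elif current is None:
            continue  # still inside the document header
        elif tag == "spdxid":
            current["spdx_id"] = value
        elif tag == "packageversion":
            current["version"] = value
        elif tag == "packagesupplier":
            # Drop the "Organization:"/"Person:" prefix so the column holds a plain name.
            current["supplier"] = re.sub(r"^(Organization|Person)\s*:\s*", "", value)
        elif tag == "externalref":
            ref = EXTERNAL_REF.match(value)
            if not ref:
                continue  # malformed reference: leave the column empty rather than guess
            ref_type = ref.group("type").lower()
            if ref_type == "cpe23type":
                current["cpe"] = ref.group("locator")
            elif ref_type == "purl":
                current["purl"] = ref.group("locator")
    return packages


def to_csv(packages):
    """Render parsed packages as CSV text for a spreadsheet or a SIEM lookup table."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(packages)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_packages(SAMPLE_SPDX)))
```

Packages without a CPE or purl come out with those columns empty, which is exactly where the naming problem noted in the next paragraph shows up: a bare name such as "vendor-ui" cannot be correlated to an external vulnerability source without further normalisation.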

Cursory analysis shows that software component naming still presents an issue when correlating the parsed information with external resources.

Health organisations continue to explore automated correlation to authoritative vulnerability data upon procurement.

Key Benefit 2 : Asset Management

Healthcare Organisations have begun configuring their respective Configuration Management Database (CMDB) platforms to allow software component assets as children under the parent asset entries. This use case explores not only initial entry but also management of the device over time, using methods such as API import/update with the parsed data from the SIEM ingestion.

Different Healthcare Organisations are collaborating with vendors/partners to manage devices in medical device asset/risk management solutions through the life of the device, by allowing for periodic updates and an audit trail.
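The two paragraphs above describe a parent device asset with software components as child entries that are refreshed from each new SBOM and tracked in an audit trail. The following added example (written for this summary; it is not any hospital's CMDB integration or a vendor API, and the component lists are constructed) models that in memory: a device asset holds its child components keyed by a stable identifier, and a reconcile step applied to a newly parsed SBOM updates the children and records which components were added, removed or changed version. A real integration would replace the in-memory dict with the CMDB's API calls; keying on the purl with the version stripped is an assumption chosen so that a version bump is recorded as a change rather than as a remove plus an add.

```python
from dataclasses import dataclass, field


@dataclass
class Component:
    """One software component as parsed from an SBOM (constructed for the example)."""
    name: str
    version: str
    purl: str = ""


@dataclass
class DeviceAsset:
    """Parent CMDB entry for a device; children are the software component assets."""
    asset_id: str
    children: dict = field(default_factory=dict)   # component key -> Component
    audit_log: list = field(default_factory=list)  # chronological audit events


def component_key(component):
    # Prefer the purl without its version so the same package keeps one child entry
    # across upgrades; fall back to the lower-cased name when no purl is available.
    if component.purl:
        return component.purl.split("@", 1)[0]
    return component.name.lower()


def reconcile(device, sbom_components, observed_at):
    """Apply a newly parsed SBOM to the device's child assets; return the audit events."""
    incoming = {component_key(c): c for c in sbom_components}
    events = []
    for key, new in incoming.items():
        old = device.children.get(key)
        if old is None:
            events.append({"when": observed_at, "asset": device.asset_id,
                           "action": "added", "component": key, "to": new.version})
        elif old.version != new.version:
            events.append({"when": observed_at, "asset": device.asset_id,
                           "action": "version_changed", "component": key,
                           "from": old.version, "to": new.version})
        device.children[key] = new
    for key in list(device.children):
        if key not in incoming:
            events.append({"when": observed_at, "asset": device.asset_id,
                           "action": "removed", "component": key,
                           "from": device.children[key].version})
            del device.children[key]
    device.audit_log.extend(events)
    return events


def run_example():
    """Two SBOM deliveries for one device: initial procurement, then a firmware update."""
    device = DeviceAsset(asset_id="PUMP-0001")  # constructed asset identifier
    initial = [
        Component("openssl", "1.1.1k", "pkg:generic/openssl@1.1.1k"),
        Component("busybox", "1.31.1", "pkg:generic/busybox@1.31.1"),
    ]
    updated = [
        Component("openssl", "1.1.1n", "pkg:generic/openssl@1.1.1n"),
        Component("zlib", "1.2.12", "pkg:generic/zlib@1.2.12"),
    ]
    first = reconcile(device, initial, "2021-06-01T00:00:00Z")
    second = reconcile(device, updated, "2022-03-15T00:00:00Z")
    return device, first, second


if __name__ == "__main__":
    dev, _, _ = run_example()
    for event in dev.audit_log:
        print(event)
```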
More information on some of the use cases in the healthcare sector can be found in the (draft) Healthcare Sector report published by NTIA.