[International paper] Building resilient medical technology supply chains with a software bill of materials

npj Digital Medicine, vol. 4, no. 1, 2021, pp. 34-

Carmody, Seth (MedCrypt, San Diego, CA, USA); Coravos, Andrea (Elektra Labs, Inc, San Francisco, CA, USA); Fahs, Ginny (Aspen Institute Tech Policy Hub, San Francisco, CA, USA); Hatch, Audra (I Am The Cavalry, Washington, DC, USA); Medina, Janine (Biohacking Village, Las Vegas, NV, USA); Woods, Beau (Biohacking Village, Las Vegas, NV, USA); Corman, Joshua (Pennsylvania State University Policy Innovation Lab of Tomorrow (PILOT), State College, PA, USA)

Abstract

An exploited vulnerability in a single software component of healthcare technology can affect patient care. The risk of including third-party software components in healthcare technologies can be managed, in part, by leveraging a software bill of materials (SBOM). Analogous to an ingredients list on...
