How Do SBOMs Impact Medical Device Cybersecurity?

By Zac Amos, Features Editor, ReHack

Cyberattacks on medical devices pose uniquely dangerous threats: they cause data loss, trigger malfunctions and put lives at risk. A software bill of materials is an important requirement that reduces these risks.

What Is a Software Bill of Materials?

A software bill of materials (SBOM) is a comprehensive inventory of components and dependencies. These documents typically contain component-related details, including:

  • Suppliers
  • Versions
  • Names
  • Licenses

They also differentiate between proprietary and open-source aspects. The licensing specifics encompass rights for usage, modification and distribution.

SBOMs list dependencies to illustrate the interdependence of various components for expected functionality. That information could help people assess the likely impacts of cyberattacks once they identify the root causes.

These documents also contain administrative details, such as authors and the date of the most recent update. That information creates accountability and ensures relevance.

Experts suggest treating SBOMs as living documents and defining how updates must occur. Additionally, IT decision-makers assessing the content before recommending whether to use medical devices should recognize the possibilities of information gaps and inaccuracies.
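As an added illustration (not code from the article or from any device vendor), here is a constructed minimal SBOM record carrying the fields the article lists, together with three checks a reviewing IT team might run: flag incomplete entries, trace which components depend on one suspected of being vulnerable, and test whether the last update falls within the organization's refresh policy. Key names loosely follow the CycloneDX JSON layout, which the article does not name; the product and component names are invented.

```python
from datetime import datetime

# Constructed sample SBOM for a hypothetical pump controller (not a real product);
# key names loosely follow the CycloneDX JSON layout, which the article does not name.
SBOM = {
    "metadata": {"timestamp": "2024-05-01T00:00:00+00:00",
                 "authors": [{"name": "Example Device Co. product security team"}]},
    "components": [
        {"bom-ref": "pump-app", "name": "pump-app", "version": "3.1.0", "supplier": {"name": "Example Device Co."}, "licenses": [{"license": {"id": "LicenseRef-Proprietary"}}]},
        {"bom-ref": "tls-lib", "name": "tls-lib", "version": "1.2.5", "supplier": {"name": "Open Example Project"}, "licenses": [{"license": {"id": "Apache-2.0"}}]},
        # Deliberately incomplete entry: the kind of information gap a reviewer must flag.
        {"bom-ref": "json-parser", "name": "json-parser", "version": "", "supplier": {}, "licenses": []},
        {"bom-ref": "rtos", "name": "rtos", "version": "10.4", "supplier": {"name": "RTOS Vendor"}, "licenses": [{"license": {"id": "MIT"}}]},
    ],
    "dependencies": [
        {"ref": "pump-app", "dependsOn": ["tls-lib", "json-parser"]},
        {"ref": "tls-lib", "dependsOn": ["rtos"]},
        {"ref": "json-parser", "dependsOn": ["rtos"]},
    ],
}
REQUIRED_FIELDS = ("name", "version", "supplier", "licenses")

def find_gaps(sbom):
    """Map each bom-ref that has empty required fields to the list of missing fields."""
    gaps = {}
    for comp in sbom["components"]:
        missing = [f for f in REQUIRED_FIELDS if not comp.get(f)]
        if missing:
            gaps[comp["bom-ref"]] = missing
    return gaps

def dependents_of(sbom, ref):
    """Every component that directly or transitively depends on `ref` (the blast radius if `ref` is vulnerable)."""
    reverse = {}  # child -> set of parents that depend on it
    for dep in sbom["dependencies"]:
        for child in dep.get("dependsOn", []):
            reverse.setdefault(child, set()).add(dep["ref"])
    affected, stack = set(), [ref]
    while stack:
        for parent in reverse.get(stack.pop(), ()):
            if parent not in affected:
                affected.add(parent)
                stack.append(parent)
    return affected

def is_stale(sbom, today_iso, max_age_days=90):
    """True when the document's last-update timestamp is older than the refresh policy allows."""
    updated = datetime.fromisoformat(sbom["metadata"]["timestamp"])
    return (datetime.fromisoformat(today_iso) - updated).days > max_age_days
```

On this sample, `find_gaps` reports the parser entry, `dependents_of(SBOM, "rtos")` returns all three components built on it, and a 90-day policy marks the document stale by September 2024.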

How Do SBOMs Affect Medical Device Cybersecurity?

SBOMs support proactive cybersecurity postures by highlighting potential vulnerabilities and giving professionals time to patch them before hackers exploit them. Similarly, their content closes the stakeholder-awareness gaps that let cybercriminals wreak more havoc after finding entry points.

Doctors working for organizations where administrators examine SBOMs during the medical device selection process may feel more confident in recommending specific products to patients. Health care tests and treatments cost billions each year in the United States. However, some wearables give real-time wellness statistics and could reduce unnecessary interventions.

Does the FDA Require SBOMs for Medical Devices?

The Food and Drug Administration mandates SBOMs under the Omnibus Act, which was made law on December 22, 2022. A specific section concerns medical device cybersecurity and amends the Federal Food, Drug and Cosmetic Act. The portion relevant to SBOMs requires manufacturers to create documents listing the products’ commercial, off-the-shelf and open-source components.

Moreover, a proposed FDA update concerns premarket submissions and assesses whether submitted devices have appropriate defenses against potential cyberattacks. It requires that manufacturers take a secure-by-design approach and accompany their SBOMs with vulnerability and unresolved anomaly assessments. The regulator established a public comment period for those changes, which closed on May 14, 2024.

How Do SBOMs Impact Health Care Organizations’ Cybersecurity?

Modern hospitals and similar facilities use thousands of connected medical devices to achieve patient care goals. However, IT teams know this proliferation expands attack surfaces, allowing criminals to compromise networks, threaten lives and disrupt critical operations more easily.

A 2023 analysis also suggested cyber intruders view health care sites as increasingly attractive targets. It identified 46 ransomware attacks on hospital systems, directly affecting at least 141 locations. There were 25 such incidents during the previous year, confirming perpetrators have ramped up their efforts.

Elsewhere, a 2025 study of over 600 health executives in the United States, the United Kingdom and Germany revealed these leaders increasingly face pressures linked to device security. The results showed that 78% consider SBOMs essential or important to their procurement choices.

Additionally, 46% have declined purchases due to cybersecurity concerns. Despite precautions, 22% of organizations experienced cyberattacks directly impacting medical devices. Three-quarters of those attacks affected care, and 24% required moving patients to other facilities.

Providing up-to-date SBOMs when responding to proposal requests gives manufacturers a competitive edge in a challenging market. These documents highlight a cybersecurity emphasis and improve visibility. The information within supports leaders in making well-informed choices.

Securing Critical Medical Devices

Connected products in health care settings enhance monitoring, improve diagnostics and boost positive outcomes. However, carefully planned cyberattacks steal personal data, eliminate access to vital systems and risk lives.

Proactive IT departments should view SBOMs as important for reducing threats through improved visibility. Referring to them before implementing security patches or infrastructural updates can minimize negative consequences. Additionally, these documents streamline procurement, helping leaders assess issues and their potential impacts on organizations. All connected products carry some cyber risk. However, heightened awareness improves preparedness.