November 22, 2022

What Is a Medical Device Software Bill of Materials (SBOM)?

Despite TV shows depicting dramatic attacks on patient pacemakers and insulin pumps, those cases are thankfully uncommon. Kevin Fu, former acting director of medical device cybersecurity at the FDA Center for Devices and Radiological Health (CDRH), noted in an interview that “The greatest cybersecurity risk today is unavailability, because a medical device unavailable to deliver patient care is not safe and effective.” That makes total sense. Ransomware hacks that target and disable or disrupt access to an entire class of medical devices are the real threat today, and that problem will only get worse as software gets more out of date and more connected to the internet.

Many legacy medical devices used in hospitals and labs are sitting ducks unaware that hunting season is in full swing. Thousands of these devices ‒ often connected to hospital networks via wi-fi, Bluetooth, or ethernet cables ‒ contain outdated hardware, drivers, software, and protocols that make them easy targets for hackers looking to exploit vulnerabilities. Often, the intent of hackers, albeit nefarious, is not to inflict physical harm on patients but to extract money from hospitals that can afford to pay and don’t want the press getting wind of the fact that their moat has been breached.

SBOM: A System of Tracking Software Used in Medical Devices

The software and hardware that make up today’s connected devices are often developed by a potpourri of programmers and development firms. While larger medical device manufacturers have a deep pool of software and cybersecurity engineering talent on staff, that’s not typically true for smaller medical device companies that rely on the programming prowess of third-party software developers whom they hope did a good job protecting their devices from intrusion. That software might be a mix of open-source, licensed, and custom-code developed by several firms and that’s where the software bill of materials (SBOM) comes into play.

The SBOM is a standardized listing of all software components included in a medical device, and it can be a powerful way to mitigate the damage caused by cybersecurity intrusions. The SBOM ‒ also referred to as a cybersecurity bill of materials (CBOM) ‒ is much more than a paper record of components. It can be used in concert with a software analysis tool to automatically scan for open-source software vulnerabilities and versions. The general idea is that manufacturers need to be ready to patch and update software quickly as vulnerabilities are discovered instead of operating in “firefighting” mode. A complete SBOM for each component should include:

Component name
Version
Software manufacturer
Level of support provided by software manufacturer
End-of-support date
Any known vulnerabilities

Examples of information that should be included in an SBOM can be found in Appendix G (page 43) of the Medical Device and Health IT Joint Security Plan.

The PATCH Act

The importance of cybersecurity has reached the highest levels of government. As of late 2023, US Congress was still considering the Protecting and Transforming Health Care Act (PATCH Act). If passed and signed by the president, it would mandate the following “The manufacturer shall furnish to the Secretary a software bill of materials, including commercial, open-sourced, and off-the-shelf software components that will be provided to users.”

Furthermore, in accordance with the PATCH Act, the CDRH would have the power to deny issuance of a 510(k) if the manufacturer has not taken adequate steps to ensure cybersecurity. The proposed act reads:

In making a determination of substantial equivalence under section 513(i) for a cyber device, the Secretary may: (1) find that cybersecurity information for the cyber device described in the relevant premarket submission in the cyber device’s use environment is inadequate; and (2) issue a nonsubstantial equivalence determination based on this finding.

While the proposed mandate for SBOMs may seem like another compliance hurdle, it should instead be embraced as a collective effort by government and industry to make devices more resilient to threats. A software bill of materials helps risk management efforts by identifying devices that contain software that might be susceptible to cybersecurity threats.

FDA Cybersecurity Guidance

The increasing cybersecurity risks to medical device manufacturers can be attributed to a variety of factors, including the blissful ignorance of manufacturers who “don’t know what they don’t know.” Fortunately, FDA is not naive to the threats posed by hackers and has released a flurry of cybersecurity and software documents recently. In fact, the first guidance document below recommends (i.e., you’d be foolish not to do so) that you make SBOMs part of your software development efforts and part of your design history file and design master record documentation.

Here are some relevant FDA documents to download:

Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions (September 2023)
Best Practices for Communicating Cybersecurity Vulnerabilities to Patients (October 2021)
Strengthening Cybersecurity Practices Associated with Servicing of Medical Devices (August 2021)
Off-The-Shelf Software Use in Medical Devices (September 2019)
Postmarket Management of Cybersecurity in Medical Devices (December 2016)

In addition, FDA sponsored a report published by MITRE and the Medical Device Innovation Consortium (MDIC) titled, “Playbook for Threat Modeling Medical Devices,” which was released in late 2021. While the 91-page document does not discuss software bill of materials, it provides valuable examples and insights on how to do cybersecurity threat modeling.

What’s Next for Medical Device Cybersecurity?

Nobody knows and that’s the point. New threats will always be concocted by hackers who have the skills needed to find vulnerabilities and exploit them. What they don’t have is an infinite amount of time to break in so they’re always looking for the old car with easy-to-pick locks. Diligent manufacturers who make it harder to penetrate their software are more likely to be skipped over by lazy hackers searching for easy targets. Until someone comes up with a cybersecurity crystal ball, the bill of materials will be yet another weapon well-prepared manufacturers can use to reduce the chances of a disastrous intrusion.

Want to Learn More?

There’s certainly more to learn and we’ve got you covered. Oriel STAT A MATRIX offers training on medical device cybersecurity regulations and standards along with a variety of other software classes geared specifically toward medical device regulatory compliance. Need more customized support? Our team can also fully assist with FDA and EU compliance issues.