CBOM & SBOM in MedTech Cybersecurity

CBOM and SBOM in Medical Device Cybersecurity

Update April 16, 2025

In the intricate world of medical device cybersecurity, there’s a growing focus on two critical elements: the Cybersecurity Bill of Materials (CBOM) and the Software Bill of Materials (SBOM). Though technical in nature, these components play a pivotal role in ensuring the safety and efficacy of medical devices. As we navigate the nuances of these terms, understanding their interrelation and significance becomes vital, especially in light of the stringent requirements set forth by the U.S. Food and Drug Administration (FDA). This exploration aims to shed light on these concepts, offering clarity and insight into their roles in fortifying medical device cybersecurity.

Unraveling the SBOM: The Foundation of Device Security

What is an SBOM?

At its core, an SBOM is a detailed inventory. It lists every software component in a medical device, from the operating system to the smallest library or module. It’s akin to a chef meticulously listing every ingredient in a recipe, ensuring nothing is overlooked. This includes:

  • Operating systems
  • Commercial software
  • Open-source components
  • Internal custom-developed software

Why the SBOM is Critical

  • Vulnerability Management: The healthcare sector is increasingly targeted by cyber threats. An SBOM allows manufacturers and healthcare providers to quickly identify if they use software containing known vulnerabilities, thereby facilitating timely remedial action.
  • Software Transparency: It offers a transparent view of what’s inside a device’s software. This is crucial for trust and assurance, particularly in devices critical to patient health and safety.
  • Regulatory Compliance: Regulatory bodies, like the FDA, increasingly recognize the importance of SBOMs. They are moving towards making SBOMs a standard requirement, pushing for greater transparency in the software supply chain.
  • Life Cycle Management: A medical device’s life doesn’t end at sale. SBOMs are key in maintaining and managing the device, particularly in patching software and updating systems.

Challenges and Considerations in Creating an SBOM

Creating and maintaining an accurate SBOM for medical devices is essential—but it comes with several nuanced challenges that organizations must address:

Component Complexity

Modern medical devices rely on thousands of software components, including open-source libraries, third-party modules, and proprietary code. Cataloging these components and their versioning, licensing, and dependencies is a highly detailed and resource-intensive task. The complexity increases when integrating legacy systems or components with opaque supply chains.

Continuous Change and Lifecycle Management

Software environments are constantly evolving. Components are regularly patched, upgraded, or deprecated, which means an SBOM must be treated as a living document. Maintaining SBOM accuracy requires robust processes for real-time updates, integration with CI/CD pipelines, and alignment with ongoing software maintenance and postmarket surveillance activities.

Security Perception vs. Practical Transparency

While SBOMs are meant to enhance transparency and vulnerability management, some organizations mistakenly fear that sharing them might expose sensitive intellectual property or give attackers an advantage. In reality, a well-structured SBOM includes non-sensitive metadata—such as component names, versions, and sources—not proprietary algorithms or source code. The key challenge is educating stakeholders on the true value and safe sharing practices of SBOMs, especially when balancing regulatory disclosure with internal security policies.

    Real-World Example: SBOM in Action for Smart Infusion Pumps

    Imagine a hospital deploying a network of smart infusion pumps across its intensive care units. Each pump runs on proprietary software, third-party modules, open-source libraries, and an embedded operating system—all documented in its SBOM.

    An SBOM for each pump would include critical details such as:

    • The embedded operating system (e.g., Linux kernel version)
    • Encryption libraries used to protect patient data during transmission (e.g., OpenSSL)
    • Network communication stacks responsible for connecting to electronic health records (EHR) or hospital monitoring systems
    • Any third-party drivers or firmware required for the device’s functionality

    Now, imagine a new vulnerability is disclosed in a specific version of OpenSSL. Thanks to the SBOM, the hospital’s cybersecurity team can immediately search its asset inventory to identify which infusion pumps include the affected version. This enables:

    • Rapid identification of impacted devices
    • Prioritization of patching or mitigation efforts
    • Communication with the manufacturer for verified updates or workarounds
    • Compliance documentation showing proactive vulnerability management, aligning with FDA postmarket cybersecurity guidance

    Without an SBOM, this process would involve manual audits, guesswork, and potentially dangerous delays. With it, the hospital significantly reduces the time to detect and respond, protecting patient safety and operational continuity.
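The fleet-wide lookup described above, as an added example that is not code from the original post or from Blue Goat Cyber: the device identifiers, the trimmed CycloneDX-style SBOM fragments and the advisory's affected version range are all constructed for illustration. The version comparison handles OpenSSL-style letter suffixes, and a component whose SBOM entry lacks a version is reported separately rather than silently cleared.

```python
import re

# Constructed SBOM fragments for four infusion pumps (CycloneDX JSON shape, trimmed).
PUMP_SBOMS = {
    "ICU-PUMP-01": {"bomFormat": "CycloneDX", "components": [
        {"type": "operating-system", "name": "linux", "version": "5.10.120"},
        {"type": "library", "name": "openssl", "version": "1.1.1k"},
    ]},
    "ICU-PUMP-02": {"bomFormat": "CycloneDX", "components": [
        {"type": "operating-system", "name": "linux", "version": "6.1.55"},
        {"type": "library", "name": "OpenSSL", "version": "3.0.13"},
    ]},
    "ICU-PUMP-03": {"bomFormat": "CycloneDX", "components": [
        {"type": "operating-system", "name": "linux", "version": "4.19.200"},
        {"type": "library", "name": "openssl", "version": "1.1.1g"},
        {"type": "library", "name": "zlib", "version": "1.2.11"},
    ]},
    # A vendor-supplied SBOM that names the library but omits its version.
    "ICU-PUMP-04": {"bomFormat": "CycloneDX", "components": [
        {"type": "library", "name": "openssl"},
    ]},
}

# Constructed advisory: versions >= "introduced" and < "fixed" are affected.
ADVISORY = {"component": "openssl", "introduced": "1.1.1", "fixed": "1.1.1t"}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]*)$")


def version_key(version):
    """Sortable key for dotted versions with an optional OpenSSL-style letter suffix."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)


def is_affected(version, advisory):
    """True when version falls inside the advisory's half-open [introduced, fixed) range."""
    key = version_key(version)
    return version_key(advisory["introduced"]) <= key < version_key(advisory["fixed"])


def affected_devices(sboms, advisory):
    """Group devices by whether their SBOM lists an affected version of the component.

    A component that matches by name but has no parseable version cannot be cleared,
    so it is reported separately for follow-up with the manufacturer.
    """
    target = advisory["component"].lower()
    result = {"affected": [], "unknown_version": []}
    for device_id, sbom in sboms.items():
        for comp in sbom.get("components", []):
            # Match on the normalised name; production tooling should key on purl or CPE.
            if comp.get("name", "").lower() != target:
                continue
            try:
                hit = is_affected(comp.get("version", ""), advisory)
            except ValueError:
                result["unknown_version"].append(device_id)
                continue
            if hit:
                result["affected"].append((device_id, comp["version"]))
    result["affected"].sort()
    result["unknown_version"].sort()
    return result


if __name__ == "__main__":
    for group, devices in affected_devices(PUMP_SBOMS, ADVISORY).items():
        print(f"{group}: {devices}")
```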

    Statistical Backdrop

    According to a 2023 report by Armis, a leading asset visibility and security company, 27% of infusion pumps—essential devices for delivering fluids to patients—have at least one unpatched critical vulnerability. Additionally, 30% of these devices possess other unpatched vulnerabilities. These figures highlight the significant security risks of connected medical devices in clinical environments.

    This data emphasizes the importance of maintaining an up-to-date and comprehensive SBOM. An SBOM enables healthcare organizations to quickly identify and address vulnerabilities in their medical devices, ensuring timely patching and mitigation efforts to protect patient safety and maintain operational integrity.

    SBOMs provide a detailed inventory of every software component in a medical device, including versions, sources, and dependency relationships. When new vulnerabilities are disclosed—whether in an operating system, encryption library, or communication protocol—the SBOM allows manufacturers, healthcare providers, and security teams to:

    • Quickly identify affected devices
    • Assess the scope and severity of exposure
    • Implement targeted patching or mitigation strategies
    • Coordinate efficiently with vendors and supply chain partners
    • Demonstrate proactive risk management to regulators like the FDA

    Without an SBOM, organizations are left to manually audit devices, which is time-consuming, error-prone, and often too slow to keep up with fast-moving threats. As healthcare environments become more connected, SBOMs are foundational in vulnerability management, regulatory compliance, and patient safety.

    SBOM Thoughts

    An SBOM is not just a list; it’s a crucial tool in the cybersecurity arsenal for medical devices. It enables proactive vulnerability management, ensures regulatory compliance, aids in lifecycle management, and upholds the safety and trust in medical technology. As we navigate the complexities of medical device security, the role of the SBOM will only grow in significance, making it an indispensable component in the quest for a secure and resilient healthcare ecosystem.

    The Rise of the CBOM: Beyond Software

    As we delve deeper into the cybersecurity landscape of medical devices, the emergence of the Cybersecurity Bill of Materials (CBOM) becomes increasingly prominent. While the SBOM focuses on software elements, the CBOM expands this view, offering a more comprehensive lens through which we can understand and secure our medical devices. But what exactly is a CBOM, and why is it rising in importance?

    Understanding the CBOM

    A CBOM essentially extends the SBOM concept. It goes beyond just software components to encompass all elements related to cybersecurity within a medical device. This includes:

    • Hardware components: From chips and processors to sensors and network interfaces.
    • Firmware: The semi-permanent software programmed into the hardware.
    • External dependencies: Cloud services, external data sources, or third-party services.
    • Network architecture: Details about how the device connects and communicates within a network.
    • Data flows: How data is transmitted, stored, and processed within the device ecosystem.

    Why the Cybersecurity Bill of Materials (CBOM) is Gaining Traction

    As medical devices become more connected and complex, the traditional SBOM is evolving into something more comprehensive—the CBOM. A CBOM extends beyond software, offering a full-spectrum view of all digital, firmware, and communication elements that influence a device’s cybersecurity posture. Here’s why the CBOM is emerging as a critical asset in the industry:

    Holistic Security View

    A CBOM provides a top-down, system-wide view of a medical device’s digital architecture. It doesn’t just list software components—it maps out firmware, communication protocols, runtime environments, and dependencies that influence how the device functions and interfaces with other systems. This bird’s-eye perspective enables cybersecurity and engineering teams to understand not just what the device is made of, but how those components interact and create potential security risks.

    Supply Chain Transparency

    Modern medical devices often depend on a global and multi-tiered supply chain, incorporating components from various vendors and third-party developers. A CBOM offers visibility into the origin and integrity of each component, making it easier to assess and mitigate risks associated with inherited vulnerabilities, compromised components, or lack of vendor support. In an era of rising supply chain attacks, this transparency is critical for both prevention and accountability.

    Regulatory Adherence

Regulators and regulatory frameworks such as the FDA, the EU MDR, and other global agencies increasingly emphasize comprehensive cybersecurity documentation. A CBOM aligns with these expectations by demonstrating that a manufacturer understands their device’s cybersecurity surface area. As guidance like the FDA’s Premarket Cybersecurity Guidance becomes more detailed, the CBOM is a foundational artifact to show preparedness, due diligence, and compliance.

    Risk Management and Incident Response

    A CBOM allows for fast, accurate, and targeted response in a cybersecurity incident. By detailing all components—software, firmware, and interfaces—a CBOM enables teams to:

    • Quickly identify vulnerable elements
    • Assess interdependencies
    • Prioritize remediation efforts
    • Communicate effectively with stakeholders and regulators

    This proactive visibility turns a reactive scramble into a structured and informed response, helping reduce downtime, preserve patient safety, and protect brand integrity.

    CBOM in Practice: A Real-World Scenario

    Consider a smart insulin pump—a connected medical device designed to automatically deliver insulin doses and transmit patient data to cloud-based monitoring systems. Like many modern devices, it comprises hardware components, embedded software, wireless communication protocols, and third-party integrations.

    A CBOM for this device would provide a comprehensive inventory of all its digital and physical elements. This includes:

    • The Bluetooth Low Energy (BLE) module used for wireless connectivity with mobile apps or clinician systems
    • The firmware version running on the device’s microcontroller
    • Encryption libraries securing patient data during transmission
    • The API endpoints and cloud infrastructure used to store and sync patient health information
    • Open-source or third-party libraries embedded in the device’s control software

    Now, imagine that a critical vulnerability is discovered in the Bluetooth protocol—perhaps a flaw that allows unauthorized access to nearby devices without user interaction. Without a CBOM, identifying whether this insulin pump uses the affected version would require a time-consuming, manual audit of technical documentation or even device firmware.

    With a CBOM in place, the manufacturer or healthcare provider can:

    • Immediately verify whether the vulnerable Bluetooth stack is present
    • Understand how it connects to other components, such as patient apps or cloud systems
    • Assess the potential impact on patient safety, data integrity, and compliance obligations
    • Initiate a targeted mitigation strategy, which could include issuing a firmware patch, disabling certain features temporarily, or notifying affected users
    • Provide regulators with a clear, documented cybersecurity response plan

    This rapid, informed response minimizes risk to patient safety, regulatory exposure, and reputation—demonstrating the real-world value of CBOMs in today’s dynamic threat environment.
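The impact analysis in the insulin-pump scenario above, as an added example that is not code from the original post or from Blue Goat Cyber. The CBOM below borrows the CycloneDX component and dependency shape, but every name, version and edge is constructed, and the "dataFlows" list is a constructed extension (not a CycloneDX field) used to record which component sends patient data to which, over which transport or crypto component. Starting from the vulnerable BLE stack, the code walks reverse dependencies and downstream data flows, records why each component is exposed, and buckets the result for triage.

```python
from collections import deque

# Constructed CBOM for a smart insulin pump (CycloneDX-style components/dependencies,
# plus a constructed "dataFlows" extension for the device's data paths).
CBOM = {
    "components": [
        {"bom-ref": "mcu", "type": "device", "name": "pump-microcontroller"},
        {"bom-ref": "usb", "type": "device", "name": "charging-controller"},
        {"bom-ref": "fw", "type": "firmware", "name": "pump-firmware", "version": "4.2.1"},
        {"bom-ref": "ble", "type": "library", "name": "ble-stack", "version": "2.3.0"},
        {"bom-ref": "crypto", "type": "library", "name": "tls-library", "version": "3.0.13"},
        {"bom-ref": "app", "type": "application", "name": "patient-mobile-app", "version": "7.1"},
        {"bom-ref": "cloud", "type": "service", "name": "dose-sync-api"},
        {"bom-ref": "ehr", "type": "service", "name": "clinic-ehr-connector"},
    ],
    # CycloneDX semantics: "ref" depends on every entry in "dependsOn".
    "dependencies": [
        {"ref": "fw", "dependsOn": ["ble", "crypto"]},
        {"ref": "mcu", "dependsOn": ["fw"]},
        {"ref": "app", "dependsOn": ["crypto"]},
    ],
    # Constructed: "from" transmits patient data to "to" via the named component.
    "dataFlows": [
        {"from": "fw", "to": "app", "via": "ble"},
        {"from": "app", "to": "cloud", "via": "crypto"},
        {"from": "cloud", "to": "ehr", "via": "crypto"},
    ],
}

# Constructed mapping from component type to the impact category a reviewer triages.
IMPACT_CATEGORY = {"device": "patient-safety", "firmware": "patient-safety",
                   "library": "data-integrity", "application": "data-integrity",
                   "service": "data-integrity"}


def impacted_components(cbom, vulnerable_ref):
    """Return {bom-ref: reason} for every component exposed through vulnerable_ref.

    Two propagation rules: anything that (transitively) depends on an impacted
    component is impacted, and any data flow that originates from, or travels
    via, an impacted component exposes its destination.
    """
    reverse_deps = {}
    for dep in cbom.get("dependencies", []):
        for target in dep.get("dependsOn", []):
            reverse_deps.setdefault(target, []).append(dep["ref"])
    reasons = {}
    queue = deque([vulnerable_ref])
    while queue:
        current = queue.popleft()
        candidates = [(d, f"depends on {current}") for d in reverse_deps.get(current, [])]
        candidates += [(f["to"], f"receives data from {f['from']} via {f['via']}")
                       for f in cbom.get("dataFlows", []) if current in (f["from"], f["via"])]
        for ref, reason in candidates:
            if ref != vulnerable_ref and ref not in reasons:
                reasons[ref] = reason
                queue.append(ref)
    return reasons


def triage(cbom, reasons):
    """Bucket impacted components by category so patching and notification can be prioritised."""
    types = {c["bom-ref"]: c["type"] for c in cbom["components"]}
    buckets = {}
    for ref in sorted(reasons):
        buckets.setdefault(IMPACT_CATEGORY[types[ref]], []).append(ref)
    return buckets


if __name__ == "__main__":
    found = impacted_components(CBOM, "ble")
    for ref, why in found.items():
        print(f"{ref}: {why}")
    print(triage(CBOM, found))
```

The recorded reasons double as the evidence trail a regulator would expect in a documented response plan; the TLS library and the charging controller stay out of scope because nothing reaches them from the BLE stack.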

    Challenges in Implementing a CBOM

    As medical devices become more sophisticated and interconnected, the need for a CBOM is growing. However, its implementation presents a unique set of challenges beyond traditional SBOMs. Here’s a closer look at the key obstacles organizations face when building and maintaining a CBOM:

    Complexity and Granularity

    Unlike an SBOM, which primarily catalogs software components, a CBOM encompasses a broader, multi-layered ecosystem that includes hardware modules, embedded firmware, communication protocols, APIs, and runtime configurations. Capturing this level of detail requires a cross-functional approach involving engineering, security, procurement, and vendor management teams. Mapping out the cybersecurity posture of each component—while accounting for versioning, interdependencies, and lifecycle status—is a highly complex and resource-intensive effort.

    Continuous Evolution and Maintenance

    Medical devices are not static. Firmware updates, software patches, hardware revisions, and third-party library changes all impact the integrity of the CBOM. Like SBOMs, CBOMs must be treated as living documents, continuously updated throughout the device lifecycle—from design and development to postmarket surveillance. This demands automated tooling, robust configuration management, and integrated update workflows to ensure the CBOM remains accurate and actionable.

    Balancing Transparency with Security

    While a CBOM should provide enough detail to support vulnerability management and regulatory compliance, over-disclosure can create new risks. For instance, exposing detailed information about communication stacks or encryption libraries could help attackers identify exploitable entry points. Organizations must strike a careful balance—providing sufficient transparency for internal teams and regulators while safeguarding sensitive implementation details that could be weaponized if disclosed externally. Role-based access and tiered documentation strategies are increasingly used to manage this challenge.

    Statistical Perspective: The Case for CBOM

    A recent survey by the Healthcare Information and Management Systems Society (HIMSS) revealed that over 75% of healthcare organizations experienced at least one significant cybersecurity incident within the past year. These incidents often involved data breaches, ransomware attacks, and exploitation of vulnerabilities in network-connected medical devices. The rise in such events threatens patient safety and operational continuity and underscores a critical need for greater visibility and control over the cybersecurity posture of medical technologies.

    This is where the CBOM becomes indispensable. A CBOM offers a detailed, system-level view of all digital components within a medical device—including hardware modules, firmware, communication protocols, and third-party software dependencies. With this level of insight, healthcare organizations can more effectively identify vulnerable assets, assess exposure in real-time, and respond swiftly to threats. As cyberattacks grow more sophisticated and regulators demand greater accountability, CBOMs are proving to be not just a best practice—but a foundational element of modern healthcare cybersecurity strategy.

    CBOM Thoughts

    The rise of the CBOM in medical device cybersecurity is a testament to the evolving nature of cyber threats and the need for more comprehensive security strategies. While implementing and maintaining a CBOM can be challenging, its role in ensuring the safety and security of medical devices is invaluable. As technology advances, the CBOM will become an increasingly essential tool in the cybersecurity toolkit, enabling a safer and more secure healthcare ecosystem.

    The FDA’s Stance on SBOMs and CBOMs

    The FDA plays a pivotal role in medical device cybersecurity. Their stance on SBOMs and CBOMs is particularly significant, shaping how manufacturers approach device security.

    The FDA’s Perspective on SBOMs

    The FDA has been increasingly vocal about the importance of SBOMs in medical device security. Their guidelines are steering the industry towards greater transparency and accountability. Here’s what they focus on:

    • Premarket Transparency: The FDA recommends device manufacturers include an SBOM in their premarket submissions. This requirement ensures a device’s software components are well-documented and scrutinized for vulnerabilities before the product hits the market.
    • Risk Assessment: An SBOM aids the risk assessment process by providing a clear picture of the software components. The FDA expects manufacturers to conduct thorough risk analyses, leveraging the information contained in the SBOM.
    • Continuous Monitoring and Updating: The FDA’s guidance extends beyond the device’s initial approval. They emphasize the importance of maintaining an up-to-date SBOM throughout the device’s lifecycle, reflecting any software updates or changes.

    The Emerging Importance of CBOMs

    While the FDA has not yet formalized guidelines for CBOMs, their growing significance in cybersecurity is clear. The FDA’s overall approach to medical device security suggests that the CBOM will soon become integral to its regulatory focus. Key aspects include:

    • Comprehensive Device Security: The FDA will likely favor a holistic approach to device security, which is where the CBOM comes in. It provides a complete view of a device’s cybersecurity profile, encompassing software and hardware components.
    • Supply Chain Security: The FDA’s increasing attention to the security of the medical device supply chain aligns well with the CBOM concept. Manufacturers can better manage supply chain risks by understanding a device’s components.
    • Adapting to Technological Advancements: As medical devices become more interconnected and reliant on complex technologies, the FDA’s guidelines are expected to evolve to address these changes. CBOMs could become a critical tool in this regard.

    Conclusion

    CBOMs and SBOMs in medical device cybersecurity constitute a cornerstone of the FDA’s regulatory framework. These components are not just checkboxes for compliance but fundamental tools that enhance medical devices’ safety, reliability, and trustworthiness. As technology evolves and cyber threats become more sophisticated, the roles of CBOMs and SBOMs will undoubtedly expand and become more intricate. For manufacturers and healthcare providers, staying informed and proactive in incorporating these elements is crucial. The FDA’s guidelines, while stringent, pave the way for a safer and more secure healthcare ecosystem. By embracing these guidelines, we advance into a future where medical devices are technologically advanced and securely designed to protect and preserve human health.

    For more insightful and detailed discussions on the dynamic world of medical device cybersecurity, stay tuned to Blue Goat Cyber. Here, we continuously explore and unravel the complexities of cybersecurity, ensuring you’re always a step ahead in this vital and ever-evolving field.

    Contact us if you need help with SBOM creation or medical device security.

    CBOM & SBOM MedTech Cybersecurity FAQs

    A Software Bill of Materials (SBOM) is a structured list of all software components—open-source, third-party, and proprietary—used within a medical device. It helps organizations identify and track software dependencies to manage vulnerabilities and comply with regulatory requirements.

    A Cybersecurity Bill of Materials (CBOM) goes beyond software, offering a comprehensive inventory of all digital elements in a device, including firmware, communication protocols, encryption libraries, and hardware-software interactions. While an SBOM is software-focused, a CBOM provides a holistic view of cybersecurity risk.

    CBOMs enable manufacturers and healthcare providers to quickly assess device exposure during cyber incidents, ensure regulatory compliance, and implement proactive risk mitigation. As threats evolve and devices become more interconnected, CBOMs serve as a critical foundation for secure lifecycle management.

    The FDA strongly recommends SBOMs as part of premarket cybersecurity documentation and is increasingly encouraging broader device visibility through frameworks like CBOM. Future guidance and global regulations may formalize CBOM expectations as part of postmarket surveillance and supply chain risk management.

    With a CBOM, organizations can trace vulnerabilities to specific components, identify impacted devices, and prioritize patches based on risk. This accelerates incident response, supports patch planning, and helps mitigate potential exploitation before it affects patient safety.

    A CBOM includes:

    • Operating systems and firmware
    • Communication stacks (e.g., Bluetooth, Wi-Fi, Zigbee)
    • Encryption and authentication modules
    • APIs, runtime environments, and software agents
    • Any hardware-software interfaces with cybersecurity implications

    Yes. By providing visibility into all third-party and embedded components, CBOMs help organizations trace component origins and detect risks introduced by vendors or open-source contributors, which are common vectors in supply chain attacks.

    CBOMs should be treated as living documents, updated regularly throughout the device lifecycle—especially during firmware updates, patch deployments, or third-party software changes. Continuous integration with secure development workflows can automate this process.

    Tools like CycloneDX, SPDX, and commercial vulnerability scanners can assist in SBOM generation, while CBOM creation may require more advanced threat modeling tools and cross-functional collaboration between software, hardware, and security teams.

    Blue Goat Cyber offers expert support in developing, validating, and managing SBOMs and CBOMs for medical devices. Our services include component inventorying, vulnerability mapping, regulatory documentation, and FDA premarket submission guidance—helping you build devices that are secure by design and compliant by default.
