Have you been staying updated on the latest medical device news? Are you aware of the recently proposed legislation for the healthcare vertical? If so, you've likely come across the term Software Bill of Materials or SBOM (pronounced "S-bomb"). This blog will cover what an SBOM is and its importance in your vendor risk management program.
Understanding What an SBOM Is in Healthcare
A Software Bill of Materials is often described as a "list of ingredients" for all the software components used in creating devices, including medical devices. It lists the types of open-sourced and proprietary code used to create a device's software program and the dependencies that the software needs. An SBOM also details the versions of each of these software components in addition to whether proper software licensing has been applied or if licenses should be applied.
Using SBOMs to Identify Vulnerabilities in Vendor Risk Management
SBOMs are used in conjunction with a vulnerability database (i.e., The National Vulnerability Database or the MITRE CVE Program). In vendor risk management, an SBOM is a useful tool for identifying medical device's type attack risks. By knowing the device's software components and their versions, your vendor risk assessment team can identify their vulnerabilities.
An SBOM helps identify the inherent risk a medical device presents without implementing any controls. Your team can then determine the necessary controls to mitigate vendor risk once the inherent risks have been identified. Once those mitigations have been implemented, you can make informed, risk-based decisions as you continuously monitor and mitigate vendor risk.
Sometimes, mitigation isn't possible. In these instances, your organization needs to know if the specific medical device's vulnerabilities are a deal breaker or not. Especially when considering software supply chain attacks, which are a major threat to healthcare organizations, it’s better to know about any vulnerabilities or unpatched weaknesses before purchasing a product.

Requesting an SBOM from a Vendor
You should request an SBOM as part of the vendor's medical device risk assessment. Remember that no current regulation requires manufacturers to provide SBOMs and not every manufacturer voluntarily issues an SBOM with their medical devices. Therefore, it’s best to make this request directly. Additionally, the process of creating and documenting SBOMs doesn't have a set standard; however, if the vendor doesn’t have an SBOM for the device, you should ask them to generate one.
Luckily, there are legislative proposals and standardized frameworks in progress. For example, organizations such as the National Telecommunications and Information Administration and the Cybersecurity and Infrastructure Security Agency are working together to establish standards. Other organizations, including MITRE, have been developing ways for SBOMs to be integrated into supply chain initiatives and frameworks. Until set standards and regulations exist for SBOMs, you should be prepared to ask for an SBOM when conducting risk assessments for your medical devices.
PRO TIP: SBOMs can come in three distinct formats – SPDX, CycloneDX, and SWID. None of these formats are particularly user-friendly, so, usually there is a learning curve. However, an SBOM's benefits make the learning process worthwhile for many organizations. And, when requesting an SBOM, you can always ask your manufacturer if their SBOM can be provided in a more accessible format (e.g., HTML, PDF, or CSV file).
SBOMs can be a great tool to provide transparency into the risks associated with your medical devices for your vendor risk management team. Though your manufacturers aren't required to follow any set requirements or standards for SBOMs, the benefits of increased visibility into your medical devices' software are invaluable. In addition, it can help your organization to identify any hidden risks and protect your organization's and your patients' private data.