In today’s interconnected healthcare landscape, medical devices are no longer just sophisticated hardware—they’re complex software-driven systems that process patient data, communicate across networks, and integrate with hospital infrastructure. This digital transformation has revolutionized patient care, but it has also introduced unprecedented cybersecurity risks that threaten patient safety and healthcare operations.

Today’s conditions also create a great deal of risk for device manufacturers. Between regulatory obligations and the reputational damage a major healthcare cyber attack can produce, the pressure is on. At the heart of addressing these vulnerabilities lies a seemingly simple yet powerful tool: the Software Bill of Materials (SBOM).


The Growing Threat Landscape in Healthcare

The statistics are sobering. According to Forescout’s Vedere Labs, which has been tracking medical device vulnerabilities since 2017, 80% of healthcare data breaches are now caused by cybercriminal activity, with an alarming 1.6 data breaches occurring daily across the healthcare sector. This represents a fundamental shift in the threat landscape, where cybersecurity has become as critical as the medical efficacy of the devices themselves.

Last year, Vedere Labs released research on the persistent risks of connected medical devices and captured compelling data, including:

  • 1.6 million honeypot interactions
  • An attack every 20 seconds on average
  • 110 unique operating systems
  • 300 unique vendors
  • 286% growth in exposure of the DICOM medical imaging protocol

The stakes couldn’t be higher. When ransomware strikes healthcare networks, the consequences extend far beyond financial losses. Life-saving surgeries are postponed, patient monitoring reverts to manual processes, and critical insurance and billing systems become inoperative. In 2024 alone, ransomware attacks have repeatedly demonstrated their devastating impact on healthcare delivery, forcing hospitals to operate in crisis mode and potentially putting patient lives at risk.


Understanding the Software Supply Chain Challenge

To understand why SBOMs are essential, think about the complexity of modern software supply chains. Today’s devices rely on reusable open-source and third-party components, which are ubiquitous in software development. While these components reduce development time, lower costs, and often improve product quality, they also introduce hidden vulnerabilities that can be exploited by malicious actors.

Forescout’s research highlights that the software supply chain encompasses not just the code, binaries, and components that make software run, but everything that touches them throughout the development lifecycle—including authorship, security testing, version control, and licensing information.

“In looking at infusion pumps, for instance, we had 50% of vulnerabilities that were from the infusion pump manufacturer, and the other 50% were from the operating system, the TCP/IP stack, from different libraries that are used in that device,” said Dr. Daniel dos Santos, Head of Security Research at Vedere Labs, in a recent webinar with Manifest Cyber. “But when we look at the number of impacted devices per type, actually more than 76% of [those] devices were impacted by supply chain vulnerabilities.”

When a software dependency contains a vulnerability, the products incorporating that dependency inherit the same security flaw, often without the manufacturer’s knowledge. This opacity in the supply chain has led to what researchers term “insecure-by-design” practices, particularly evident in operational technology and medical devices.

Go deeper: Watch our on-demand webinar “Patch It Up: Prescribing SBOMs for Healthcare’s Cyber Health” with Marc Frankel, CEO of Manifest Cyber and Dr. dos Santos.


Medical Device Vulnerabilities: Real-World Impact

The Internet of Medical Things (IoMT) presents particularly acute supply chain risks. Vulnerabilities in these devices exemplify how supply chain security issues can escalate from data privacy concerns to life-threatening situations. When an implanted medical device can be ransomed or a patient monitoring system can be compromised, the intersection of cybersecurity and patient safety becomes undeniably clear.

Recent examples documented by Forescout underscore the severity of these threats:

The Persistent Risk of Connected Medical Devices report found critical unpatched vulnerabilities across DICOM workstations, medical pump controllers, and medical information systems. One-fifth (20%) of pump controllers had critical vulnerabilities with extreme exploitability.

Source: Forescout Research – Vedere Labs, 2024

Access:7 represents seven supply chain vulnerabilities affecting medical and IoT devices that, if exploited, could enable hackers to remotely execute malicious code, access sensitive patient data, or alter critical device configurations.

NUCLEUS:13 consists of thirteen vulnerabilities affecting the Nucleus TCP/IP stack used in safety-critical devices, including anesthesia machines and patient monitors—devices where security failures could directly impact patient safety.


SBOMs as the Foundation of Transparency

A Software Bill of Materials functions like a nutrition label for software, providing a comprehensive inventory of all components used in a software product. As Manifest Cyber explains, just as “the FDA wouldn’t allow food manufacturers to sell products without ingredient lists, medical devices should not be deployed without disclosing their software components.”

An effective SBOM catalogs all third-party, open-source, and proprietary code used in an application, complete with licensing data, versioning information, authorship details, and unique identifiers. This transparency enables stakeholders—from developers and vendors to customers, researchers, and regulators—to quickly identify, trace, communicate, and mitigate security risks.

The evolution of SBOM usage reflects the changing threat landscape. Historically, SBOMs were primarily used to manage intellectual property risks and licensing compliance. Today, their most vital role is in cybersecurity, as cyber attacks increasingly exploit vulnerabilities in open-source dependencies and third-party components.


Regulatory Momentum and Compliance Requirements

Recognition of SBOMs’ importance has reached the highest levels of government and regulatory bodies. The momentum began with the May 2021 Executive Order on Improving the Nation’s Cybersecurity, which specifically addressed the need to shore up software supply chain security. The order acknowledged that “too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit.”

In the medical device sector, regulatory requirements are rapidly evolving. The FDA has introduced specific cybersecurity requirements for medical device manufacturers, with updated guidance released in June 2025 that treats device quality and device security as inseparable concepts. The guidance expands the definition of “cyber devices” to include more networked medical equipment and requires comprehensive documentation of third-party software components through SBOMs.

Go deeper: Watch this special report on SBOMs with Manifest Cyber CEO Marc Frankel and Forescout’s Alison King, VP of Government Affairs.

International regulatory alignment is also emerging. South Korea’s Digital Medical Products Act (DMPA) now imposes similar SBOM obligations, while Europe, the Gulf States, and the UK are developing comparable requirements. This global regulatory convergence sends a clear message that transparency in software supply chains is becoming a universal expectation.


Operationalizing SBOMs for Healthcare Security

According to Manifest Cyber’s analysis, security leaders are converging on a robust four-step SBOM workflow that maximizes the security value of these documents:

  • Automated Generation and Analysis: SBOMs should be produced during the CI/CD pipeline for every software build and generated for open-source software before integration. This ensures that vulnerability tracking begins from the earliest stages of development.
  • Centralized Storage: SBOMs require long-term storage in dedicated repositories that enable continuous access and analysis throughout the device lifecycle.
  • Enrichment and Risk Evaluation: SBOM components must be continuously matched against vulnerability databases like the National Vulnerability Database (NVD) and OSS Index to identify emerging threats.
  • Risk Prioritization: Organizations should cross-reference vulnerability data with exploitability intelligence, such as the Exploit Prediction Scoring System (EPSS) or CISA’s Known Exploited Vulnerabilities Catalog, to focus remediation efforts on vulnerabilities that pose actual risk to the business.

This continuous monitoring approach represents a paradigm shift from point-in-time security assessments to persistent risk management.


Third-Party Risk Management and Legacy Devices

One of the most significant advantages of SBOMs lies in third-party risk management. Most hospitals and healthcare delivery organizations rely heavily on third-party software, yet many still evaluate vendor security through static questionnaires reviewed only during procurement. This approach leaves organizations blind to vulnerabilities that emerge after deployment.

SBOMs enable persistent monitoring of third-party components. With regular ingestion of vendor-provided SBOMs, security teams can detect on a daily basis when a vendor’s software becomes vulnerable, rather than discovering issues only during annual reviews.

Manifest Cyber provides a compelling example: a US-based hospital that refreshed its MRI fleet in June 2024 required SBOMs during the procurement process. Using SBOM analysis tools, the hospital was immediately notified when CVE-2025-35975 was disclosed, enabling a rapid response to protect patient data and device integrity.
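As an added illustration (not Manifest Cyber’s or Forescout’s code), the Python sketch below runs the enrichment and prioritization steps of the four-step workflow described earlier over a CycloneDX-style SBOM, and then diffs the result against a previous run the way daily ingestion of vendor SBOMs would surface a newly disclosed issue. The component names, purls, CVE ids and EPSS values are all constructed placeholders, and the in-memory feed stands in for NVD/OSS Index and KEV lookups.

```python
"""Added example: enrichment, prioritization and day-over-day diffing of SBOM
findings. All SBOM components, CVE ids and scores below are constructed
placeholders, not real vulnerability data."""
import json

# Constructed CycloneDX-style SBOM fragment (only the fields this example uses).
SBOM_JSON = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"name": "tcpip-stack", "version": "3.1.0", "purl": "pkg:generic/tcpip-stack@3.1.0"},
    {"name": "tls-lib", "version": "1.1.1", "purl": "pkg:generic/tls-lib@1.1.1"},
    {"name": "dicom-lib", "version": "2.4.2", "purl": "pkg:generic/dicom-lib@2.4.2"},
]})
# Constructed vulnerability feed keyed by purl (stand-in for NVD / OSS Index lookups).
VULN_FEED = {"pkg:generic/tcpip-stack@3.1.0": ["CVE-0000-00001", "CVE-0000-00002"],
             "pkg:generic/tls-lib@1.1.1": ["CVE-0000-00003"]}
# Constructed exploitability intelligence: EPSS probabilities and a KEV-style set.
EPSS = {"CVE-0000-00001": 0.91, "CVE-0000-00002": 0.02, "CVE-0000-00003": 0.05}
KEV = {"CVE-0000-00003"}

def enrich(sbom_json: str, feed: dict) -> list:
    """Step 3 (enrichment): one finding per (component, CVE) pair matched by purl."""
    sbom = json.loads(sbom_json)
    return [{"component": c["name"], "version": c["version"], "cve": cve}
            for c in sbom.get("components", [])
            for cve in feed.get(c.get("purl", ""), [])]

def prioritize(findings: list, epss: dict, kev: set, epss_floor: float = 0.1) -> list:
    """Step 4 (prioritization): known-exploited first, then by EPSS; drop the
    low-probability tail so remediation effort goes where actual risk is."""
    ranked = []
    for f in findings:
        score = epss.get(f["cve"], 0.0)
        if f["cve"] in kev or score >= epss_floor:
            ranked.append({**f, "epss": score, "kev": f["cve"] in kev})
    return sorted(ranked, key=lambda f: (not f["kev"], -f["epss"]))

def new_findings(previous: list, current: list) -> list:
    """Persistent monitoring: findings absent from the last ingestion run, i.e.
    what should raise an alert when today's feed is applied to a stored SBOM."""
    seen = {(f["component"], f["version"], f["cve"]) for f in previous}
    return [f for f in current
            if (f["component"], f["version"], f["cve"]) not in seen]

if __name__ == "__main__":
    for row in prioritize(enrich(SBOM_JSON, VULN_FEED), EPSS, KEV):
        print(row)
```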

From Visibility to Action

The ultimate value of SBOMs lies not in their creation, but in the actions they enable. Modern SBOM platforms are integrating software component data with device intelligence and network context, enabling healthcare organizations to:

  • Meet evolving FDA requirements for cybersecurity documentation
  • Automatically isolate vulnerable devices when threats are detected
  • Generate service desk tickets for systematic vulnerability remediation
  • Launch automated workflows for patch management and risk mitigation

This integration transforms SBOMs from static documentation into dynamic risk management tools that strengthen both compliance and security posture.


Looking Ahead: The Universal Bill of Materials

The future of software supply chain transparency extends beyond traditional software components. Manifest Cyber envisions the development of universal bills of materials that include:

  • Software dependencies and third-party components
  • Cryptographic libraries and security implementations
  • AI/ML model components and training data
  • Hardware integrations and firmware dependencies

This holistic approach ensures that organizations can manage complex, multi-dimensional risks across the full stack of modern medical devices, addressing not just software vulnerabilities but also emerging concerns around AI model security and hardware-software integration points.


SBOMs Are a Strategic Imperative

Integrating SBOMs into healthcare cybersecurity represents more than regulatory compliance—it constitutes a fundamental shift toward proactive risk management in an increasingly complex threat landscape.

Medical device manufacturers can no longer think of themselves solely as hardware companies. They are software companies operating in a life-critical environment where security failures can directly impact patient safety. The adoption of SBOMs, coupled with robust vulnerability management processes and regulatory compliance frameworks, provides the foundation for addressing these challenges.

The time for implementing comprehensive SBOM strategies is now. As regulatory requirements continue to evolve and cybersecurity threats grow more sophisticated, organizations that establish strong software supply chain visibility today will be best positioned to protect both their patients and their operations tomorrow. The future of medical device security is transparent—and SBOMs are the key to achieving that transparency.

Learn the real threats and real solutions with the right combination of threat intelligence and the use of SBOMs. Watch our webinar, on-demand, whenever you want.