The Doctor Will See Your SBOM Now

Marc Frankel
June 27, 2025

Securing the Future of Medical Devices

In the rapidly evolving healthcare technology landscape, one truth is becoming increasingly undeniable: software supply chain security is now mission-critical, particularly for medical device manufacturers (MDMs). As software permeates everything from MRI machines to telehealth platforms, the need for comprehensive visibility into the software components powering these devices has never been more vital. This is where Software Bills of Materials (SBOMs) become indispensable.

The momentum behind SBOMs isn’t limited to a single country or sector. Governments and regulators around the world are mandating SBOM adoption. The U.S. FDA has introduced requirements specifically for medical device manufacturers, and South Korea’s Digital Medical Products Act (DMPA) now imposes similar obligations. Europe, the Gulf States, and the UK are discussing how to follow closely behind. The message is clear: global regulators are aligning on the need for transparency into the software embedded in healthcare technology.

Think of an SBOM like a nutrition label for software. Just as the FDA wouldn’t let Kellogg’s sell cereal without listing its ingredients, medical devices should not be deployed without disclosing their software components. An SBOM catalogs all third-party, open-source, and proprietary code used in an application, complete with licensing data, versioning, authorship, and unique identifiers.

Historically, SBOMs were used to manage intellectual property risk. Today, their most vital role is in security. As cyberattacks increasingly exploit vulnerabilities in open-source dependencies, having a detailed inventory is essential for assessing and mitigating risk.

Catch Forescout’s on-demand webinar on this very topic: Patch It Up: Prescribing SBOMs for Healthcare’s Cyber Health. Learn more about Forescout.

The Four-Step Process to Secure the Software Supply Chain

Figure 1: The four-step workflow from ingesting SBOMs to taking action on the risk insights.

Security leaders are converging on a robust SBOM workflow:

  1. Automated Generation and Analysis: SBOMs should be produced during the CI/CD pipeline for every software build and generated for open-source software before it’s used.
  2. Centralized Storage: Store them in a repository like Manifest for long-term access and analysis.
  3. Enrichment and Risk Evaluation: Match SBOM components against vulnerability databases like NVD and OSS Index.
  4. Risk Prioritization: Cross-reference with exploitability intelligence, such as EPSS or CISA’s Known Exploited Vulnerabilities Catalog, to focus only on the vulnerabilities that pose real risk and impact to the business.

This continuous visibility into the underlying software components and risks allows teams to prioritize remediation efforts and respond quickly.

SBOMs for Third-Party Risk Management

Most hospitals and healthcare delivery organizations rely heavily on third-party software. Unfortunately, many still evaluate vendor security with 200-page questionnaires reviewed only during procurement. This point-in-time evaluation leaves organizations blind to vulnerabilities that emerge post-deployment.

SBOMs solve this by enabling persistent monitoring. With regular ingestion of vendor-provided SBOMs, security teams can detect when a vendor’s software becomes vulnerable—every single day—not just once a year. 
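Steps 3 and 4 of the workflow above, plus the daily re-evaluation just described, as an added example (not Manifest’s or Forescout’s code): it loads a constructed CycloneDX-style SBOM, matches component purls against a constructed vulnerability feed standing in for NVD and OSS Index lookups, ranks findings by KEV membership and EPSS score, and reports which CVEs are new since the previous run. All component names, CVE ids and EPSS values are placeholders.

```python
import json
from typing import Dict, List, Set

# Constructed CycloneDX-style SBOM fragment (sample data, not a real device's SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"name": "libfoo", "version": "1.2.0", "purl": "pkg:generic/libfoo@1.2.0"},
    {"name": "libbar", "version": "3.4.1", "purl": "pkg:generic/libbar@3.4.1"},
    {"name": "libbaz", "version": "0.9.0", "purl": "pkg:generic/libbaz@0.9.0"}
  ]
}"""

# Constructed vulnerability feed keyed by purl: a stand-in for NVD / OSS Index
# lookups. The CVE ids are placeholders, not real advisories.
VULN_FEED = {
    "pkg:generic/libfoo@1.2.0": ["CVE-0000-0001"],
    "pkg:generic/libbaz@0.9.0": ["CVE-0000-0002", "CVE-0000-0003"],
}
# Constructed exploitability intelligence: EPSS probability and KEV membership.
EPSS = {"CVE-0000-0001": 0.02, "CVE-0000-0002": 0.71, "CVE-0000-0003": 0.004}
KEV = {"CVE-0000-0002"}


def enrich(sbom_json: str, feed: Dict, epss: Dict, kev: Set) -> List[Dict]:
    """Step 3: match each component's purl against the feed, attach EPSS/KEV."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        for cve in feed.get(comp.get("purl", ""), []):
            findings.append({"component": comp["name"], "version": comp["version"],
                             "cve": cve, "epss": epss.get(cve, 0.0), "kev": cve in kev})
    return findings


def prioritize(findings: List[Dict], epss_threshold: float = 0.1) -> List[Dict]:
    """Step 4: KEV entries first, then by EPSS; flag what needs action now."""
    ranked = sorted(findings, key=lambda f: (not f["kev"], -f["epss"]))
    for f in ranked:
        f["act_now"] = f["kev"] or f["epss"] >= epss_threshold
    return ranked


def newly_disclosed(previous: List[Dict], current: List[Dict]) -> List[str]:
    """Continuous monitoring: CVEs present in today's run but not in yesterday's."""
    seen = {(f["component"], f["cve"]) for f in previous}
    return [f["cve"] for f in current if (f["component"], f["cve"]) not in seen]


if __name__ == "__main__":
    for f in prioritize(enrich(SBOM_JSON, VULN_FEED, EPSS, KEV)):
        print(f"{f['component']}@{f['version']} {f['cve']} epss={f['epss']} kev={f['kev']} act_now={f['act_now']}")
```

Re-running `enrich` against a refreshed feed and diffing with `newly_disclosed` is what turns a one-time procurement check into the daily notification the hospital example below relies on.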

Figure 2: MRI Machine.

For example, a US-based hospital refreshed its MRI fleet in June 2024, which allowed it to require and collect SBOMs during the renewal procurement process. The hospital used Manifest to collect and continuously analyze the SBOMs for vulnerabilities, so it was notified immediately when CVE-2025-35975 was disclosed.

Legacy Devices: A Common and Complex Challenge

What about devices already in use that were never required to provide SBOMs?

  • Tying renewals to SBOM delivery is one effective strategy: some institutions demand SBOMs in exchange for renewing service contracts.
  • Binary analysis tools can extract software component data from compiled applications. While not as accurate as vendor-provided SBOMs, this provides a stop-gap method to improve visibility.

These are imperfect but necessary responses to a widespread problem. As one healthcare security expert put it, “The best time to plant your SBOM tree was 10 years ago. The second-best time is today.”

From Visibility to Action

An SBOM is only useful if you act on it. Platforms like Manifest and Forescout are integrating SBOM data with device intelligence and network context, enabling healthcare organizations to:

  • Meet FDA requirements
  • Isolate vulnerable devices
  • Generate service desk tickets
  • Launch automated remediation workflows

By aligning device-level data with SBOM insights, security teams can mitigate risk at scale.

Looking Ahead: The Universal BOM

The next frontier? A universal bill of materials. A single document that includes:

  • Software dependencies
  • Cryptographic libraries
  • AI/ML model components
  • Hardware integrations

This holistic view ensures that organizations can manage complex, multi-dimensional risk across the full stack of modern medical devices.

Conclusion

Medical device manufacturers are no longer just hardware companies. They’re software companies, too. And with that shift comes a new responsibility: securing the software supply chain. SBOMs are not just a regulatory box to check; they’re a strategic capability that empowers manufacturers and healthcare providers to understand, manage, and act on software risk. The time to build this capability is now.

Manifest is helping healthcare organizations detect and manage hidden software supply chain risks at scale. See the platform in action: get a demo. 
