The number of vulnerabilities lurking within medical products and devices jumped 59% year-over-year, according to recent research published by Finite State, Health-ISAC, and Securin, Inc. Of the vulnerabilities identified in this 2023 study, more than 16% had been weaponized and over 10% were trending in the wild.  

Amid these rising threats, healthcare organizations have heard the call to prioritize cybersecurity measures and invest in ever-more-robust cybersecurity practices. But regulators have been watching too.

 

FDA's Final Guidance

On September 26, 2023, the FDA published its Final Guidance on Cybersecurity in Medical Devices. To those familiar with the draft version of this guidance issued nearly a year-and-a-half earlier, the two documents resemble each other in terms of content and structure. 

Where do they differ? The FDA's Final Guidance provides more detail in its recommendations for the execution of cybersecurity risk assessments, considerations related to interoperability, and the documentation that the FDA wants to see in premarket submissions of connected medical devices.

The Final Guidance also authorizes the FDA to demand cybersecurity information with the medical device submissions that the agency receives, and to require manufacturers to provide reasonable assurance that the devices they intend to bring to market are "cybersecure."

Also new in the Final Guidance is Appendix 4, titled "General Premarket Submission Documentation Elements and Scaling with Risk." Simply put, Appendix 4 is the FDA's checklist of documents that the agency will look for when it receives premarket submissions.

The SBOM is among the first items on the checklist.

 

What Does the FDA Final Guidance Say about SBOM? 

Section V.A.4. of the Final Guidance specifically calls out the SBOM as a "tool to help manage supply chain risk as well as clearly identify and track the software incorporated into a device." 

The FDA Perspective: Software Bill of Materials (SBOM)

"An SBOM can aid in the management of cybersecurity risks that exist throughout the software stack," the FDA writes in Section V of its Final Guidance, adding that an SBOM "helps facilitate risk management processes by providing a mechanism to identify devices and the systems in which they operate that might be affected by vulnerabilities in the software components, both during development when software is being chosen as a component and after it has been placed into the market throughout all other phases of a product’s life."

The FDA goes on to point out the value of SBOMs as an integral part of a device's security risk management program, and that they should be kept updated as the software itself is updated.

The FDA concludes by requiring an SBOM for submissions of cyber devices to assist the agency's assessment of device risks and their associated impacts on safety and effectiveness. 

 

Section V.A.4: SBOMs - Managing Cybersecurity Risks and Ensuring Regulatory Compliance

Section V.A.4 addresses how SBOMs help manage the cybersecurity risks lurking within software stacks, pointing out that SBOMs comprehensively list all components in a device, including those developed by the manufacturer and third-party elements like purchased, licensed, and open-source software, along with their upstream dependencies.

As a tool, the SBOM is not only vital during the development phase for selecting software components but also throughout the product's lifecycle, aiding in identifying devices and systems potentially impacted by software vulnerabilities.

The role of an SBOM extends to vulnerability management, which is crucial for a device's security risk management. The SBOM should be an integral part of the device’s configuration management, updated regularly to reflect software changes in marketed devices.

For regulatory assessment, especially regarding device risks and their impact on safety and effectiveness, the FDA advises including SBOM documentation in premarket submissions. For cyber devices, producing an SBOM is a requirement under section 524B(b)(3) of the FD&C Act.

SBOMs serve as valuable tools for transparency, informing users about potential risks, as discussed in Section VI of the FDA’s guidance.

 

Section VI: SBOMs and Transparency

In Section VI, Cybersecurity Transparency, the FDA builds the case for the critical role of transparency in the safe and effective use and integration of devices and systems and points to labeling devices with cybersecurity risks to improve software supply chain security and visibility. 

The FDA mandates that medical device labeling, including cybersecurity information, must comply with sections 502(f) and 502(a)(1) of the FD&C Act, ensuring directions for use are adequate and not misleading. Manufacturers should incorporate security information in their labeling as part of design and development, both to mitigate cybersecurity risks and ensure device safety and effectiveness, considering usability testing for risk management.

In its list of examples of information that may be included in labeling to communicate relevant security information to users, the FDA points out that manufacturers should use an SBOM, as outlined in Section V.A.4 or following an industry-accepted format, to:

    • manage their assets
    • assess the impact of vulnerabilities on medical devices, and
    • maintain device safety and effectiveness.

Medical device manufacturers should continuously provide SBOM information, ensuring its accessibility and accuracy, preferably in a machine-readable format, Section VI.A concludes.

Next Steps: SBOMs to Satisfy FDA Final Guidance

The FDA's Final Guidance calls for SBOMs to be submitted as part of a medical device's General Premarket Submission Documentation, as noted in Appendix 4. 

SBOMs not only provide continuous visibility into the vulnerabilities and threats lurking within the software supply chain ecosystems of your connected medical devices, they also help you achieve compliance with increasingly stringent regulatory requirements around their submission and approval. 

Finite State's Next Generation Platform offers a comprehensive solution for managing risk across the software supply chain through advanced SBOM management. The Next Gen Platform aggregates and integrates data from over 150 external sources, providing security teams with a unified and prioritized risk view. It is adept at generating, collecting, visualizing, and distributing SBOMs, ensuring a seamless flow of information throughout the supply chain.

The platform's capability to ingest scans from more than 150 scanners and feeds unifies various defense tools, offering a complete picture of the environment. Additionally, it provides detailed remediation guidance by aggregating and reconciling scan results, offering tailored, context-aware recommendations.

The platform's advanced binary Software Composition Analysis (SCA) and enhanced SBOM capabilities allow for a detailed decomposition of products or assets, leading to precise risk assessments. It also features a robust scoring methodology for risk levels, supported by sophisticated risk prioritization, and is capable of importing and exporting all Vulnerability Exploitability Exchange (VEX) formats, complemented by advanced vulnerability intelligence correlation, making it a robust tool for comprehensive software supply chain risk management.
