Whitepaper

Benefiting from Software Transparency: From SBOM to Vulnerability Management

Reading time: 12 minutes
July 28, 2025
Software bills of materials (SBOMs) capture the software components used in products. SBOMs are a prerequisite for proactive product security, as well as for vulnerability and risk management programs. However, extracting the full potential value of SBOMs at scale will take sustained effort, and requires tooling to overcome their inherent complexities.

Executive summary

The healthcare industry is undergoing a digital transformation that has revolutionized how care is delivered—but also how it must be secured. This whitepaper explores how Software Bills of Materials (SBOMs) can serve as the foundation for proactive vulnerability management in connected medical devices. By increasing transparency into software components, manufacturers, regulators, and healthcare delivery organizations (HDOs) can better identify, prioritize, and remediate vulnerabilities before they threaten patient safety. The paper also examines technical, cultural, and operational challenges to SBOM adoption and offers practical guidance for realizing their full potential at scale.

Why it matters

Recent vulnerabilities such as Urgent/11, Ripple20, and Amnesia:33 exposed a harsh reality: most healthcare organizations cannot quickly determine which devices are affected by a given flaw. Without standardized SBOMs, vulnerability management remains reactive, costly, and incomplete. Regulatory momentum—from the FDA to the White House Executive Order on cybersecurity—makes SBOMs no longer optional. This paper clarifies why software transparency is essential for regulatory compliance, patient safety, and long-term operational resilience.

Who should read

  • Product and software engineers designing or maintaining connected medical devices
  • Regulatory and quality professionals responsible for FDA cybersecurity readiness and 524B compliance
  • CISOs, product security leaders, and IT teams overseeing vulnerability management programs
  • Executives and program managers seeking to operationalize cybersecurity as a business advantage

Key insights

  • SBOMs are the “nutrition labels” of software — they enable informed security decisions.
  • Reliable SBOMs allow faster identification of affected devices during vulnerability disclosures.
  • Effective SBOM programs require tooling, automation, and cross-functional ownership.
  • Regulatory pressure is accelerating adoption, making transparency a competitive advantage.
  • The ultimate goal is proactive, continuous vulnerability management across the entire ecosystem.

Table of contents

  1. Introduction: Healthcare’s Cybersecurity Transformation
    1. Digital transformation and emerging risks
    2. From reactive security to proactive transparency
  2. Healthcare Use Case for the SBOM
    1. SBOM as the software “nutrition label”
    2. Regulatory context: FDA, Executive Orders, and procurement expectations
  3. Evolution of Thinking: From Transparency to Action
    1. Challenges in building effective vulnerability management programs
    2. The need for continuous visibility and automation
  4. Case Study: What’s in a Name?
    1. The QNX/BlackBerry RTOS example
    2. The problem of inconsistent software naming and versioning
  5. Cultural and Organizational Challenges
    1. Overcoming IP protection fears and business resistance
    2. Why transparency is good business
  6. Vulnerability Management Responsibilities in Healthcare
    1. Roles of MDMs, HDOs, and regulators
    2. Premarket vs postmarket objectives
    3. How SBOMs streamline triage and patch deployment
  7. SBOM Execution Challenges
    1. Managing dependencies, versions, and data volume
    2. Aligning tooling, automation, and process ownership
  8. Conclusion: Making Software Transparency Work
    1. Practical roadmap for scaling SBOM programs
    2. Shared accountability across the ecosystem