Medical device manufacturers must include a Software Bill of Materials (SBOM) in premarket submissions for "cyber devices" as of March 2023.
Effective March 29, 2023, the Food and Drug Administration (FDA) began enforcing new statutory cybersecurity requirements for medical devices. They come from section 3305 of the Consolidated Appropriations Act, 2023 (the omnibus spending bill signed in December 2022), which added section 524B, "Ensuring Cybersecurity of Devices", to the Federal Food, Drug, and Cosmetic Act. For any "cyber device" (one that includes software, can connect to the internet, and has characteristics that could be vulnerable to cybersecurity threats), the sponsor of a premarket submission must provide an SBOM covering commercial, open-source and off-the-shelf software components; a plan to monitor, identify and address post-market vulnerabilities, including coordinated vulnerability disclosure; and processes to deliver updates and patches on a reasonably justified regular cycle, and out of cycle as soon as possible for critical vulnerabilities that could cause uncontrolled risks. The requirements attach to premarket submissions (510(k), De Novo, PMA and similar) made on or after the effective date; a device already on the market is not retroactively required to file an SBOM unless a new submission is made for it, although FDA's existing postmarket cybersecurity expectations still apply. FDA also announced that it would generally not issue "refuse to accept" decisions on section 524B grounds alone before October 1, 2023, so the first months were a transition period rather than a hard cutoff.
This legislation incorporates provisions first proposed in the PATCH Act (the Protecting and Transforming Cyber Health Care Act of 2022), which was never enacted on its own. Before section 524B, FDA's medical device cybersecurity expectations rested on non-binding premarket and postmarket guidance rather than statute; the new law makes component-level software transparency and vulnerability handling an enforceable condition of market entry.
An SBOM lists the software components in a device, including third-party and open-source libraries and their versions. With that inventory on file, a manufacturer can determine quickly which products contain a component once a vulnerability in it is published, and regulators and healthcare customers can verify the answer instead of taking it on trust. The value is in the post-market loop: matching SBOM entries against vulnerability advisories as they appear, assessing whether each finding is exploitable in the device's actual configuration, and delivering patches on the cycle the statute requires.
A machine-readable SBOM in a standard format such as SPDX or CycloneDX lets manufacturers, component suppliers and healthcare delivery organizations exchange component data and act on disclosed vulnerabilities together, rather than each rebuilding the inventory by hand. One caveat: an SBOM is only as accurate as the process that produces it. A hand-maintained list drifts from what actually ships, so the SBOM should be generated from the build and regenerated for every release.
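The following is an added example of the post-market matching step, not code from the article, FDA or any manufacturer. It parses a small CycloneDX JSON SBOM and checks each component's Package URL (purl) and version against an advisory feed with OSV-style "introduced"/"fixed" ranges. Both the SBOM (for a fictional "pump-fw" firmware) and the advisory feed are constructed for illustration, and the EXAMPLE-* identifiers are placeholders rather than real vulnerabilities; the version comparison is deliberately limited to plain dotted numeric versions and rejects anything else.

```python
"""Check the components recorded in a CycloneDX SBOM against a vulnerability feed.

Added example, not FDA or vendor code. The SBOM and the advisory feed below are
constructed for illustration; the EXAMPLE-* identifiers are placeholders and do
not refer to real vulnerabilities.
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX 1.5 SBOM for a fictional device firmware image.
# The "bootloader" entry intentionally lacks a purl to show how gaps are reported.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "firmware", "name": "pump-fw", "version": "4.1.0"}},
  "components": [
    {"type": "library", "name": "tls-lib", "version": "2.4.7",
     "purl": "pkg:generic/tls-lib@2.4.7"},
    {"type": "library", "name": "json-parse", "version": "1.9.0",
     "purl": "pkg:generic/json-parse@1.9.0?arch=arm"},
    {"type": "operating-system", "name": "rtos-kernel", "version": "3.2.1",
     "purl": "pkg:generic/rtos-kernel@3.2.1"},
    {"type": "firmware", "name": "bootloader", "version": "1.0"}
  ]
}
"""

# Constructed advisory feed using OSV-style ranges: a component is affected if
# introduced <= version < fixed; fixed=None means no fixed release exists yet.
ADVISORIES: List[Dict] = [
    {"id": "EXAMPLE-2023-0001", "package": "pkg:generic/tls-lib",
     "introduced": "2.0.0", "fixed": "2.4.8", "severity": "HIGH"},
    {"id": "EXAMPLE-2023-0002", "package": "pkg:generic/json-parse",
     "introduced": "1.8.0", "fixed": "1.9.0", "severity": "MEDIUM"},
    {"id": "EXAMPLE-2023-0003", "package": "pkg:generic/rtos-kernel",
     "introduced": "3.0.0", "fixed": None, "severity": "CRITICAL"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a plain dotted numeric version into a comparable tuple.

    Real matching needs ecosystem-specific comparison (semver pre-release tags,
    Debian epochs, ...). This handles only "X.Y.Z" forms and raises on anything
    else rather than silently mis-ordering versions.
    """
    try:
        return tuple(int(part) for part in version.split("."))
    except ValueError as exc:
        raise ValueError(f"unsupported version string: {version!r}") from exc


def component_purl(purl: str) -> str:
    """Strip version, qualifiers and subpath from a purl, leaving type/namespace/name."""
    base = purl.split("#", 1)[0].split("?", 1)[0]
    return base.rsplit("@", 1)[0]


def in_range(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """OSV-style range check: introduced <= version < fixed (open-ended if no fix)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def match_sbom(sbom_json: str, advisories: List[Dict]) -> List[Dict]:
    """Return one finding per (component, advisory) pair whose version is affected.

    Components with no purl or version cannot be matched reliably, so they are
    reported as findings with advisory=None; the gap is in the SBOM itself.
    """
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    by_package: Dict[str, List[Dict]] = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)

    findings: List[Dict] = []
    for comp in sbom.get("components", []):
        purl, version = comp.get("purl"), comp.get("version")
        if not purl or not version:
            findings.append({"component": comp.get("name"), "version": version,
                             "advisory": None, "severity": "UNKNOWN",
                             "note": "missing purl or version in SBOM"})
            continue
        for adv in by_package.get(component_purl(purl), []):
            if in_range(version, adv["introduced"], adv["fixed"]):
                findings.append({"component": comp["name"], "version": version,
                                 "advisory": adv["id"], "severity": adv["severity"],
                                 "fixed_in": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for finding in match_sbom(SBOM_JSON, ADVISORIES):
        print(finding)
```

Run against the constructed inputs, the matcher reports tls-lib 2.4.7 (inside the fixed-in-2.4.8 range), rtos-kernel 3.2.1 (no fix available, which is the case that feeds the out-of-cycle patching obligation), and the bootloader entry that carries no purl; json-parse 1.9.0 is not reported because the advisory's fixed version is exactly the shipped one. Treating a missing purl as a finding rather than silently skipping it is the design choice that matters: an SBOM with unmatchable entries gives a false sense of coverage.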