{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,10]],"date-time":"2026-03-10T15:20:23Z","timestamp":1773156023501,"version":"3.50.1"},"reference-count":64,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2021,2,23]],"date-time":"2021-02-23T00:00:00Z","timestamp":1614038400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2021,2,23]],"date-time":"2021-02-23T00:00:00Z","timestamp":1614038400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["npj Digit. Med."],"abstract":"<jats:title>Abstract<\/jats:title><jats:p>An exploited vulnerability in a single software component of healthcare technology can affect patient care. The risk of including third-party software components in healthcare technologies can be managed, in part, by leveraging a software bill of materials (SBOM). Analogous to an ingredients list on food packaging, an SBOM is a list of all included software components. SBOMs provide a transparency mechanism for securing software product supply chains by enabling faster identification and remediation of vulnerabilities, towards the goal of reducing the feasibility of attacks. SBOMs have the potential to benefit all supply chain stakeholders of medical technologies without significantly increasing software production costs. Increasing transparency unlocks and enables trustworthy, resilient, and safer healthcare technologies for all.<\/jats:p>","DOI":"10.1038\/s41746-021-00403-w","type":"journal-article","created":{"date-parts":[[2021,2,23]],"date-time":"2021-02-23T11:05:33Z","timestamp":1614078333000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":38,"title":["Building resilient medical technology supply chains with a software bill of materials"],"prefix":"10.1038","volume":"4","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4559-3359","authenticated-orcid":false,"given":"Seth","family":"Carmody","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5379-3540","authenticated-orcid":false,"given":"Andrea","family":"Coravos","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5979-9724","authenticated-orcid":false,"given":"Ginny","family":"Fahs","sequence":"additional","affiliation":[]},{"given":"Audra","family":"Hatch","sequence":"additional","affiliation":[]},{"given":"Janine","family":"Medina","sequence":"additional","affiliation":[]},{"given":"Beau","family":"Woods","sequence":"additional","affiliation":[]},{"given":"Joshua","family":"Corman","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2021,2,23]]},"reference":[{"key":"403_CR1","unstructured":"Cyber Security & Infrastructure Security Agency. Critical infrastructure sectors. https:\/\/www.dhs.gov\/cisa\/critical-infrastructure-sectors (2015)."},{"key":"403_CR2","unstructured":"U.S. Department of Health and Human Services. HITECH Act Enforcement Interim Final Rule. https:\/\/www.hhs.gov\/hipaa\/for-professionals\/special-topics\/hitech-act-enforcement-interim-final-rule\/index.html (2009)."},{"key":"403_CR3","doi-asserted-by":"publisher","first-page":"e69","DOI":"10.1016\/j.hrthm.2015.05.008","volume":"12","author":"D Slotwiner","year":"2015","unstructured":"Slotwiner, D. et al. HRS Expert Consensus Statement on remote interrogation and monitoring for cardiovascular implantable electronic devices. Heart Rhythm 12, e69\u2013e100 (2015).","journal-title":"Heart Rhythm"},{"key":"403_CR4","unstructured":"National Telecommunications and Information Administration (NTIA) use cases and state of practice working group. Roles and Benefits for SBOM Across the Supply Chain. https:\/\/www.ntia.gov\/files\/ntia\/publications\/ntia_sbom_use_cases_roles_benefits-nov2019.pdf (2019)."},{"key":"403_CR5","unstructured":"National Audit Office. Investigation: WannaCry Cyber Attack and the NHS. https:\/\/www.nao.org.uk\/wp-content\/uploads\/2017\/10\/Investigation-WannaCry-cyber-attack-and-the-NHS.pdf (2017)."},{"key":"403_CR6","unstructured":"Woods, B. & Bochman, A. Supply Chain in the Software Era. https:\/\/www.atlanticcouncil.org\/in-depth-research-reports\/issue-brief\/supply-chain-in-the-software-era\/ (2018)."},{"key":"403_CR7","unstructured":"Merck & Co, Inc. Merck announces second-quarter 2017 financial results. https:\/\/www.merck.com\/news\/merck-announces-second-quarter-2017-financial-results\/ (2017)."},{"key":"403_CR8","unstructured":"Greenber, A. The untold story of NotPetya, the most devastating cyberattack in history. Wired. https:\/\/www.wired.com\/story\/notpetya-cyberattack-ukraine-russia-code-crashed-the-world\/ (2018)."},{"key":"403_CR9","unstructured":"A. P. M\u00f8ller\u2013M\u00e6rsk A\/S. 2017 Annual Report. http:\/\/investor.maersk.com\/static-files\/250c3398-7850-4c00-8afe-4dbd874e2a85 (2018)."},{"key":"403_CR10","unstructured":"Arhippainen, L., for the VTT Technical Research Centre of Finland. Use and Integration of Third-Party Components in Software Development. VTT Publications 489. http:\/\/www.vtt.fi\/inf\/pdf\/publications\/2003\/P489.pdf (2003)."},{"key":"403_CR11","doi-asserted-by":"crossref","unstructured":"Synopsis. 2018 Open Source Security and Risk Analysis (OSSRA) Report. https:\/\/www.blackducksoftware.com\/open-source-security-risk-analysis-2018 (2018).","DOI":"10.1016\/S1353-4858(18)30051-5"},{"key":"403_CR12","unstructured":"Software Assurance Forum for Excellence in Code (SAFECode). Managing Security Risks Inherent in the Use of Third-Party Components. https:\/\/safecode.org\/wp-content\/uploads\/2017\/05\/SAFECode_TPC_Whitepaper.pdf (2017)."},{"key":"403_CR13","unstructured":"Reuters. Cyber attack hits 200,000 in at least 150 countries: Europol. https:\/\/www.reuters.com\/article\/us-cyber-attack-europol\/cyber-attack-hits-200000-in-at-least-150-countries-europol-idUSKCN18A0FX (2017)."},{"key":"403_CR14","unstructured":"Microsoft. Microsoft Security Bulletin MS17-010\u2013Critical. https:\/\/docs.microsoft.com\/en-us\/security-updates\/securitybulletins\/2017\/ms17-010 (2017)."},{"key":"403_CR15","unstructured":"Abdollah, T. Hackers broke into hospitals despite software flaw warnings. https:\/\/apnews.com\/86401c5c2f7e43b79d7decb04a0022b4 (2016)."},{"key":"403_CR16","unstructured":"Cyber Security & Infrastructure Security Agency. ICS Advisory (ICSMA-18-088-01): Philips iSite\/IntelliSpace PACS Vulnerabilities (Update A). https:\/\/www.us-cert.gov\/ics\/advisories\/ICSMA-18-088-01 (2018)."},{"key":"403_CR17","unstructured":"Cyber Security & Infrastructure Security Agency. ICS Advisory (ICSMA-16-089-01): CareFusion Pyxis SupplyStation System Vulnerabilities. https:\/\/www.us-cert.gov\/ics\/advisories\/ICSMA-16-089-01 (2017)."},{"key":"403_CR18","unstructured":"Rios, B. & Butts, J. Security Evaluation of the Implantable Cardiac Device Ecosystem Architecture and Implementation Interdependencies. https:\/\/a51.nl\/sites\/default\/files\/pdf\/Pacemaker Ecosystem Evaluation.pdf (2017)."},{"key":"403_CR19","first-page":"489","volume":"5","author":"PM Leitner","year":"1999","unstructured":"Leitner, P. M. Japan\u2019s post-war economic success: deming, quality, and contextual realities. J. Manag. Hist. 5, 489\u2013505 (1999).","journal-title":"J. Manag. Hist."},{"key":"403_CR20","first-page":"140","volume":"74","author":"JP Womack","year":"1996","unstructured":"Womack, J. P. & Jones, D. T. How to root out waste and pursue perfection. Harv. Bus. Rev. 74, 140\u2013172 (1996).","journal-title":"Harv. Bus. Rev."},{"key":"403_CR21","doi-asserted-by":"publisher","first-page":"412","DOI":"10.2345\/0899-8205-53.6.412","volume":"53","author":"G Stern","year":"2019","unstructured":"Stern, G. Preparing for the next cyber storm: are you ready? Biomed. Instrum. Technol. 53, 412\u2013419 (2019).","journal-title":"Biomed. Instrum. Technol."},{"key":"403_CR22","unstructured":"Leblang, D. B. & Levine, P. H. Software Configuration Management (eds Estublier, J.) (Springer-Verlag, 1993)."},{"key":"403_CR23","unstructured":"Schmidt, R. & Duffy, T. Non-interfering software distribution. In Proceedings of the DASIA 97 Meeting on Data Systems in Aerospace, Seville, Spain, 26-29 May, 1997. (ed. Guyenne, T.-D.) ESA SP-409, 351\u2013358 (European Space Agency, Paris, 1997)."},{"key":"403_CR24","doi-asserted-by":"crossref","unstructured":"Fangman, P. M., Gerhardstein, L. H. & Homer, B. J. Federal Emergency Management Information System (FEMIS): Bill of Materials (BOM) for FEMIS, version 1.4.5. No. PNL-10689-Ver. 1.4.5. (Pacific Northwest National Laboratory, Richland, WA, 1998).","DOI":"10.2172\/663230"},{"key":"403_CR25","first-page":"101","volume":"19","author":"P Nordquist","year":"2003","unstructured":"Nordquist, P., Petersen, A. & Todorova, A. License tracing in free, open, and proprietary software. J. Comput. Sci. Coll. 19, 101\u2013112 (2003).","journal-title":"J. Comput. Sci. Coll."},{"key":"403_CR26","doi-asserted-by":"crossref","unstructured":"Martin, R. A. Visibility & control: addressing supply chain challenges to trustworthy software-enabled things. 2020 IEEE Systems Security Symposium (SSS), Crystal City, VA, USA, 1\u20134. https:\/\/ieeexplore.ieee.org\/document\/9174365 (2020).","DOI":"10.1109\/SSS47320.2020.9174365"},{"key":"403_CR27","doi-asserted-by":"crossref","unstructured":"Martin, R. A. Assurance for cyberphysical systems: addressing supply chain challenges to trustworthy software-enabled things. 2020 IEEE Systems Security Symposium (SSS), Crystal City, VA, USA, 1\u20135 https:\/\/ieeexplore.ieee.org\/document\/9174201 (2020).","DOI":"10.1109\/SSS47320.2020.9174201"},{"key":"403_CR28","doi-asserted-by":"publisher","unstructured":"Sparrell, D. Cyber-safety in healthcare IOT. 2019 ITU Kaleidoscope: ICT for Health: Networks, Standards and Innovation (ITU K), Atlanta, GA, USA, https:\/\/doi.org\/10.23919\/ITUK48006.2019.8996148 (2019).","DOI":"10.23919\/ITUK48006.2019.8996148"},{"key":"403_CR29","first-page":"66","volume":"39","author":"D Geer","year":"2014","unstructured":"Geer, D. & Corman, J. Almost too big to fail. Login 39, 66\u201368 (2014).","journal-title":"Login"},{"key":"403_CR30","unstructured":"Financial Services Information Sharing and Analysis Center (FS-ISAC) Third-Party Software Security Working Group. Appropriate Software Security Control Types for Third Party Service and Product Providers. https:\/\/drive.google.com\/file\/d\/1vm3JwEtAJqjpRPXoSgY99ijWIBcSSaSz\/view (undated)."},{"key":"403_CR31","unstructured":"FS-ISAC Third Party Software Security Working Group. Appropriate Software Security Control Types for Third-Party Service and Product Providers. Version 2.3. https:\/\/www.fsisac.com\/hubfs\/Resources\/FSISAC-ThirdPartySecurityControlTypes-Whitepaper_2015.pdf (2015)."},{"key":"403_CR32","unstructured":"NTIA. Transcript, Multistakeholder Meeting on Software Component Transparency, Part 1. https:\/\/www.ntia.doc.gov\/files\/ntia\/publications\/july_19_ntia_-_part_1_transcript.pdf (2018)."},{"key":"403_CR33","unstructured":"NTIA. Multistakeholder Meeting on Software Component Transparency, Webcast Archive. Part 1. https:\/\/www.ntia.doc.gov\/other-publication\/2018\/webcast-archive-071918-meeting-promoting-software-component-transparency (2018)."},{"key":"403_CR34","unstructured":"Energy Sector Control Systems Working Group (ESCSWG). Cybersecurity Procurement Language for Energy Delivery Systems. https:\/\/www.energy.gov\/sites\/prod\/files\/2014\/04\/f15\/CybersecProcurementLanguage-EnergyDeliverySystems_040714_fin.pdf (2014)."},{"key":"403_CR35","unstructured":"Mayo Clinic. Medical and research device risk assessment vendor packet instructions. https:\/\/www.mayoclinic.org\/documents\/medical-device-vendor-instructions\/doc-20389647 (2020)."},{"key":"403_CR36","unstructured":"Open Web Application Security Project (OWASP). Security by design principles. https:\/\/www.owasp.org\/index.php\/Security_by_Design_Principles (2016)."},{"key":"403_CR37","unstructured":"CycloneDX.org. CycloneDX implementations. https:\/\/cyclonedx.org\/#implementations (2020)."},{"key":"403_CR38","unstructured":"GitHub.com. Exploring the dependencies of a repository. https:\/\/help.github.com\/en\/github\/visualizing-repository-data-with-graphs\/listing-the-packages-that-a-repository-depends-on (2019)."},{"key":"403_CR39","unstructured":"GitHub.com. About security alerts for vulnerable dependencies. https:\/\/help.github.com\/en\/github\/managing-security-vulnerabilities\/about-security-alerts-for-vulnerable-dependencies (2019)."},{"key":"403_CR40","unstructured":"GitHub.com. Configuring Dependabot security updates. https:\/\/help.github.com\/en\/github\/managing-security-vulnerabilities\/configuring-automated-security-updates (2019)."},{"key":"403_CR41","unstructured":"OWASP. OWASP Dependency-Check. https:\/\/owasp.org\/www-project-dependency-check\/ (2019)."},{"key":"403_CR42","unstructured":"Promenade Software. Automated vulnerability alerts for embedded Linux. https:\/\/promenadesoftware.com\/blog\/automated-vulnerability-alerts-embedded-linux (2016)."},{"key":"403_CR43","unstructured":"National Electrical Manufacturers Association (NEMA). American National Standard: Manufacturer Disclosure Statement for Medical Device Security. ANSI\/NEMA HN 1-2019. https:\/\/www.nema.org\/Standards\/view\/Manufacturer-Disclosure-Statement-for-Medical-Device-Security (2019)."},{"key":"403_CR44","unstructured":"NTIA. NTIA software component transparency. https:\/\/www.ntia.doc.gov\/SoftwareTransparency (2020)."},{"key":"403_CR45","doi-asserted-by":"publisher","unstructured":"Stockhausen, H. B. & Rose, M. W. Continuous security patch delivery and risk management for medical devices. 2020 IEEE International Conference on Software Architecture Companion (ICSA-C), Salvador, Brazil. https:\/\/doi.org\/10.1109\/ICSA-C50368.2020.00043 (2020).","DOI":"10.1109\/ICSA-C50368.2020.00043"},{"key":"403_CR46","unstructured":"Koninklijke Philips N. V. Position Paper: Committed to Proactively Addressing Our Customers\u2019 Security and Privacy Concerns. https:\/\/images.philips.com\/is\/content\/PhilipsConsumer\/Campaigns\/HC20140401_DG\/Documents\/Philips_Cybersecurity_Position_Paper_20180306.pdf (2018)."},{"key":"403_CR47","unstructured":"Siemens Medical Solutions USA, Inc. Cybersecurity: Protecting healthcare institutions against cyberthreats. https:\/\/www.siemens-healthineers.com\/en-us\/support-documentation\/cybersecurity (2020)."},{"key":"403_CR48","unstructured":"Health Care Industry Cybersecurity Task Force. Report on Improving Cybersecurity in the Health Care Industry. https:\/\/www.phe.gov\/preparedness\/planning\/cybertf\/documents\/report2017.pdf (2017)."},{"key":"403_CR49","unstructured":"Walden, G. & Pallone, F. Jr. Letter from the House Committee on Energy and Commerce to Acting Secretary, US Department of Health and Human Services. https:\/\/republicans-energycommerce.house.gov\/wp-content\/uploads\/2017\/11\/20171116HHS.pdf (2017)."},{"key":"403_CR50","unstructured":"Madara, J. L. Letter from the American Medical Association to the House Committee on Energy and Commerce on cybersecurity and the use of legacy technologies in health care. https:\/\/searchlf.ama-assn.org\/undefined\/documentDownload?uri=\/unstructured\/binary\/letter\/LETTERS\/2018-5-24-Letter-to-Walden-Pallone-re-Draft-Cybersecurity-Response-to-EC-RFI.pdf (2018)."},{"key":"403_CR51","unstructured":"US Food and Drug Administration (FDA). Medical Device Safety Action Plan: Protecting Patients, Promoting Public Health. https:\/\/www.fda.gov\/media\/112497\/download (2019)."},{"key":"403_CR52","unstructured":"FDA. Content of Premarket Submissions for Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff. https:\/\/www.fda.gov\/media\/86174\/download (2014)."},{"key":"403_CR53","unstructured":"FDA. Content of Premarket Submissions for Management of Cybersecurity in Medical Devices: Draft Guidance for Industry and Food and Drug Administration Staff. https:\/\/www.fda.gov\/media\/119933\/download (2018)."},{"key":"403_CR54","unstructured":"US Code of Federal Regulations, Title 21, CFR 820.50. Purchasing controls. https:\/\/www.accessdata.fda.gov\/scripts\/cdrh\/cfdocs\/cfCFR\/CFRSearch.cfm?fr=820.50 (2019)."},{"key":"403_CR55","unstructured":"FDA. Cybersecurity for Networked Medical Devices Containing Off the-Shelf (OTS) Software. https:\/\/www.fda.gov\/media\/72154\/download (2005)."},{"key":"403_CR56","unstructured":"FDA. Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff. https:\/\/www.fda.gov\/media\/95862\/download (2016)."},{"key":"403_CR57","unstructured":"FDA. FDA Fact Sheet: The FDA\u2019s Role in Medical Device Cybersecurity. https:\/\/www.fda.gov\/media\/123052\/download (2017)."},{"key":"403_CR58","unstructured":"FDA. Deciding When to Submit a 510 (k) for a Software Change to an Existing Device: Guidance for Industry and Food and Drug Administration Staff. https:\/\/www.fda.gov\/media\/99785\/download (2017)."},{"key":"403_CR59","unstructured":"FDA. Distinguishing Medical Device Recalls from Medical Device Enhancements: Guidance for Industry and Food and Drug Administration Staff. https:\/\/www.fda.gov\/media\/89909\/download (2014)."},{"key":"403_CR60","unstructured":"NTIA. Software Component Transparency: Healthcare Proof of Concept Report. https:\/\/www.ntia.gov\/files\/ntia\/publications\/ntia_sbom_healthcare_poc_report_2019_1001.pdf (2019)."},{"key":"403_CR61","doi-asserted-by":"publisher","unstructured":"Ross, R., McEvilley, M., & Oren, J. C. Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems, vol. 1. NIST Special Publication 800-160, https:\/\/doi.org\/10.6028\/NIST.SP.800-160v1 (2018).","DOI":"10.6028\/NIST.SP.800-160v1"},{"key":"403_CR62","unstructured":"International Medical Device Regulators Forum, Medical Device Cybersecurity Working Group. Principles and Practices for Medical Device Cybersecurity. http:\/\/imdrf.org\/docs\/imdrf\/final\/technical\/imdrf-tech-200318-pp-mdc-n60.pdf (2020)."},{"key":"403_CR63","unstructured":"Health Canada. Guidance Document: Pre\u2010market Requirements for Medical Device Cybersecurity. https:\/\/www.canada.ca\/content\/dam\/hc-sc\/documents\/services\/drugs-health-products\/medical-devices\/application-information\/guidance-documents\/cybersecurity-guidance.pdf (2019)."},{"key":"403_CR64","unstructured":"Medical Device Coordination Group. MDCG 2019-16 Guidance on Cyber Security for Medical Devices. https:\/\/ec.europa.eu\/health\/sites\/health\/files\/md_sector\/docs\/md_cybersecurity_en.pdf (2019)."}],"container-title":["npj Digital Medicine"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.nature.com\/articles\/s41746-021-00403-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.nature.com\/articles\/s41746-021-00403-w","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.nature.com\/articles\/s41746-021-00403-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,12,3]],"date-time":"2022-12-03T18:45:13Z","timestamp":1670093113000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.nature.com\/articles\/s41746-021-00403-w"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,2,23]]},"references-count":64,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2021,12]]}},"alternative-id":["403"],"URL":"https:\/\/doi.org\/10.1038\/s41746-021-00403-w","relation":{},"ISSN":["2398-6352"],"issn-type":[{"value":"2398-6352","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,2,23]]},"assertion":[{"value":"22 December 2019","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"26 January 2021","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"23 February 2021","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"Seth Carmody is the Vice President of Regulatory Strategy at MedCrypt, Founder and CEO of DRX Labs, and former Cybersecurity Program Manager at the US Food and Drug Administration. Andrea Coravos is the CEO of Elektra Labs, Inc. Audra Hatch is the Product Security Specialist at Thermo Fisher Scientific. Josh Corman is the Chief Security Officer and Senior Vice President at PTC, Inc. Ginny Fahs, Audra Hatch, Janine Medina, Beau Woods, and Josh Corman are all unpaid members of I Am The Cavalry.","order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"34"}}