Safeguard
Software Supply Chain Security

Software supply chain security for medical devices

How FDA premarket cybersecurity rules, medical device SBOMs, and firmware vulnerabilities like Ripple20 and SweynTooth are reshaping supply chain security for connected medical devices.

Marina Petrov
Compliance Analyst
7 min read

Software supply chain security for medical devices has moved from a niche compliance topic to a boardroom issue in the space of about five years. A single infusion pump, insulin pump, or imaging system today typically runs on a stack of third-party libraries, open-source components, and embedded firmware sourced from a dozen or more suppliers — any one of which can introduce a vulnerability that reaches a patient. The 2017 recall of 465,000 St. Jude Medical pacemakers over remote-exploit risk, the 2019 "Urgent/11" flaws in the IPnet stack embedded in hundreds of millions of connected devices, and the 2020 Ripple20 vulnerabilities in the Treck TCP/IP library all trace back to the same root cause: nobody downstream knew what was actually inside the device. That is exactly the gap software supply chain security for medical devices is meant to close, and it is now a legal requirement, not a best practice, for any manufacturer selling into the U.S. market.

Why does software supply chain security for medical devices matter now?

It matters now because the FDA can legally refuse to even review a medical device submission that lacks adequate cybersecurity documentation. Since March 29, 2023, Section 524B of the Food, Drug, and Cosmetic Act — added by the Consolidated Appropriations Act, 2023 — gives the FDA "refuse to accept" authority over premarket submissions for cyber devices, and the agency began enforcing it fully on October 1, 2023, after a transition grace period. That single statutory change turned software supply chain security from an engineering nicety into a gating factor for market access. Add to that the fact that a modern connected device commonly contains 70-90% third-party and open-source code by volume, according to component-composition studies across the medical device industry, and it's clear why manufacturers can no longer treat their suppliers' code as a black box.

What did the FDA's premarket cybersecurity requirements actually change in 2023?

They changed what "complete" means for a 510(k), De Novo, or PMA submission. Under the FDA's final guidance, "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions" (updated June 2023), manufacturers of any "cyber device" — defined as a device with software, the ability to connect to the internet, and technical characteristics that make it vulnerable to cybersecurity threats — must submit a plan for identifying and remediating vulnerabilities, a process to provide reasonable assurance the device is cybersecure, and a software bill of materials for commercial, open-source, and off-the-shelf components. In practice this means FDA premarket cybersecurity review now checks for evidence of a secure development lifecycle, threat modeling artifacts, penetration testing results, and a machine-readable component inventory before a device can be cleared. Submissions that arrive without these artifacts are increasingly bounced back with Additional Information (AI) requests, adding months to clearance timelines — a cost manufacturers are trying hard to avoid by building the artifacts in from day one rather than reconstructing them retroactively.

What exactly is a medical device SBOM, and why do regulators want one?

A medical device SBOM is a structured, machine-readable inventory of every software component — commercial, open-source, and third-party — that ships inside a device, typically formatted in SPDX or CycloneDX and built on the NTIA's 2021 "minimum elements" framework (supplier name, component name, version, dependency relationships, and a unique identifier at minimum). Regulators want it because an SBOM is what turns "we think we might be affected" into "we know we are affected" within hours of a new CVE disclosure. When Log4Shell (CVE-2021-44228) broke in December 2021, hospitals and manufacturers without SBOMs spent weeks manually auditing codebases to find out whether Log4j was buried somewhere in imaging software, infusion pump middleware, or hospital information systems — while organizations with accurate SBOMs queried their inventories and had answers in minutes. The FDA now expects a medical device SBOM to be maintained across the entire product lifecycle, not generated once at submission and forgotten, because firmware and library updates change the composition of a device with every patch.

How vulnerable is connected device firmware to supply chain attacks?

Connected device firmware is a disproportionately attractive target because it runs closer to hardware, is updated far less frequently than application software, and often embeds real-time operating systems or network stacks shared across thousands of unrelated products. Ripple20, disclosed in June 2020, is the clearest illustration: 19 vulnerabilities in a single embedded TCP/IP library (Treck) shipped inside an estimated hundreds of millions of devices across medical, industrial, and consumer sectors, including infusion pumps and patient monitors from multiple manufacturers who had no direct relationship with Treck and, in many cases, didn't know the library was there. SweynTooth, disclosed in early 2020, similarly hit Bluetooth Low Energy chipsets used in pacemakers, glucose monitors, and insulin pumps from several vendors simultaneously — a single flaw in one silicon vendor's SDK became a multi-manufacturer recall problem overnight. Connected device firmware security failures like these don't stay contained to one company's product line; because the same chipsets and libraries get licensed across an entire industry, one unpatched dependency can become a fleet-wide exposure spanning dozens of device families and manufacturers who each thought the risk belonged to someone else.

What happens after a critical vulnerability is found in a fielded medical device?

What happens is a race between disclosure, patching, and patient risk, and the manufacturers with a current medical device SBOM consistently win that race faster than those without one. The FDA's postmarket cybersecurity guidance and the HHS 405(d) program both expect manufacturers to have a documented vulnerability management process that can identify affected device models, assess exploitability and clinical impact, and coordinate disclosure — typically within a 30 to 90 day window depending on severity — with hospitals and, where warranted, CISA's ICS-CERT medical device advisories. Without an accurate component inventory, this process starts with an internal fire drill to figure out which of dozens of device SKUs, going back years, actually contain the vulnerable library or firmware version. With one, it starts with a query. That difference is measured in weeks of exposure for patients and, increasingly, in regulatory and liability consequences for manufacturers who can't demonstrate they knew what was in their own devices.

How Safeguard Helps

Safeguard gives medical device manufacturers a continuously current view of everything that goes into a device, so that software supply chain security for medical devices stops being a submission-day scramble and becomes an operational fact of how the device is built and maintained. Concretely, that means:

  • Automated, lifecycle-spanning medical device SBOM generation in SPDX and CycloneDX formats, built directly from your build pipelines and firmware images so the inventory reflects what actually ships — not a manually maintained spreadsheet that drifts out of date after the first patch.
  • FDA premarket cybersecurity artifact support, mapping your component inventory, known-vulnerability status, and remediation plans to the documentation structure the FDA expects in a 510(k) or PMA cybersecurity section, reducing the back-and-forth that turns into costly Additional Information requests.
  • Connected device firmware security scanning that reaches into embedded RTOS images, network stacks, and third-party SDKs — the layer where Ripple20- and SweynTooth-style flaws hide — rather than stopping at the application layer.
  • Continuous vulnerability correlation, so that when the next Log4Shell-scale disclosure lands, you already know within minutes which device families, firmware versions, and deployed units are affected, instead of spending weeks reconstructing that answer by hand.
  • Audit-ready reporting for FDA submissions, HHS 405(d) alignment, and hospital procurement security questionnaires, generated from the same live component data rather than assembled separately for each audience.

For manufacturers, the goal isn't just clearing the next FDA submission — it's building a supply chain security practice durable enough that the next embedded-library vulnerability is a query, not a crisis.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.