Archimedes UCSF-Stanford CERSI Demystifying Medical Device SBOM

Software Bills of Materials (SBOMs) have emerged as a critical tool for understanding and managing cybersecurity risks in connected medical devices. Despite regulatory emphasis by the FDA and mandatory industry adoption, significant challenges remain in creating, maintaining, and effectively using SBOMs throughout the lifecycle of a medical device. We will explore the SBOM ecosystem in healthcare, from premarket creation to postmarket monitoring, examining the perspectives from both manufacturers and the healthcare delivery organizations.

The panel will discuss key challenges in SBOM such as component/vulnerability matching inconsistencies, the limitations of various SBOM analogies, and the resource constraints facing healthcare providers and device manufacturers attempting to leverage SBOMs at scale. Drawing from real-word examples and industry experience, we will discuss how different stakeholders can develop sustainable and efficient SBOM workflows that enhance patient safety. This session will provide practical insights for manufacturers, healthcare delivery organizations, regulators, and other players seeking not only SBOM compliance, but meaningful security improvements through SBOM implementation.

Kevin Fu
Professor, Archimedes Center for Healthcare and Medical Device Cybersecurity, Northeastern University

Matt Hazelett
Chief Operating Officer and Chief Quality Officer at MedSec

Soundharya Nagasubramanian
VP, Connectivity & Data Management at Vapotherm

David Nathans
CISO/IT/OT Cybersecurity Officer at Siemens Healthineers

Chris Reed
Sr. Director of Cybersecurity Policy | Global Regulatory Affairs at Medtronic

Axel Wirth
Chief Security Strategist at Medcrypt

This joint Archimedes and UCSF-Stanford Center of Excellence in Regulatory Science and Innovation (CERSI) speaker series consists of one-hour virtual lectures on cybersecurity topics with application to medical device security and biomedical engineering. The key goal is to introduce key concepts of cybersecurity science and engineering via distinguished academic speakers to the biomedical engineering and manufacturing communities. Topics covered include human factors for cybersecurity, trustworthy medical device software, security engineering for machine learning, cybersecurity of computer vision, threat modeling, software bills of materials, software safety, cybersecurity regulations, and the science of cybersecurity. This speaker series is an educational opportunity, not intended to discuss FDA policy.