Unseen Vulnerabilities, Deadly Risks
Why Canada must mandate SBOMs
As Canadian hospitals and health systems continue to digitize, the medical devices they rely on, such as infusion pumps, diagnostic scanners, and pacemakers, are no longer isolated tools. They are software-driven systems increasingly connected to networks, cloud environments, and other devices. With this complexity comes a pressing cybersecurity challenge: how do we ensure these devices are secure, resilient, and transparent in their design? A recent update from the U.S. Food and Drug Administration (FDA) offers a model that Canadian regulators and healthcare providers would be wise to study closely.
The FDA’s 2025 Cybersecurity Mandate: SBOMs Front and Centre
On June 27, 2025, the FDA released updated guidance titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” Among its most significant provisions is the requirement for manufacturers of “cyber devices” (any device that includes software and connects to the internet) to submit a Software Bill of Materials (SBOM) as part of their premarket submissions under Section 524B of the FD&C Act.
This SBOM must list all software components, including third-party and open-source code, along with vulnerability disclosures and maintenance plans. The goal is simple: to equip healthcare organizations with the transparency they need to understand, manage, and respond to potential cyber risks hidden within the software supply chain.
What About Canada?
While Health Canada has issued guidance on premarket cybersecurity considerations, it has yet to mandate SBOMs at the same level of detail or enforceability as the FDA. However, as threats rise and as devices become more integrated with EHRs, hospital networks, and cloud platforms, Canada’s approach must evolve.
“Software Bills of Materials (SBOMs) are critical to securing connected medical devices in Canada's healthcare system because they provide essential visibility into software components, enabling proactive management of vulnerabilities throughout a device’s lifecycle. As Health Canada aligns its cybersecurity practices with the FDA's 2025 cybersecurity mandate, Canadian Medical Device Manufacturers (MDMs) should adopt SBOMs as a core element of their security strategy. Furthermore, Canadian Healthcare Delivery Organizations (HDOs) can greatly benefit from obtaining FDA-compliant SBOMs, utilizing them to enhance risk assessment and mitigation processes. By learning from the FDA's emphasis on transparency, continuous risk management, and lifecycle vulnerability controls, both Canadian MDMs and HDOs can significantly strengthen their defenses against cyber threats, safeguard patient safety, and ensure regulatory compliance,” said Dmitry Raidman, CTO and Co-founder of Cybeats.
Currently, Canadian guidance is aligned with international standards like ISO/IEC 81001-5-1 and leverages frameworks such as IMDRF’s cybersecurity principles. But there remains a gap: manufacturers are encouraged but not required to disclose the full software inventory of their devices. This makes it difficult for hospital CISOs, procurement officers, and IT teams to fully assess risk, especially for third-party components with known vulnerabilities.
Expert Insight
“Today’s medical devices are no longer standalone tools; they are complex, software-enabled systems embedded in a highly connected healthcare environment. While Health Canada and the FDA have issued important guidance to mitigate cybersecurity risks at the device level, health organizations must also look beyond the device to secure the entire digital ecosystem. Solutions out there help close this gap by enabling real-time visibility and control over every endpoint within an organization, from desktops to servers to containers—helping protect patient care from cyber threats that originate well beyond the device itself,” said Nick Matejuk, RVP Public Sector Canada, Tanium.
Why SBOMs Must Become the Norm
A Software Bill of Materials isn't just a paperwork exercise; it’s a foundation for trust. Without it, healthcare providers are effectively operating blind when it comes to device security. With it, they can:
- Monitor for known software vulnerabilities
- Track dependencies across their network
- Manage patching cycles intelligently
- Demand accountability from vendors
In cybersecurity, visibility is power. An SBOM helps turn opaque black-box systems into manageable, auditable components of the healthcare infrastructure.
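As an added example (not code from the article or from any vendor named in it), this is the kind of check a hospital security team can run over a vendor-supplied SBOM: parse a CycloneDX-style component list and match each component against an advisory feed to find what needs patching. The firmware name, component versions and advisory identifiers are constructed placeholders, and the advisory feed is assumed to give the first fixed version for each affected package.

```python
import json
import re

# Constructed sample: a minimal CycloneDX-style SBOM for a hypothetical
# infusion pump firmware. Component names and versions are made up.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "example-infusion-pump-fw", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
    {"type": "library", "name": "zlib", "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"},
    {"type": "library", "name": "busybox", "version": "1.31.0", "purl": "pkg:generic/busybox@1.31.0"}
  ]
}
"""

# Constructed advisory feed: each entry names a package and the first version
# that contains the fix. The identifiers are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "openssl", "fixed_in": "1.1.1w"},
    {"id": "ADV-PLACEHOLDER-2", "package": "busybox", "fixed_in": "1.33.0"},
    {"id": "ADV-PLACEHOLDER-3", "package": "zlib", "fixed_in": "1.2.12"},
]

def version_key(v: str) -> list:
    """Split '1.1.1k' into [(1,''),(1,''),(1,'k')] so OpenSSL-style letter
    suffixes compare correctly. Assumes every dotted part starts with digits."""
    parts = []
    for p in v.split("."):
        m = re.match(r"(\d+)([a-z]*)", p)
        parts.append((int(m.group(1)), m.group(2)))
    return parts

def affected_components(sbom_json: str, advisories: list) -> list:
    """Return one finding per advisory whose package is in the SBOM at a
    version older than the fixed version."""
    sbom = json.loads(sbom_json)
    by_name = {c["name"]: c for c in sbom.get("components", [])}
    findings = []
    for adv in advisories:
        comp = by_name.get(adv["package"])
        if comp and version_key(comp["version"]) < version_key(adv["fixed_in"]):
            findings.append({"advisory": adv["id"], "component": comp["purl"],
                             "installed": comp["version"], "fixed_in": adv["fixed_in"]})
    return findings

if __name__ == "__main__":
    for f in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{f['component']}: {f['advisory']} (fixed in {f['fixed_in']})")
```

Run against a real SBOM, the same matching would be keyed on the package URL (purl) rather than the bare name, and the advisory feed would come from the manufacturer's vulnerability disclosures or a public vulnerability database.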
Time for National Alignment
Canada’s healthcare sector should move toward making SBOMs a requirement, not just for imported devices that fall under FDA oversight, but for all devices procured and deployed within the country. This may require collaboration between Health Canada, provincial ministries of health, and hospital CIOs, but the result would be a safer, more transparent healthcare system.
In a world where a ransomware attack can delay life-saving care, national resilience demands more than just firewalls; it requires knowing exactly what’s running under the hood.
About: Francois Guay is the CEO and Founder of the Canadian Cybersecurity Network. On October 14, 2025, CCN will release Pulse Check: Cybersecurity in Canadian Healthcare, a national report examining the state of cyber readiness across hospitals, health authorities, and medical technology.