
Thought Leadership

SBOM Transparency v. Exposure: Evaluating Adversarial Risk in Healthcare

A new case study explores the risks of public SBOM transparency in healthcare, evaluating how adversarial access may reduce exploitation effort and introduce unintended exposure.

Harbor Labs Chief Scientist Dr. Mike Rushanan served as the Principal Investigator for the paper The SBOM Transparency v. Exposure Dilemma: A Case Study on Adversarial Access to Public SBOMs in Healthcare. This is the second of his two papers to be presented at the upcoming HealthSec 2025 Conference this December in Honolulu, HI.

The FDA recommends that manufacturers publicly disclose a continuously updated Software Bill of Materials (SBOM) to support shared responsibility in cybersecurity risk management, vulnerability assessment, and mitigation. While this is a sound and proven security principle, caution should also be exercised in the public release of SBOMs without first evaluating the potential risks introduced by adversarial access.

To support this point, this paper examines a case study using a de-identified, FDA-compliant SBOM derived from a real-world medical device. Using a large language model (LLM), known vulnerabilities (CVEs) were extracted from the SBOM and an attack blueprint was automatically generated. The attack was then validated in a controlled containerized environment, demonstrating that even a minimally detailed SBOM can reduce adversary effort and streamline exploitation planning. The paper concludes with a recommendation that distinctions be made between the SBOM content provided to regulators, clinical end users, and the general public in order to limit unnecessary exposures.
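The paper's closing recommendation, that regulators, clinical end users and the general public each receive a different level of SBOM detail, can be made concrete as a release-time filter. The following is an added example, not code from the paper or from Harbor Labs: it takes a constructed CycloneDX-style SBOM (the component list, the placeholder CVE id and the vendor contact URL are all invented for illustration) and emits three views, with the public view stripped of exact versions and of any precomputed CVE-to-component linkage, plus a gate that checks no version string from the full SBOM survives into a view. Which fields belong in each tier is an assumption made here to illustrate the idea, not the paper's exact policy.

```python
import copy
import json

# Constructed CycloneDX-style SBOM (illustrative only; not derived from any real device).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "example-device-firmware", "version": "4.2.1"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "purl": "pkg:generic/openssl@1.1.1k"},
        {"type": "operating-system", "name": "busybox", "version": "1.31.1",
         "purl": "pkg:generic/busybox@1.31.1"},
        {"type": "library", "name": "libxml2", "version": "2.9.10",
         "purl": "pkg:generic/libxml2@2.9.10"},
    ],
    # Hypothetical vulnerability entry; the id is a placeholder, not a real CVE number.
    "vulnerabilities": [
        {"id": "CVE-XXXX-PLACEHOLDER", "affects": [{"ref": "pkg:generic/openssl@1.1.1k"}]},
    ],
}

AUDIENCES = ("regulator", "clinical", "public")


def _strip_purl_version(purl):
    """pkg:generic/openssl@1.1.1k -> pkg:generic/openssl (version segment removed)."""
    return purl.split("@", 1)[0]


def build_view(sbom, audience):
    """Return a copy of the SBOM reduced to what the given audience needs (tiering is assumed)."""
    if audience not in AUDIENCES:
        raise ValueError(f"unknown audience: {audience!r}")
    view = copy.deepcopy(sbom)  # never mutate the master SBOM
    if audience == "regulator":
        return view  # full inventory plus vulnerability linkage
    # Clinical and public views drop the precomputed CVE-to-component linkage and
    # instead point at the manufacturer's disclosure channel (placeholder URL).
    vulns = view.pop("vulnerabilities", [])
    view["metadata"]["disclosure"] = {
        "openAdvisories": len(vulns),
        "contact": "https://vendor.example/security",  # placeholder, not a real endpoint
    }
    if audience == "clinical":
        return view  # exact versions kept so hospital IT can match advisories and patch
    # Public view: component names and types only; versions removed everywhere,
    # including inside purls, and the advisory count omitted.
    view["metadata"]["component"].pop("version", None)
    for comp in view["components"]:
        comp.pop("version", None)
        if "purl" in comp:
            comp["purl"] = _strip_purl_version(comp["purl"])
    view["metadata"]["disclosure"].pop("openAdvisories", None)
    return view


def find_version_leaks(view, full_sbom):
    """Release gate: every version string from the full SBOM still present in a view."""
    serialized = json.dumps(view)
    versions = {c["version"] for c in full_sbom["components"] if "version" in c}
    versions.add(full_sbom["metadata"]["component"]["version"])
    return sorted(v for v in versions if v in serialized)


if __name__ == "__main__":
    for aud in AUDIENCES:
        print(f"--- {aud} view ---")
        print(json.dumps(build_view(SAMPLE_SBOM, aud), indent=1))
    print("public-view leaks:", find_version_leaks(build_view(SAMPLE_SBOM, "public"), SAMPLE_SBOM))
```

The leak check is deliberately string-based: it catches versions that survive in unexpected places (a purl, a description, a hash comment) rather than only in the `version` field, which is the kind of residue a schema-aware filter tends to miss.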

About the Author

  • Nick Yuran, CEO

    Nick Yuran is the CEO of Harbor Labs. After a career in US intelligence, Nick entered private industry and today applies that national security experience to the cyber disciplines he manages at Harbor Labs. As a serial entrepreneur, Nick has led several companies to successful exits, including companies in the satellite, enterprise networking, and cybersecurity markets. His most recent exit was the merger of a medical Internet of Things cybersecurity technology company, and he remains a strong advocate in the medical and healthcare IT security industry today. Nick holds a BA in Slavic Languages from the University of Arizona and an MS in Telecommunication Engineering from George Washington University.
