Managing Cyber Risk: A Systematic Approach For Legacy Medical Devices

Legacy medical devices often remain in use long after their operating systems, firmware, and security protections have become outdated, creating significant challenges for manufacturers. These devices expose healthcare providers and patients to cybersecurity risks while also drawing heightened regulatory scrutiny. Addressing these risks requires a structured, risk-informed approach to evaluating, prioritizing, and managing legacy devices in the field.

The process begins with discovery—understanding which models are still deployed, where they are used, and whether they are connected to networks or support critical care. This often requires collaboration with hospitals, who may lack complete inventories or awareness of device risks. Once identified, devices should undergo a systematic assessment that considers technical feasibility, regulatory gaps, and clinical impact. This includes examining update potential, encryption and access controls, SBOM availability, monitoring practices, and alignment with FDA, NIST, ISO, and IMDRF guidance.

Based on this assessment, manufacturers can choose among three main paths: remediate the device with secure updates, implement compensating controls like network segmentation or monitoring, or contain/document risks for lower-priority systems. Each path requires clear documentation, updated SOPs, and transparent communication with stakeholders. A major challenge is revalidation, since even minor updates may trigger costly retesting and regulatory filings.

Ultimately, managing legacy medical devices is both a technical and strategic task. Proactive, well-documented decisions not only reduce liability but also demonstrate regulatory leadership, strengthen provider relationships, and extend the safe use of trusted devices. With the right approach, legacy doesn’t have to mean liability.