    Episode 045 · November 4, 2025 · 18m listen

    Cyber Risk Management for MedTech Legacy Devices | Ep. 44

    Episode Summary

    This episode of The Med Device Cyber Podcast delves into the complex challenges of securing MedTech legacy devices, offering crucial insights for product security teams, regulatory leads, and engineers. The hosts discuss the FDA's evolving guidance on cybersecurity for devices cleared before September 2023, emphasizing that these older products often lack modern cybersecurity controls and cannot simply be upgraded. A key focus is on the distinction between "controlled" and "uncontrolled" risk, with the FDA encouraging manufacturers to meticulously define and assess these risks in relation to patient safety and data. The conversation highlights the impracticality of replacing all legacy devices due to significant training and financial hurdles for healthcare delivery organizations. The episode explores reduced burden pathways for legacy devices, particularly when making non-cybersecurity-related changes, suggesting that a Software Bill of Materials (SBOM) and a robust postmarket management plan are essential. This plan should include periodic security testing, vulnerability monitoring, and transparent communication of risks to users. The importance of a total product lifecycle approach to cybersecurity—from design to disposal—is stressed, providing manufacturers with actionable strategies to enhance the security posture of their legacy devices. The episode critically examines when to apply the full security process versus leveraging new FDA options to manage cybersecurity risks effectively.

    Key Takeaways

    1. The FDA is shifting its guidance on legacy medical devices cleared before September 2023, acknowledging that many cannot be upgraded to modern cybersecurity standards.
    2. Manufacturers must differentiate between "controlled" and "uncontrolled" risks, explicitly defining situations that pose significant threats to patient safety or data versus minor issues.
    3. For legacy devices undergoing non-cybersecurity changes, the FDA offers reduced burden pathways, emphasizing a Software Bill of Materials (SBOM) and comprehensive postmarket management plans.
    4. Postmarket management plans are critical for legacy devices and should include continuous monitoring, periodic security testing (like penetration testing), and tracking of known exploited vulnerabilities identified through SBOMs.
    5. A total product life cycle approach to cybersecurity, from initial design to device disposal, is essential for mitigating risks, with transparency and communication of risks to end-users being paramount.
    6. When making security-specific changes to legacy devices, manufacturers must undertake the full security process, including comprehensive documentation, testing, and effort to ensure device security.
    7. Replacement of all legacy devices is often not feasible due to the significant cost, logistical challenges, and training requirements for healthcare delivery organizations.
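One concrete piece of the postmarket plan described in the takeaways is cross-checking the components listed in a device's SBOM against a vulnerability feed and flagging known exploited entries. The following is an added example, not code from the podcast or from Blue Goat Cyber; the SBOM contents, the vulnerability ids, the version ranges and the controlled/uncontrolled triage rule are all constructed assumptions for illustration.

```python
"""Added example: cross-check a device SBOM against a vulnerability feed.
All SBOM content, vulnerability ids and version ranges are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    vuln_id: str           # constructed placeholder, not a real CVE id
    component: str
    fixed_in: str          # first version that is no longer affected
    known_exploited: bool  # listed in an exploited-vulnerabilities catalog
    safety_impact: bool    # manufacturer's assessment: could affect patient safety

def parse_version(v: str) -> tuple:
    """'2.4.9' -> (2, 4, 9): compare numerically, since '2.4.9' > '2.4.12' as strings."""
    return tuple(int(p) for p in v.split("."))

def affected(component_version: str, vuln: Vuln) -> bool:
    return parse_version(component_version) < parse_version(vuln.fixed_in)

def assess_sbom(sbom: dict, feed: list) -> list:
    """One finding per (component, vulnerability) match, worst first.
    Triage rule (an assumption for this example, not FDA wording): known-exploited
    AND safety-relevant -> 'uncontrolled' (remediate); otherwise 'controlled' (monitor)."""
    findings = []
    for comp in sbom["components"]:
        for vuln in feed:
            if vuln.component == comp["name"] and affected(comp["version"], vuln):
                status = "uncontrolled" if vuln.known_exploited and vuln.safety_impact else "controlled"
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "vuln": vuln.vuln_id, "status": status})
    findings.sort(key=lambda f: (f["status"] != "uncontrolled", f["vuln"]))
    return findings

# Constructed SBOM in the shape of a CycloneDX 'components' array.
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "components": [
    {"name": "tls-stack",     "version": "1.0.2"},
    {"name": "embedded-http", "version": "2.4.9"},
    {"name": "logging-lib",   "version": "3.1.0"},   # already past its fix version
]}

# Constructed feed; in practice this would be CISA's KEV catalog plus vendor advisories.
SAMPLE_FEED = [
    Vuln("VULN-0001", "tls-stack", "1.0.3", known_exploited=True, safety_impact=True),
    Vuln("VULN-0002", "embedded-http", "2.4.12", known_exploited=True, safety_impact=False),
    Vuln("VULN-0003", "logging-lib", "3.0.0", known_exploited=False, safety_impact=False),
]

if __name__ == "__main__":
    for finding in assess_sbom(SAMPLE_SBOM, SAMPLE_FEED):
        print(finding)
```

Running this periodically against an updated feed is the "tracking of known exploited vulnerabilities" step; the numeric version parse matters because a plain string comparison would miss the embedded-http match.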

    This episode covers SBOM Management and Penetration Testing. It's part of The Med Device Cyber Podcast, hosted by Blue Goat Cyber, focused on practical medical device cybersecurity guidance for MedTech teams.

    Hi, welcome back to The Med Device Cyber Podcast. Today, we are talking about medical legacy devices, MedTech legacy devices, and some of the challenges with securing them from a cybersecurity perspective. We will also discuss what some of the regulatory bodies, such as the FDA, think about legacy devices and how you can come up with a strategy to help mitigate some of the risk associated from a regulatory perspective, as well as a cybersecurity perspective. I am your host, Christian Espinosa, and I am here with our co-host Trevor Slatter. He is joining us from his tiny apartment in San Francisco, because for some reason he decided to move to California. How is it going today, Trevor?

    Well, it is going great, and let me tell you why I decided to move to California. I just got off the Rubicon this weekend. I had a blast out there in the desert in the rocks. I was going out fishing, going out on the Jeeps, and it was only a two-hour drive from here.

    We have plenty of desert and rocks here in Arizona, but you do not have the most famous off-roading trail of all time. Is that why they named the Jeep that one version, called the Rubicon?

    Yeah. Now, the Rubicon was an old trading route from Reno to Sacramento, way, way, way, way back hundreds of years ago. Then, everyone got super into bashing Jeeps against the rocks in it. It took us six and a half hours to go five and a half miles on it. That is the kind of pace that we are making on that trail.

    Was that on your Jeep or did you rent a Jeep?

    No, that was on my buddy’s Jeep. He has got a super customized Wrangler. My little traffic cone suburban Jeep is not getting up there.

    I did not think so. Awesome. So, what should medical device manufacturers know about these legacy devices from a regulatory and a cybersecurity perspective?

    Well, there are a couple of big things going on with some shifts that we are seeing in how the FDA and the regulators are handling legacy devices. What really needs to go into that? One great thing that happened pretty recently is some changes to the FDA’s guidance on cybersecurity, as well as changes into what is accepted as part of EAR. We will dive into all of those specific changes in a bit here, but I will step back a little bit and talk about the legacy device problem. Legacy devices are essentially considered anything that was cleared or just cleared—not approved—under previous guidance before September of 2023. This means that modern cybersecurity controls and guardrails have not been put into the device. There is an issue with these devices: they have already been cleared, they are on the market, and they are in hundreds or thousands of hospitals. We cannot just say we have to clean all these up and try to fit them to new cybersecurity standards. Some of them might not even be capable of it. So, what do we do to fix this problem? The FDA is looking at some pathways to try to bridge these devices closer and closer to modern requirements without needing to effectively redesign and start over. So, that is kind of the background on where we are coming into with the problem. Then, it is going to be a little bit implementation specific for the solution, but in general, it is just figuring out how can we make old devices a little bit more safe and a little bit more secure, since they are not always up to code with the modern standards.

    Yeah. And a lot of people think,
