Episode 11 · November 4, 2025 · 18m listen · 3,314 words · ~17 min read
Cyber Risk Management for MedTech Legacy Devices | Ep. 44 - Full Transcript | The Med Device Cyber Podcast
Read the complete, searchable transcript of Episode 11 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.
Episode summary
In this episode of the Med Device Cyber Podcast, hosts Christian Espinosa and Trevor Slattery of Blue Goat Cyber delve into the complex cybersecurity challenges surrounding legacy medical devices. They define legacy devices as those cleared by the FDA under previous, less stringent cybersecurity guidelines, which are now widely deployed in healthcare settings but often lack modern security controls. The core problem, as discussed, is the infeasibility of simply replacing or redesigning these thousands of devices, many of which have hardware limitations that prevent simple software patches or updates. The hosts explore how medical device manufacturers can navigate this landscape from both a regulatory and a practical cybersecurity perspective.
The main argument of the episode centers on the FDA's evolving approach to legacy device management. Slattery explains that the FDA is moving away from a one-size-fits-all requirement for complete security overhauls and toward a more nuanced, risk-based pathway. A critical concept introduced is the distinction between "uncontrolled risk" and "controlled risk." Uncontrolled risk refers to vulnerabilities that could lead to significant patient harm, making them unacceptable. In contrast, controlled risks are those with minimal, manageable impacts on patient safety that might be deemed acceptable. The hosts detail how this distinction affects the regulatory process: if a manufacturer makes a change to a legacy device unrelated to security (e.g., updating a clinical algorithm), they may be able to follow a reduced documentation pathway by providing a risk assessment, a Software Bill of Materials (SBOM), and a post-market management plan. However, if the change is security-related, such as altering a communication protocol, the device will likely be subject to the full, rigorous cybersecurity requirements applied to new devices, which could necessitate a complete redesign.
The podcast concludes by emphasizing the need for a proactive, total-product-lifecycle approach to cybersecurity, extending from initial design to final disposal. Espinosa and Slattery advocate for manufacturers to be fully aware of the vulnerabilities in their legacy products through measures like penetration testing and maintaining a comprehensive SBOM. They argue that this awareness is only useful when it becomes actionable. This includes implementing a robust post-market surveillance and management plan to monitor for new threats and, crucially, communicating identified risks to the healthcare organizations using the devices. By doing so, manufacturers empower users to implement their own mitigating controls, such as network segmentation or firewalls, creating a collaborative defense against potential cyber threats and ensuring patient safety.
Key takeaways from this episode
Legacy medical devices are those approved under older FDA guidance, often lacking modern security controls and facing hardware limitations that prevent easy updates.
The FDA is shifting from demanding full redesigns for legacy devices to a risk-based approach, distinguishing between acceptable 'controlled' risks and unacceptable 'uncontrolled' risks.
Updates to a legacy device unrelated to security may only require a risk assessment, a post-market plan, and an SBOM.
However, any change that impacts a legacy device's cybersecurity posture will trigger the FDA's full, modern cybersecurity submission requirements, just as if it were a new device.
It is impractical and costly to recall and replace all legacy devices, making proactive post-market management and risk mitigation essential.
Security for medical devices should be considered throughout the entire product lifecycle, from initial design concept to final disposal.
Manufacturers should perform proactive security testing, like penetration tests, on their legacy devices to understand the current risk landscape.
Awareness of vulnerabilities must be made actionable by communicating risks to healthcare providers, enabling them to implement compensating controls like network segmentation.
Christian: Hi, welcome back to the Med Device Cyber podcast. Today we're talking about medical legacy devices, MedTech legacy devices, and some of the challenges with securing them from a cybersecurity perspective, and what some of the regulatory bodies such as the FDA think about legacy devices, and how you can come up with a strategy to help mitigate some of the risk associated, from a regulatory perspective as well as a cybersecurity perspective.
Christian: I'm your host Christian Espinosa and I'm here with our co-host Trevor Slattery. He's joined us from his tiny apartment in San Francisco because for some reason he decided to move to California. How's it going today, Trevor?
Trevor: Well, it's going great. And let me tell you why I decided to move to California. I just got off the Rubicon this weekend, had a blast out there in the desert, in the rocks. Um, going out fishing, going out on the Jeeps, and it was only a two-hour drive from here. So.
Christian: We have plenty of desert and rocks here in Arizona.
Trevor: But you don't have the most famous off-roading trail of all time.
Christian: Is that where they named the Jeep, that one version called the Rubicon?
Trevor: Yeah. Yeah, the Rubicon was an old, um, old trading route from Reno to Sacramento, way, way, way, way, way back, hundreds of years ago. And then everyone got super into bashing Jeeps against the rocks in it. So took us six and a half hours to go five and a half miles on it. That's the kind of pace that we're making on that trail, but.
Christian: Was that on your Jeep or did you rent a Jeep?
Trevor: No, that was on my buddy's Jeep. He's got a super customized Wrangler. My, uh, my little traffic cone suburban Jeep would not get up there.
Christian: I didn't think so. Awesome. So what should, uh, medical device manufacturers know about these legacy devices from a regulatory and a cybersecurity perspective?
Trevor: Well, there are a couple of big things going on with some shifts that we're seeing in how the FDA, the regulators are handling legacy devices, what really needs to go into that. Um, and one great thing that happened pretty recently is some changes to the FDA's guidance on cybersecurity as well as changes into what's accepted as part of eSTAR.
Trevor: And so we'll dive into all of those specific changes in a bit here, but I'll step back a little bit and talk about the legacy device problem. So legacy devices are essentially considered anything that was cleared and approved under or just cleared, not approved, under previous guidance before September of 2023, meaning that modern cybersecurity controls and guardrails have not been put into the device.
Trevor: The issue is that these devices have already been cleared; they're on the market, they're in hundreds or thousands of hospitals. We can't just say we have to clean all these up and try to fit them to new cybersecurity standards. Some of them might not even be capable of it. So what do we do to fix this problem?
Trevor: The FDA is looking at some pathways to try to bridge these devices closer and closer to modern requirements without needing to effectively redesign and start over. So, that's kind of the background on where we're coming into with the problem. And then it's going to be a little bit implementation specific for the solution, but in general, it's just figuring out how can we make old devices a little bit more safe and a little bit more secure, since they aren't always up-to-code with the modern standards.
Christian: Yeah, and a lot of people think, well, let's just replace all those devices with newer ones, but that's a larger problem than most people realize, because it's not just a replace, uh, and just assume everything's going to be fine. You also have to train all the staff on how to use a new device. There's a big learning curve. A lot of healthcare delivery organizations don't want to pay for new devices. So it's a bigger problem than just, like, patching, like we typically do in IT, or, uh, updating a device.
Trevor: Yep. And that's a big part of it, is we can take some examples. The easiest one is encryption. Since encryption, it's a bit of an arms race between computing power and encryption strength. The stronger computers get, the easier it's going to be for them to break certain types of encryption, but then new encryption gets stronger since there are new computer processors that can encrypt and decrypt information faster. So, it's a little bit of an arms race in that regard.