Cybersecurity for Legacy Devices

Management Summary

Cybersecurity for Legacy Medical Devices: Managing Risk and Securing Compliance

Legacy medical devices often deliver safe clinical performance but were built under earlier cybersecurity expectations. When manufacturers seek a new regulatory submission or re-certification (even for changes unrelated to cybersecurity), the submission may be delayed or rejected if the device does not meet current cybersecurity requirements.

Cybersecurity and Compliance: Critical for Patient Safety and Regulatory Approval

• Regulators are raising the bar for medical device cybersecurity across the entire product lifecycle (pre-market and post-market).
• Hospitals continue to rely heavily on legacy technology, making immediate device replacement often impractical.
• The goal is to retrofit cybersecurity where technically feasible and apply compensating controls to reduce risk—without requiring a full redesign.

Legacy Devices at a Glance: Usage, Vulnerabilities and Regulatory Metrics

• 53% of connected medical and IoT devices in hospitals have known critical vulnerabilities.
• 73% of healthcare providers still rely on equipment operating on legacy systems (2021 survey).
• U.S. hospitals alone are estimated to operate 10–15 million medical devices.
• The FDA clears roughly 3,000–3,500 new medical device submissions per year via the 510(k) pathway.

Recognizing Technical Risks: Obsolete Systems, Missing Patches and Weak Authentication

Many legacy medical devices:

• Operate on obsolete or unsupported operating systems or software components.
• Use weak authentication mechanisms (default or hardcoded credentials) and limited authorization controls.
• Lack robust patch and update mechanisms.
• Do not provide hardware support for modern cryptographic standards.

Result: Cybersecurity gaps that are difficult to remediate internally but must nevertheless be controlled to meet modern regulatory expectations.

Security Strategy for Legacy Devices: Retrofit, Protect and Control

Recommended Measures

• Conduct a comprehensive security assessment and establish a prioritized risk register.
• Apply technically feasible patches and system hardening measures while documenting existing constraints.
• Implement network segmentation and allow-listing as fast and effective compensating controls.
• Introduce authentication and role-based access control (RBAC) via secure gateways where device capabilities are limited.
• Deploy monitoring and virtual patching mechanisms (IDS/IPS, firewall, proxy).
• Define a lifecycle and end-of-life (EOL) strategy, including clear redesign trigger criteria.

Achieving Controlled Risk: Operating Legacy Medical Devices in a Regulatory-Compliant Manner.

Legacy devices can often be aligned more closely with current cybersecurity expectations through targeted remediation combined with robust compensating controls. This approach can reduce risk to an acceptable and controlled level—sufficient to support regulatory submissions—while enabling structured planning for eventual replacement where necessary.

In the following technical article, you will find deeper insights into risks, regulatory requirements, and practical measures for strengthening cybersecurity in legacy medical devices.

1. Introduction

Designing a new medical device with security in mind (“security by design”) allows architects to segregate critical components, protect assets in secure storage, and enforce authentication and authorization on interfaces.

This proactive approach works well for greenfield projects. But what happens when the field is not so green? Many MedTech organizations have legacy medical devices – products built years ago under older rules – that now require new regulatory submissions or updates. Often, these submissions are unrelated to cybersecurity, yet they get delayed or rejected because the device fails to meet today’s cybersecurity regulations.

The majority of connected medical devices in use today would not satisfy the U.S. FDA’s latest cybersecurity requirements if submitted for approval now; in fact, over 53% of connected medical and IoT devices in hospitals have known critical vulnerabilities. A vast number of devices on the market do not meet current FDA cybersecurity expectations, raising serious concerns for patient safety and compliance.*¹

This issue is not confined to the United States. Thousands of legacy medical devices in Europe face a similar predicament under new EU rules. Under the EU Medical Device Regulation (MDR), many existing (legacy) devices that were approved under older directives must be re-certified. As of 2023, applications for MDR certification surged from 1’661 in 2020 to 14’539 in 2023, yet only 4’873 certificates had been issued, leaving almost 10’000 products (mostly legacy devices) still waiting for certification.

In other words, many legacy devices risk being pulled from the EU market if they cannot achieve MDR certification in time. Switzerland, which aligns closely with EU regulations, faces similar challenges ensuring older devices meet updated requirements. Meanwhile, new devices continue to enter the market: the FDA clears roughly 3’000–3’500 new device submissions per year via its 510(k) program.

This means regulators and healthcare providers face a two-fold challenge: integrating thousands of new  medical devices each year while millions of older devices without modern security features remain in use.*²

The scale of the legacy device problem is significant. A 2021 survey found 73% of healthcare providers still rely on equipment running on legacy systems. In the United States alone, IBM estimated hospitals house 10–15 million medical devices (about 10–15 devices per patient bed), and a significant portion of these operate on outdated or unsupported software.

Many of these aging devices lack secure design:

• they run obsolete operating systems
• use hardcoded passwords
• weak authentication
• cannot be easily patched or updated.

A device cleared 20 years ago might use encryption that was state-of-the-art at the time but is now considered insecure – and its hardware may not even support modern encryption algorithms. Replacing every legacy device with a brand-new model is often impractical due to cost, time, and the need to avoid disrupting patient care.

Therefore, organizations are looking for ways to retrofit cybersecurity into legacy medical devices. Below, we highlight five key techniques to update a legacy device’s architecture and practices to meet today’s cybersecurity regulations – without a complete ground-up redesign (which we consider as a last resort if everything else fails).

Here at IMT, we hear from a lot of customers that they face these challenges right now, and we are happy to assist you with this challenge.

Applying Software or Firmware Updates
Where technically possible, apply software or firmware updates to the legacy device to fix known vulnerabilities. Many legacy devices run on outdated operating systems or on software components that no longer receive vendor support. If updates are available—for example, a Windows security patch or a firmware update from the device vendor—apply them to bring the device closer to compliance. In some cases, upgrading the device’s operating system to a newer, supported version (if the hardware can handle it) dramatically improves security.

At minimum, implement secure configuration hardening: disable unused network ports or services, replace hardcoded passwords, and enforce stronger authentication if the device’s software allows. Each incremental patch or security improvement can help reduce “uncontrolled risk” in regulatory terms. For instance, after high-profile vulnerabilities in implantable devices were discovered, some manufacturers issued firmware updates adding features like Secure Boot, encryption, or PIN codes without changing the device’s core design.

Mitigating Unpatchable Devices
However, not all legacy devices can be patched or upgraded—many have no update mechanism, or the manufacturer no longer supports them. Often there is no hardware capability for modernization. In such cases, remaining vulnerabilities must be documented and mitigated through compensating controls.

Regulatorily, it is critical to provide proof of a risk-based prioritization and a documented plan for addressing vulnerabilities. Regulatory bodies expect transparent communication of remaining residual risks to customers (e.g., hospitals) along with practical guidance for mitigation.

IMT can perform security assessments, vulnerability scanning, and threat modeling for your legacy product—and, of course, for any new product as well.

Implementation in Practice
In practice, network segmentation is often implemented with firewalls, virtual LAN configurations, and zero-trust network principles. Only essential communication to and from the device is allowed, and all other traffic is blocked. Hospitals can create a “medical device network” where legacy devices communicate with a gateway or server but cannot initiate connections to the wider hospital intranet or internet. This reduces the attack surface drastically. If a legacy device has known vulnerabilities that cannot be patched, isolating it ensures that an attacker cannot easily reach it or, if the device is somehow breached, that the damage is confined. Segmentation is recommended by cybersecurity frameworks and industry groups as a primary mitigative control for legacy technology.

Network-Based Security Controls
Additionally, consider using network-level protections like network access control (NAC). NAC can enforce device authentication when connecting to the network and ensures that only authorized devices are present. Even simple measures like placing legacy devices behind an internal VPN or a jump-host can add a layer of isolation. The bottom line is that a legacy device should never sit exposed in an open network. By virtually air-gapping or firewalling legacy systems, organizations can meet many regulatory expectations for risk control measures, since even if the device itself isn’t up to modern standards, the surrounding network is designed to protect it.

IMT experts can help you find the best measures for your specific environment.

Physical Security Controls
Physical security controls are also crucial. Ensure that legacy devices located in hospitals or labs are in controlled areas where only authorized staff can physically interact with them, preventing unauthorized connections via USB or service ports. Modern regulations like the FDA guidance expect manufacturers to address authentication and access in their submissions – confirming that only trusted users and updates can interface with the device. If the device cannot natively support strong user authentication, document which compensating controls (like network-based authentication or physical key locks) are in place to restrict access.

Perimeter Authentication and Certificates
Another technique is implementing device identity and certificates at the network level. Some hospitals use overlay systems where each device (even legacy ones) is tracked by a management system or agent that requires a valid certificate for network communication. This perimeter-based authentication ensures that rogue devices or software cannot impersonate the legacy device and that it communicates only with trusted systems.

In summary, strengthening logical and physical access control helps bring a legacy device closer to today’s security best practices without necessarily altering hardware or firmware. Based on threat assessment and your product’s specific needs, IMT experts can assist in hardening your device against real threats in the field.

Strong Perimeter Defenses
Strong perimeter defenses are a broader category of compensating controls. These include network firewalls, intrusion detection systems (IDS), and even application-layer gateways that sit between the legacy device and external connections. An IDS/IPS can monitor the legacy device’s traffic for any suspicious activity or known attack patterns. If detected, the system can alert staff or actively block the traffic. Similarly, placing an application-layer proxy in front of the device can enforce protocol correctness and drop unexpected commands, which is especially useful if a device uses an older unsecured protocol. This acts like a shield around the device’s vulnerabilities.

Whitelisting and Command Segmentation
Another compensating control is whitelisting and segmentation of commands. For instance, if a legacy device should only receive instructions from a specific hospital server, configure network rules so it only accepts connections from that server’s IP address. You can also use data diodes or unidirectional gateways if the device only needs to send data out (ensuring nothing can connect in reverse). All these measures constitute virtual patching strategies that address security gaps without altering the device itself.

Regulatory Documentation
It is important to document these measures in regulatory submissions. Regulatory bodies acknowledge that legacy devices might need such compensating controls. Guidance for legacy device cybersecurity by industry groups recommends using firewalls, network segmentation, and monitoring as compensating controls to mitigate risks on unsupported devices. By implementing virtual patches and robust perimeter security, manufacturers and healthcare providers can demonstrate that even if a device is old, it can be surrounded by defenses to bring its overall risk down to an acceptable (controlled) level.

Long-Term Solutions
Ultimately, if these measures are insufficient, replacing the device with a modern secure version may be necessary for long-term safety – which leads to the final point.

Regulatory Pressure and Market Reality
Regulatory trends in both the US and EU support this approach. The EU MDR, for example, prompted many companies to decide not to re-certify certain legacy products at all – instead opting to discontinue them if upgrading to “state-of-the-art” security and clinical evidence is too burdensome. In one industry survey, 54% of responding manufacturers said they do not intend to transition some of their older devices to MDR, often due to the high costs and difficulties of upgrading legacy products to meet new requirements. Manufacturers’ device portfolios are expected to shrink by about 20% on average, as many legacy devices are retired rather than redesigned. This reflects a hard truth: in some cases, the only way to truly secure a legacy device is to build a new generation of that product with security by design from the start.

Cost–Benefit Considerations for Decision Makers
For key decision makers evaluating whether to invest in legacy device cybersecurity, it is important to weigh the costs and benefits of remediation versus replacement. Often, the techniques in this article – assessments, patching, network protections, and related measures – can buy several years of safe use for a legacy device and satisfy regulators in the near term. This can be far more cost-effective and faster than an immediate redesign. However, those stop-gap measures should be coupled with a roadmap for eventually phasing out or fundamentally redesigning the device to meet future regulations. Regulators like the FDA now mandate cybersecurity planning across the entire product lifecycle, which implies that if a device’s remaining life is long, it either needs continuing security support or a defined end-of-life strategy. In practical terms, this might mean designing a “Mark II” version of the device that will replace the legacy model in a few years. Engaging in early redesign planning also signals to regulators and clients that the manufacturer is proactive about patient safety.

IMT Lifecycle Support
IMT can offer support across the entire product lifecycle. We can also create a redesign of your product while your experienced engineers handle maintenance of the legacy product in the field, ensuring a smooth transition within a reasonable timeframe.