Securing the Past to Protect the Future: Cybersecurity Best Practices for Legacy Medical Devices

Topics: Regulatory, Thought leadership, Vulnerability management

March 19, 2025

Legacy medical devices — those that cannot be reasonably protected against modern cybersecurity threats — pose a serious risk to healthcare institutions. These devices remain in use due to their clinical utility, regulatory complexities, and financial constraints. However, as cyber threats evolve, outdated medical technologies are more susceptible to exploitation, jeopardizing patient safety, hospital operations, and regulatory compliance.

The scale of the problem is significant. A 2021 survey by Kaspersky found that 73% of healthcare providers still rely on medical equipment running on legacy systems. In the United States alone, IBM estimates that hospitals house between 10 and 15 million medical devices, averaging 10–15 connected devices per patient bed. A significant portion of these devices operate on outdated or unsupported software, leaving them highly vulnerable to cyberattacks.

As cyber threats continue to escalate, healthcare delivery organizations (HDOs) and medical device manufacturers (MDMs) must take proactive steps to manage these risks. Addressing the security challenges of legacy devices requires a strategic approach that balances cybersecurity best practices with the practical needs of clinical care.

The Cybersecurity Risks of Legacy Medical Devices

1. Inherent Security Challenges

The average lifecycle of medical devices often exceeds 15 to 20 years, while cybersecurity threats evolve at a much faster pace. According to the Health Industry Cybersecurity — Managing Legacy Technology Security (HIC-MaLTS) Report, key risks associated with legacy medical devices include:

  • Lack of Security Patching: Many legacy devices rely on outdated or unsupported operating systems (OSs), leaving them vulnerable to cyber threats.
  • Insecure Network Connectivity: Older devices were not designed with modern security controls, making them easy targets for exploitation when connected to hospital networks.
  • Integration with Modern IT Systems: Legacy devices often interact with newer IT infrastructure, creating security gaps that attackers can exploit.
  • Software Bill of Materials (SBOM) Challenges: Without full visibility into software components, hospitals may struggle to identify and mitigate vulnerabilities.

2. The Cost of Inaction

Failing to address cybersecurity risks in legacy medical devices can result in serious security and operational challenges, including:

  • Ransomware attacks that can disrupt critical hospital operations, potentially causing delays in patient care.
  • Legacy devices may be compromised not because they are specifically targeted, but because they fit the profile of an attacker or malware scanning for outdated or unpatched systems.
  • Unauthorized access to medical data, leading to potential data breaches and HIPAA violations.
  • Regulatory non-compliance, particularly as global regulators require stronger security measures for medical devices.

A 2023 report by IBM Security found that the healthcare industry had the highest data breach costs for the 13th consecutive year, averaging $10.93 million per breach. Given that legacy medical devices account for a large portion of unpatched vulnerabilities, securing them is no longer optional — it is an area HDOs and MDMs will need to invest in.

Best Practices for Securing Legacy Medical Devices

Cybersecurity is a shared responsibility between MDMs and HDOs. To manage legacy device risks effectively, the Health Industry Cybersecurity Managing Legacy Technology Security (HIC-MaLTS) report suggests that organizations should:

1. Strengthening Governance & Risk Management

  • Establish a Medical Technology/IoT Management Committee: This cross-functional team, including clinical, IT, and security professionals, should oversee cybersecurity risk management for medical devices.
  • Define a Risk Management Strategy: A formal risk assessment approach, such as ISO 14971, should be used to evaluate security risks beyond traditional probability-based assessments.
  • Develop a Lifecycle Management Plan: This should outline key milestones such as End of Life (EOL) and End of Support (EOS) to proactively plan device upgrades or security mitigations.

2. Improving Communication Between Stakeholders

  • Coordinated Vulnerability Disclosure (CVD): MDMs should establish formal CVD programs to allow third parties, e.g., security researchers, to submit newly found vulnerabilities and jointly manage the resolution process including public disclosure.
  • Security Agreements in Contracts: Cybersecurity expectations, such as SBOM transparency, patching support, and EOL/EOS communication should be clearly defined in procurement agreements.
  • Proactive End-of-Life Notifications: MDMs should inform HDOs well in advance when devices will reach EOL, allowing time for security planning or replacement.

3. Implementing Cybersecurity Controls for Legacy Devices

  • Network Segmentation: Isolate legacy devices from critical hospital systems to prevent unauthorized access or security compromise.
  • Network Monitoring and Intrusion Detection: Deploy security monitoring tools that detect unusual behavior in medical device networks.
  • Access Control Mechanisms: Limit user access based on roles to prevent unauthorized modifications.
  • Virtual Patching: Apply compensating controls such as firewall rules or intrusion prevention systems (IPS) when manufacturer patches are unavailable.
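As an added illustration of the segmentation and monitoring controls above (this is not code from the original post or from the HIC-MaLTS report), the following Python script checks constructed flow records against a per-device allowlist and flags any flow that leaves a legacy device's approved communication paths. All device addresses, ports, and roles are made-up assumptions.

```python
"""Segmentation-policy check for legacy medical devices over constructed flow records.

Each legacy device gets an allowlist of (peer, port) pairs it is expected to reach
(e.g. an infusion pump that only talks to its gateway). Any other outbound flow is a
policy violation: exactly the 'unusual behavior' that network monitoring on a
segmented device network should surface, and a hint that a segmentation or
virtual-patching rule is missing or misconfigured.
"""
from dataclasses import dataclass

# Constructed allowlist: device IP -> set of (destination IP, destination port).
# Addresses are placeholders, not from any real deployment.
POLICY = {
    "10.20.1.15": {("10.20.0.5", 443)},                      # imaging workstation -> PACS only
    "10.20.1.22": {("10.20.0.9", 8080), ("10.20.0.9", 22)},  # infusion pump -> gateway only
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def parse_flow(line: str) -> Flow:
    """Parse a constructed 'src dst dport' flow line (whitespace separated)."""
    src, dst, dport = line.split()
    return Flow(src, dst, int(dport))

def violations(lines, policy=POLICY):
    """Return flows from a policy-managed legacy device that fall outside its allowlist.
    Flows whose source is not a managed device are ignored by this check."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        flow = parse_flow(line)
        allowed = policy.get(flow.src)
        if allowed is not None and (flow.dst, flow.dport) not in allowed:
            out.append(flow)
    return out

# Constructed sample flows: a legitimate PACS upload, an SMB attempt toward a host
# in another segment (a segmentation breach), and a normal pump-to-gateway flow.
SAMPLE_FLOWS = """
10.20.1.15 10.20.0.5 443
10.20.1.15 10.30.0.40 445
10.20.1.22 10.20.0.9 8080
"""

if __name__ == "__main__":
    for v in violations(SAMPLE_FLOWS.splitlines()):
        print(f"ALERT: legacy device {v.src} reached {v.dst}:{v.dport} outside policy")
```

In practice the allowlist would be derived from the device's documented communication needs (the SBOM and manufacturer guidance mentioned earlier) and the flow records from a network sensor or firewall log.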

4. Planning for the Future

To minimize future cybersecurity risks, healthcare organizations must:

  • Include Legacy Devices in Your Replacement Planning: Identify at-risk devices and include them in your organization’s replacement planning based on each device’s security exposure and clinical criticality.
  • Require Secure-by-Design Devices: Future device procurement should mandate cybersecurity best practices from manufacturers.
  • Develop a Decommissioning Strategy: Establish formal guidelines for retiring and securely disposing of obsolete devices.
  • Leverage Emerging Security Technologies: AI-driven anomaly detection and zero-trust security models can enhance legacy device protection.

Conclusion

As cyber threats targeting healthcare organizations continue to escalate, securing legacy medical devices is no longer optional — it’s a necessity. While replacing all outdated devices may not be feasible in the short term, implementing strong risk management frameworks, enhancing collaboration between MDMs and HDOs, and deploying compensating cybersecurity controls can significantly reduce security risks.

The challenge is complex, but by adopting a proactive cybersecurity approach, we can protect patient safety while ensuring healthcare organizations remain resilient against emerging threats.
