
FDA Releases Guidance on Managing Legacy Medical Device Cybersecurity Risks

The U.S. Food and Drug Administration (FDA) has published a report it commissioned that makes recommendations on how to manage the cybersecurity risks of legacy medical devices. Legacy medical devices are classed as devices that can no longer be reasonably protected against current cybersecurity threats, even though they may still adequately perform their primary function and have a useful life beyond the declared end-of-support or end-of-life date.

When medical devices reach end-of-life, patches stop being released to fix vulnerabilities, and unpatched vulnerabilities can be exploited to gain access to the devices and to the networks to which they are connected. In many cases, the vendors of the devices cannot continue to issue software patches due to outdated technology and compatibility issues, and healthcare delivery organizations (HDOs) may not be able to replace the devices due to the high cost of doing so. If the devices were removed from use, there could be serious implications for patient safety and clinical operations.

Medical devices are regulated by the FDA, which was tasked by Congress in 2022 to ensure the cybersecurity of medical devices. The FDA has already issued final guidance on premarket submissions for medical devices, which must now meet minimum standards for cybersecurity in order to be approved for use in the United States by the FDA. While the final guidance addresses cybersecurity risks associated with new medical devices that come onto the market, it does nothing to address the cybersecurity of the millions of devices that are already in use at hospitals across the United States.

In November 2023, the FDA contracted with MITRE to produce a report on legacy medical devices, which were legally sold and had cybersecurity controls that were effective at the point of purchase but can no longer be reasonably protected. In an ideal world, these devices should be replaced; however, the issue is complex, and it must be managed in a way that minimizes negative impacts on patient care and safety.


To produce the report, Next Steps Toward Managing Legacy Medical Device Cybersecurity Risks, MITRE interviewed medical device manufacturers, healthcare providers, and cybersecurity experts to identify potential solutions for reducing the cybersecurity risks associated with legacy devices. The report includes recommendations for reducing cyber risk at hospitals that do not have the resources and budgets to replace the devices. The recommendations address the challenges of shared responsibility over the medical device lifecycle, vulnerability management, workforce development, and mutual aid for less well-resourced healthcare delivery organizations (HDOs).

The 8 recommendations made in the report are:

  • Collection of quantitative and qualitative data to allow HDOs and medical device manufacturers (MDMs) to make informed decisions about the risks and costs of replacement versus the continued use of legacy devices.
  • Development of information sharing agreement templates to increase transparency and ensure appropriate expectations are included for managing legacy medical device security risks.
  • Establishment of a security architecture working group including a broad range of stakeholders to identify and prioritize security controls that may be implemented within an HDO’s infrastructure to improve cyber risk management.
  • Development of a research program in modular design for medical devices. If medical devices were designed to be modular, HDOs could have the option of replacing legacy software or hardware components rather than having to totally replace devices.
  • Conduct of a study on vulnerability management coordination to explore approaches to streamline and improve vulnerability management processes, which are often costly and resource-intensive.
  • Development of competency models for roles related to legacy cyber risk management to help less well-resourced HDOs and support workforce training.
  • Participation in mutual aid partnerships, including ad-hoc relationships, private sector partnerships, and state/local government partnerships.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
