Why many existing medical devices fall short of the FDA's new cybersecurity standards

The majority of connected medical devices currently used in healthcare facilities today wouldn't meet the U.S. Food and Drug Administration (FDA)’s latest cybersecurity guidance and requirements if submitted for approval now. In fact, a report conducted by a cybersecurity firm found 53% of connected medical devices and other Internet of Things (IoT) devices in hospitals had known critical vulnerabilities, and approximately one-third of healthcare IoT devices have an identified critical risk, potentially affecting the technical operation and functions of medical devices.

The vast number of legacy devices on the market that do not meet current FDA requirements not only raises concerns around patient safety and compliance but also has a real impact on day-to-day patient care and device availability.

Legacy devices weren’t designed to support updated encryption standards and modern security measures long-term, and as a result, there’s no easy fix. For example, a device that was cleared 20 years ago, using encryption that was state-of-the-art at the time, will most likely be considered insecure now. But the hardware on which that device is based likely doesn’t support modern encryption.

So how can we address these obstacles to ensure legacy devices meet modern security standards? Understanding the FDA's evolving cybersecurity landscape and the real-world implications is intrinsic to successfully addressing these issues.

© Blue Goat Cyber | https://bluegoatcyber.com

The new FDA cybersecurity landscape

In June 2025, the FDA updated its 2023 medical device cybersecurity guidance, outlining what manufacturers needed to consider and provide as part of their premarket submissions, introducing new requirements.

The publication supersedes the FDA’s 2023 cybersecurity in medical devices advice and includes mandatory plans for the entire lifecycle of a device, focusing on design, labeling, and documentation for premarket submissions. Now, medical device manufacturers need to demonstrate security considerations throughout the product lifecycle, including postmarket vulnerability monitoring and patching protocols.

The FDA has also introduced risk assessment approaches for evaluating cybersecurity concerns by distinguishing between controlled and uncontrolled risk. Uncontrolled risk describes situations where a security issue could pose significant threats to patient safety or data. Controlled risk refers to scenarios where security flaws may exist, but the potential harm to patients or data remains relatively low.

These requirements apply to any device that contains software or that has a way of connecting to the internet (including Wi-Fi, cellular, Bluetooth, USB ports, serial ports, magnetic coils, and HDMI), regardless of whether it's currently network-enabled.

The legacy device challenge

The legacy device challenge becomes acute when examining the installed base of medical devices already in clinical use. Certain categories of devices are especially vulnerable:

• Connected devices with outdated operating systems
• Devices with hardcoded credentials or weak authentication
• Medical IoT devices
• Supply chain risks for third-party components
• Devices without remote update capabilities
• Devices no longer supported by the original manufacturers

Clinical workflow dependencies also create practical barriers to addressing legacy device security. Healthcare facilities often can’t simply remove vulnerable devices from service as they're providing critical patient care. In addition, replacing older devices requires capital, as well as a time investment to train staff and redesign workflows.

Medical devices often remain in use for 10 to 15 years or more, far exceeding the support lifecycle of the software components. The cost and complexity of retrofitting security controls into devices that weren't designed with security architecture are considerable.

To this day, the majority of manufacturers don’t follow a security-by-design approach. Instead of integrating cybersecurity from the earliest stages of product development, it is often treated as an add-on feature or compliance checkbox.

© Blue Goat Cyber | https://bluegoatcyber.com

Real-world implications

The consequences of overlooking cybersecurity can be severe, ranging from compliance issues to patient safety risks. Devices that don’t support regular patch updates and have built-in cybersecurity risks cause delays for healthcare providers when updates fail and need to be rolled back. I’ve seen “routine” patches sideline critical equipment for days, leaving HTM professionals in crisis mode trying to fix issues they didn’t cause.

But the most concerning consequence of overlooking cybersecurity is the potential impact on patient safety. MedTech cybersecurity is not just about protecting data; it’s about safeguarding human lives. Compromised devices could cause harm to a patient, misdiagnosis, or delayed diagnosis.

And this is no longer just a concern for healthcare facilities. Under the new FDA framework, manufacturer liability and risk exposure substantially increased. Earlier this year, the U.S. Department of Justice (DOJ) issued a $9.8 million False Claims Act settlement with Illumina. The enforcement wasn’t triggered by a breach, ransomware, or a data leak, but based on allegations that the company misrepresented its cybersecurity capabilities when selling sequencing platforms to federally funded institutions.

Successfully managing legacy devices

To help overcome these obstacles, several immediate priorities and long-term strategies should be considered.

1. Comprehensive security assessments

   Begin with a thorough inventory and risk assessment of your entire product portfolio. Understand your devices’ current security capabilities and identify vulnerabilities with the help of penetration testing, vulnerability scanning, and threat modeling.

2. Prioritize devices by risk level

   Develop a risk-based prioritization framework using the FDA’s guidance on controlled and uncontrolled risks, considering both the severity of potential cybersecurity impacts and business factors.

3. Monitor and disclose vulnerabilities

   Postmarket management shouldn’t just be about documenting security measures. It should highlight what you are doing to monitor deployed devices, including disclosing the frequency and types of testing being conducted and the process for when problems are identified.

4. Roadmaps for high-risk devices
   Develop a detailed remediation plan for devices identified as high-risk and be transparent about residual risks with healthcare customers, as well as providing guidance on compensating controls they can implement.

As an industry, we need to change how we approach device development and lifecycle management. Cybersecurity is often overlooked as an afterthought when it should be integrated from the concept and design phase. New devices should be designed with secure remote update mechanisms that enable rapid deployment of security patches throughout their lifecycle.

While internal security testing is essential, external perspectives from specialized cybersecurity firms that can run penetration tests to identify blind spots in your security programs will distinguish you from competitors.

The most important factor of all, whether your device is premarket or legacy, is to be transparent with your customers. Healthcare facilities require clear, timely information about vulnerabilities, available patches, and recommended configurations. By addressing both immediate risks and long-term strategic needs, manufacturers can contribute to a healthcare ecosystem that safely leverages connectivity and software innovation while protecting patients from cyber threats.

About the author: Christian Espinosa is founder and CEO of Blue Goat Cyber.