    Episode 45 · November 4, 2025 · 18m listen · 626 words · ~3 min read

    Cyber Risk Management for MedTech Legacy Devices | Ep. 44 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 45 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

    This episode of The Med Device Cyber Podcast delves into the complex challenges of securing MedTech legacy devices, offering crucial insights for product security teams, regulatory leads, and engineers. The hosts discuss the FDA's evolving guidance on cybersecurity for devices cleared before September 2023, emphasizing that these older products often lack modern cybersecurity controls and cannot simply be upgraded. A key focus is on the distinction between "controlled" and "uncontrolled" risk, with the FDA encouraging manufacturers to meticulously define and assess these risks in relation to patient safety and data. The conversation highlights the impracticality of replacing all legacy devices due to significant training and financial hurdles for healthcare delivery organizations. The episode explores reduced burden pathways for legacy devices, particularly when making non-cybersecurity-related changes, suggesting that a Software Bill of Materials (SBOM) and a robust postmarket management plan are essential. This plan should include periodic security testing, vulnerability monitoring, and transparent communication of risks to users. The importance of a total product lifecycle approach to cybersecurity—from design to disposal—is stressed, providing manufacturers with actionable strategies to enhance the security posture of their legacy devices. The episode critically examines when to apply the full security process versus leveraging new FDA options to manage cybersecurity risks effectively.

    Key takeaways from this episode

    • The FDA is shifting its guidance on legacy medical devices cleared before September 2023, acknowledging that many cannot be upgraded to modern cybersecurity standards.
    • Manufacturers must differentiate between "controlled" and "uncontrolled" risks, explicitly defining situations that pose significant threats to patient safety or data versus minor issues.
    • For legacy devices undergoing non-cybersecurity changes, the FDA offers reduced burden pathways, emphasizing a Software Bill of Materials (SBOM) and comprehensive postmarket management plans.
    • Postmarket management plans are critical for legacy devices and should include continuous monitoring, periodic security testing (like penetration testing), and tracking of known exploited vulnerabilities identified through SBOMs.
    • A total product life cycle approach to cybersecurity, from initial design to device disposal, is essential for mitigating risks, with transparency and communication of risks to end-users being paramount.
    • When making security-specific changes to legacy devices, manufacturers must undertake the full security process, including comprehensive documentation, testing, and effort to ensure device security.
    • Replacement of all legacy devices is often not feasible due to the significant cost, logistical challenges, and training requirements for healthcare delivery organizations.


    Full episode transcript

Hi, welcome back to The Med Device Cyber Podcast. Today, we are talking about medical legacy devices, MedTech legacy devices, and some of the challenges with securing them from a cybersecurity perspective. We will also discuss what some of the regulatory bodies, such as the FDA, think about legacy devices and how you can come up with a strategy to help mitigate some of the risk associated from a regulatory perspective, as well as a cybersecurity perspective. I am your host, Christian Espinosa, and I am here with our co-host Trevor Slatter. He is joining us from his tiny apartment in San Francisco, because for some reason he decided to move to California. How is it going today, Trevor?

Well, it is going great, and let me tell you why I decided to move to California. I just got off the Rubicon this weekend. I had a blast out there in the desert in the rocks. I was going out fishing, going out on the Jeeps, and it was only a two-hour drive from here.

We have plenty of desert and rocks here in Arizona, but you do not have the most famous off-roading trail of all time. Is that why they named the Jeep that one version, called the Rubicon?

Yeah. Now, the Rubicon was an old trading route from Reno to Sacramento, way, way, way, way back hundreds of years ago. Then, everyone got super into bashing Jeeps against the rocks in it. It took us six and a half hours to go five and a half miles on it. That is the kind of pace that we are making on that trail.

Was that on your Jeep or did you rent a Jeep?

No, that was on my buddy's Jeep. He has got a super customized Wrangler. My little traffic cone suburban Jeep is not getting up there.

I did not think so. Awesome. So, what should medical device manufacturers know about these legacy devices from a regulatory and a cybersecurity perspective?

Well, there are a couple of big things going on with some shifts that we are seeing in how the FDA and the regulators are handling legacy devices. What really needs to go into that?

One great thing that happened pretty recently is some changes to the FDA's guidance on cybersecurity, as well as changes into what is accepted as part of EAR. We will dive into all of those specific changes in a bit here, but I will step back a little bit and talk about the legacy device problem. Legacy devices are essentially considered anything that was cleared or just cleared—not approved—under previous guidance before September of 2023. This means that modern cybersecurity controls and guardrails have not been put into the device. There is an issue with these devices: they have already been cleared, they are on the market, and they are in hundreds or thousands of hospitals. We cannot just say we have to clean all these up and try to fit them to new cybersecurity standards. Some of them might not even be capable of it. So, what do we do to fix this problem? The FDA is looking at some pathways to try to bridge these devices closer and closer to modern requirements without needing to effectively redesign and start over. So, that is kind of the background on where we are coming into with the problem. Then, it is going to be a little bit implementation specific for the solution, but in general, it is just figuring out how we can make old devices a little bit more safe and a little bit more secure, since they are not always up to code with the modern standards.

Yeah. And a lot of people think,