Blue Goat Cyber logoBlue Goat CyberSMMedical Device Cybersecurity
    K
    Blog · Lifecycle

    Navigating Cybersecurity Challenges for MedTech Legacy

    Learn how MedTech manufacturers can manage cybersecurity risks in legacy devices under evolving FDA guidance and secure-by-design principles.

    Hero illustration for the Lifecycle article: Navigating Cybersecurity Challenges for MedTech Legacy
    Christian Espinosa, Founder & CEO at Blue Goat Cyber

    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Published: November 5, 2025 · Last reviewed: May 1, 2026

    Direct answer

    Manufacturers must address cybersecurity challenges in legacy medical devices, defined as those cleared before Section 524B took effect on March 29, 2023, by understanding the FDA's distinction between controlled and uncontrolled risk. The FDA's reduced burden pathway allows streamlined updates for devices not directly impacting cybersecurity, requiring an uncontrolled risk assessment, a postmarket management plan, and a Software Bill of Materials (SBOM). Proactive measures like penetration testing, postmarket monitoring, and collaboration are essential for maintaining device security and patient safety.

    The medical device industry is not standing still, and neither are the threats targeting it. Manufacturers carrying legacy products face a real problem: devices cleared under older regulatory guidelines often lack the security architecture modern standards demand. This post looks at the FDA's current guidance on legacy MedTech cybersecurity, the practical steps manufacturers can take to reduce risk, and why treating security as a continuous lifecycle activity is the only approach that holds up long-term.

    Key Takeaways

    • Legacy medical devices pose unique cybersecurity challenges.
    • The FDA distinguishes between controlled and uncontrolled risk.
    • A reduced burden pathway facilitates legacy device updates.
    • Postmarket management and SBOMs are crucial requirements.
    • Penetration testing identifies vulnerabilities effectively.
    • Collaboration ensures ongoing security and compliance.

    Table of Contents

    Why this matters

    The FDA's Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions (Feb 3, 2026 final guidance) made cybersecurity documentation a gating criterion for clearance under Section 524B of the FD&C Act. Reviewers now apply this guidance to cybersecurity challenges for MedTech legacy devices the same way they apply software lifecycle expectations from IEC 62304 and security risk-management expectations from AAMI TIR57 and ANSI/AAMI SW96:2023.

    Gaps in this area are the single most common driver of first-cycle cybersecurity Additional Information (AI) requests. The FDA's FY2024 CDRH performance reports show cybersecurity is among the top deficiency categories cited in 510(k) and PMA AI letters, behind only software documentation and clinical evidence. Treating it as a checklist exercise rather than a design-controlled engineering artifact is what creates the gap.

    The Legacy Device Dilemma

    Legacy medical devices, defined as those cleared and approved before Section 524B took effect on March 29, 2023, pose a significant challenge for manufacturers. These older products were designed and approved under previous regulatory guidelines, often without the security controls modern standards require. As new threats emerge, the security gaps in legacy devices become increasingly consequential for patient safety and data privacy.

    One core problem is that legacy hardware often can't support current encryption standards. As Christian Espinosa, CEO of Blue Goat Cyber, explains, "If we look at a device that was cleared, let's say 20 years ago, using encryption that was back then, that's most likely going to be considered wildly insecure now. But the hardware that that device is on probably does not even support modern encryption."

    Swapping out all legacy devices for newer models sounds clean in theory. In practice, it rarely works. As Trevor Slattery, Chief Technology Officer and Director of MedTech Cybersecurity at Blue Goat Cyber, points out, "A lot of people think, 'Well, let's just replace all those devices with newer ones.' But that's a larger problem than most people realize because it's not just a replace and just assume everything's going to be fine. You also have to train all the staff on how to use a new device. There's a big learning curve. A lot of healthcare delivery organizations don't want to pay for new devices."

    Since full replacement usually isn't feasible, manufacturers and healthcare delivery organizations (HDOs) need practical, risk-based alternatives. That's exactly where the FDA's guidance on legacy device management becomes useful.

    The FDA's Shifting Approach to Legacy Devices

    The FDA has recognized the challenges legacy devices create and has built more flexible pathways for manufacturers trying to address cybersecurity gaps. The central shift is a formal distinction between "controlled" and "uncontrolled" risk.

    Controlled vs. Uncontrolled Risk

    According to Espinosa and Slattery, the FDA is now looking at the potential impact of a vulnerability, not just its existence. Uncontrolled risk means a security issue could directly threaten patient safety, such as a pacemaker vulnerability that could produce life-threatening consequences. Controlled risk describes situations where a flaw exists but the potential patient harm is low and bounded, such as an oxygen pump freezing for a few minutes.

    The FDA is encouraging manufacturers to categorize their legacy device risks and focus remediation where it matters most, rather than demanding a full security overhaul of every product.

    The Reduced Burden Pathway

    Building on that framework, the FDA introduced a "reduced burden pathway" for legacy device updates. As Slattery explains, "The FDA is now saying, 'Okay, we get it. Some of these legacy products, you need to make other changes. If you're doing that, here's what we see as a good effort for cyber security.'"

    Under this pathway, manufacturers making changes to legacy devices that don't directly affect cybersecurity posture can follow a streamlined process. That process requires:

    • Conducting an uncontrolled risk assessment to identify and address significant security vulnerabilities
    • Developing a postmarket management plan for ongoing security monitoring and maintenance
    • Providing a software bill of materials (SBOM) to increase transparency into the device's software components

    The goal is to let manufacturers make necessary updates without forcing a complete security redesign that could push valuable products off the market.

    Practical Steps for Securing Legacy Devices

    The FDA's guidance sets the framework. Manufacturers still have to do the actual work. Here are the strategies that deliver the most value.

    Penetration Testing and Risk Assessment

    Understanding the real risk profile of a legacy device requires hands-on testing. Regular penetration testing and risk assessments reveal which vulnerabilities are actually exploitable and which ones exist in theory but pose minimal real-world risk.

    Slattery notes, "If you're aware of the risk with your device, you can communicate that to whoever's using your device and come up with some mitigating controls as well. Like, if your device has some network vulnerabilities, then you could recommend that as a way to mitigate that, it's put behind a firewall at the at the hospital, for instance, or put on an isolated segment."

    Postmarket Monitoring and Management

    See also: Cybersecurity Risks of Legacy Medical Devices in Hospitals, Medical Device Cybersecurity: A Complete Lifecycle Guide, and Securing the Total Product Lifecycle.

    The FDA's guidance requires a postmarket management plan, and for good reason. A device in the field operates in conditions no one fully anticipated at design time. Ongoing monitoring, vulnerability tracking, and timely updates are what catch problems before they become incidents.

    As Espinosa explains, "The postmarket management strategy for a medical device is not saying these are all of the controls that we built into a product to ensure that it's hardened against attack. It's saying this is what we're doing to keep an eye on things once it's in the field. Here's how often and what type of testing we're doing on the product. Here's what different feeds and resources we're monitoring to be aware in case of a problem."

    Software Bill of Materials (SBOM)

    An SBOM is a detailed inventory of every software component and dependency in a device. For legacy products, it's often the first time anyone has documented this clearly. That documentation makes it possible to track CVEs against specific components and respond quickly when a new vulnerability is disclosed.

    As Slattery notes, "If you aren't doing these types of activities, you're never going to figure out what's wrong. And a bad guy can figure out, a criminal hacker can find the vulnerability first if they're actively researching this security of this device and your team is not. And that's obviously the worst case scenario is for criminals to understand how to attack this device without anyone else being able to figure that out first."

    Collaboration and Transparency

    Securing legacy devices isn't something any single organization can do alone. Manufacturers, healthcare providers, and regulatory bodies need to share information openly and act on it together. That means coordinated vulnerability disclosure processes, clear communication about known risks, and joint development of compensating controls.

    Espinosa puts it directly: "Waiting until it becomes an enforceable problem. So, try to get ahead of these things. the FDA, it's clear the path they're going and they're trying to give some easy options to getting things right now before things get more complicated."

    A Holistic Approach to Cybersecurity

    Securing legacy devices is a continuous process, not a project with a completion date. Manufacturers need to build security into every stage of the product lifecycle, from initial design through eventual decommissioning.

    As Espinosa and Slattery put it, "from design to disposal" should be the guiding principle for medical device cybersecurity. Every stage matters: product conception, development, premarket submission, field deployment, and final disposal. Security decisions made early are cheaper and more effective than patches applied under pressure later.

    By maintaining that discipline, manufacturers protect their legacy products and position their newer devices to meet FDA expectations from day one.

    Conclusion

    Securing legacy medical devices is complex but tractable. The FDA's guidance gives manufacturers a workable road: understand the controlled vs. uncontrolled risk distinction, use the reduced burden pathway where it applies, and execute the required security activities with engineering rigor. The organizations that get this right are the ones treating security as a design-controlled artifact, not a submission formality.

    Working closely with healthcare providers, regulatory bodies, and cybersecurity specialists is what makes that possible at scale. To learn more about securing your medical devices and partnering with Blue Goat Cyber, schedule a Discovery Session with us.

    How Blue Goat approaches this

    Blue Goat Cyber's medical device practice is led by engineers with CISSP, OSCP, and prior military red-team backgrounds. We treat cybersecurity documentation as design-controlled engineering output, not a submission template, every artifact (threat model, SBOM, security risk assessment, penetration test, labeling) traces back to a controlled requirement and a verified result.

    Our engagements deliver the full Feb 3, 2026 guidance documentation set scoped to the device's risk profile, integrated with the existing IEC 62304 software lifecycle and ISO 14971 risk file. See our medical device cybersecurity services for the full scope. If the FDA raises cybersecurity deficiencies after our submission, we resolve them at no additional cost.

    FAQ

    What is a legacy medical device?

    A legacy medical device is a medical device that was cleared or approved by the FDA before Section 524B of the FD&C Act took effect on March 29, 2023. These devices often lack the cybersecurity controls expected in modern medical technology.

    What is the FDA's stance on legacy device cybersecurity?

    The FDA recognizes the challenges of legacy devices and provides guidance emphasizing risk assessment (controlled vs. Uncontrolled risk) and offers a reduced burden pathway for cybersecurity updates to facilitate necessary changes without requiring a complete overhaul.

    What is the reduced burden pathway for legacy devices?

    The reduced burden pathway is an FDA initiative allowing manufacturers to make non-cybersecurity-related changes to legacy devices with a streamlined process. It requires an uncontrolled risk assessment, a postmarket management plan, and a Software Bill of Materials (SBOM).

    Why is a Software Bill of Materials (SBOM) important for legacy devices?

    An SBOM increases transparency by listing all software components and dependencies within a device. For legacy devices, it helps manufacturers understand and manage associated security risks, aiding vulnerability identification and mitigation.

    How can manufacturers identify cybersecurity risks in legacy devices?

    Manufacturers can identify cybersecurity risks through regular penetration testing and complete risk assessments. These activities help pinpoint vulnerabilities and inform targeted mitigation strategies for legacy devices.

    Does the FDA require ongoing monitoring for legacy devices?

    Yes, the FDA's February 3, 2026 final guidance emphasizes complete postmarket management for all medical devices, including legacy products. This includes ongoing security monitoring, vulnerability tracking, and proactive updates based on identified issues.

    Related 524B & eSTAR resources

    Keep going: the 524B and eSTAR working set

    Start with the walkthrough hub, then drill into the statute, the eSTAR field map, SBOM monitoring, postmarket planning, and deficiency response. Use these as the playbook behind every cyber device submission.

    Hub
    FDA Section 524B & eSTAR Cybersecurity Walkthrough

    Start here: the hub that ties the statute, the February 2026 guidance, and the eSTAR fields together in the order a submission team works through them.

    Related services

    Put this into practice on your device

    Every Blue Goat Cyber engagement maps directly to FDA Section 524B and the SPDF - so the evidence you need lands in your submission, not in a separate report.

    Ready when you are

    Get FDA cleared without the cybersecurity headaches.

    30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.