
    Cyber Risk Management for MedTech Legacy Devices | Ep. 44


    Christian Espinosa, Founder & CEO

    Reviewed by Christian Espinosa, MBA, CISSP · Founder & CEO

    Published November 2025 · Last reviewed May 2026

The Med Device Cyber Podcast · November 30, 2025

    This episode of The Med Device Cyber Podcast delves into the complex challenges of securing MedTech legacy devices, offering crucial insights for product security teams, regulatory leads, and engineers. The hosts discuss the FDA's evolving guidance on cybersecurity for devices cleared before September 2023, emphasizing that these older products often lack modern cybersecurity controls and cannot simply be upgraded.

    A key focus is the distinction between "controlled" and "uncontrolled" risk, with the FDA encouraging manufacturers to meticulously define and assess these risks in relation to patient safety and data. The conversation highlights the impracticality of replacing all legacy devices due to significant training and financial hurdles for healthcare delivery organizations.

    The episode explores reduced burden pathways for legacy devices, particularly when making non-cybersecurity-related changes, suggesting that a Software Bill of Materials (SBOM) and a robust postmarket management plan are essential. This plan should include periodic security testing, vulnerability monitoring, and transparent communication of risks to users. The importance of a total product lifecycle approach to cybersecurity, from design to disposal, is stressed, providing manufacturers with actionable strategies to enhance the security posture of their legacy devices. The episode critically examines when to apply the full security process versus leveraging new FDA options to manage cybersecurity risks effectively.

    Key Takeaways

    • The FDA is shifting its guidance on legacy medical devices cleared before September 2023, acknowledging that many cannot be upgraded to modern cybersecurity standards.
    • Manufacturers must differentiate between "controlled" and "uncontrolled" risks, explicitly defining situations that pose significant threats to patient safety or data versus minor issues.
    • For legacy devices undergoing non-cybersecurity changes, the FDA offers reduced burden pathways, emphasizing a Software Bill of Materials (SBOM) and comprehensive postmarket management plans.
    • Postmarket management plans are critical for legacy devices and should include continuous monitoring, periodic security testing (like penetration testing), and tracking of known exploited vulnerabilities identified through SBOMs.
    • A total product life cycle approach to cybersecurity, from initial design to device disposal, is essential for mitigating risks, with transparency and communication of risks to end-users being paramount.
    • When making security-specific changes to legacy devices, manufacturers must undertake the full security process, including comprehensive documentation, testing, and effort to ensure device security.
    • Replacement of all legacy devices is often not feasible due to the significant cost, logistical challenges, and training requirements for healthcare delivery organizations.
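The takeaways above call for tracking known exploited vulnerabilities against a legacy device's SBOM as part of the postmarket plan. The script below is an added example, not code from Blue Goat Cyber or the podcast: it loads a CycloneDX-shaped SBOM, matches each component against a known-exploited-vulnerabilities (KEV) feed by product name and version, and returns the hits a postmarket review would triage. The SBOM, the vulnerability IDs (CVE-2099-xxxx), and the `affected_below` version bounds are all constructed sample data and placeholders; real KEV entries do not carry version ranges, so the bound is an assumption standing in for data you would pull from NVD/CPE records.

```python
"""Match a CycloneDX-style SBOM against a KEV-style feed.

Added example for illustration; not the podcast's or Blue Goat Cyber's code.
All SBOM components, CVE IDs and version bounds below are constructed.
"""
import json
import re

# Constructed sample SBOM (CycloneDX JSON shape, trimmed to the fields used here).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.0.2u",
         "purl": "pkg:generic/openssl@1.0.2u"},
        {"type": "operating-system", "name": "linux-kernel", "version": "3.10.108",
         "purl": "pkg:generic/linux-kernel@3.10.108"},
        {"type": "library", "name": "zlib", "version": "1.2.13",
         "purl": "pkg:generic/zlib@1.2.13"},
    ],
})

# Constructed KEV-style entries. IDs are placeholders, not real CVEs, and
# "affected_below" is an assumed field: the real CISA KEV catalog lists the
# exploited CVE and product but not the affected version range.
SAMPLE_KEV = [
    {"cveID": "CVE-2099-0001", "product": "openssl", "affected_below": "1.1.1"},
    {"cveID": "CVE-2099-0002", "product": "linux-kernel", "affected_below": "4.4.0"},
    {"cveID": "CVE-2099-0003", "product": "zlib", "affected_below": "1.2.12"},
]


def parse_version(version):
    """Turn '1.0.2u' into (1, 0, 2): leading digits of each dot-separated piece.

    Letter suffixes and pre-release tags are dropped; this is deliberately
    simple and should be replaced by the ecosystem's own version rules.
    """
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def version_below(version, bound):
    """True if version sorts strictly before bound, padding short tuples with 0."""
    a, b = parse_version(version), parse_version(bound)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def find_exploited(sbom_json, kev_entries):
    """Return one hit per (component, KEV entry) pair whose version is affected."""
    bom = json.loads(sbom_json)
    by_product = {}
    for entry in kev_entries:
        by_product.setdefault(entry["product"].lower(), []).append(entry)

    hits = []
    for component in bom.get("components", []):
        name = component.get("name", "").lower()
        version = component.get("version", "")
        for entry in by_product.get(name, []):
            if version_below(version, entry["affected_below"]):
                hits.append({
                    "component": name,
                    "version": version,
                    "purl": component.get("purl"),
                    "cveID": entry["cveID"],
                })
    return hits


def triage_report(hits):
    """Group hits by component so each one becomes a line item in the postmarket plan."""
    report = {}
    for hit in hits:
        key = f"{hit['component']}@{hit['version']}"
        report.setdefault(key, []).append(hit["cveID"])
    return {key: sorted(ids) for key, ids in sorted(report.items())}


if __name__ == "__main__":
    for item, ids in triage_report(find_exploited(SAMPLE_SBOM, SAMPLE_KEV)).items():
        print(f"{item}: {', '.join(ids)}")
```

Two caveats matter in practice. Matching by bare product name is the weakest link; real feeds should be joined on CPE or purl so "openssl" in the SBOM is not silently conflated with a differently packaged fork. And a KEV hit only says the vulnerability is exploited somewhere; whether it is a "controlled" or "uncontrolled" risk for the device still depends on reachability and the patient-safety assessment the episode discusses.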

    Listen on mdcpodcast.com · Watch on YouTube



    Want help applying this to your own device program?

    Blue Goat Cyber is a specialist medical device cybersecurity firm: 250+ FDA submissions, zero rejections. If anything in this conversation hit close to home, book a 30-minute strategy session - no cost, no obligation.


    Related services

    Put this into practice on your device

    Every Blue Goat Cyber engagement maps directly to FDA Section 524B and the SPDF - so the evidence you need lands in your submission, not in a separate report.

    Ready when you are

    Get FDA cleared without the cybersecurity headaches.

    30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ submissions.