
Published: November 30, 2025 · Last reviewed: May 1, 2026
Two significant cybersecurity gaps in medical devices are dispersed responsibility among stakeholders and the scarcity of accurate asset inventories. Dispersed responsibility means no single entity is fully accountable for security, leading to inconsistent vulnerability management and communication failures. The lack of asset inventory prevents manufacturers and regulators from effectively tracking devices, reporting vulnerabilities, or ensuring timely remediation, thereby increasing patient safety risks.
The medical device cybersecurity landscape has many challenges that create more risk and concern. Food and Drug Administration (FDA) regulators have been working to close them, updating guidelines again in June. “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” establishes more rules but doesn’t address what many experts say are the biggest gaps: dispersed responsibility and scarcity of asset inventory.
These issues specifically apply to devices that are resold or refurbished on the secondary market. In this environment, it’s still very much the Wild West. So, what could the industry do to manage these things more effectively so that risk dissipates instead of rising?
Key Takeaways
- Dispersed responsibility hinders clear accountability for device security.
- Lack of asset inventory prevents tracking and vulnerability disclosure.
- Legacy medical devices are especially vulnerable due to these gaps.
- Current FDA guidance primarily addresses new devices, not legacy systems.
- Effective cybersecurity requires collaboration and shared accountability.
- Traceability is essential for managing risks in medical device lifecycles.
Why this matters
The stakes are high when medical device cybersecurity gaps lead to patient harm. Dispersed responsibility and a scarcity of asset inventory create significant vulnerabilities, particularly for devices on the secondary market. When accountability is fragmented, critical security updates or vulnerability disclosures may not reach relevant parties, leaving devices susceptible to attack. The FDA's 'Cybersecurity in Medical Devices' Final Guidance, dated February 3, 2026, emphasizes the need for a total product lifecycle approach to cybersecurity.
Without a clear asset inventory, tracking devices, especially those refurbished or resold, becomes impossible for manufacturers and healthcare organizations. This hinders compliance with standards like IEC 81001-5-1 and AAMI TIR57, which require effective vulnerability management and risk assessment throughout a device's operational life. The inability to identify where a device is located or who operates it means that critical patches, security advisories, or recalls cannot be efficiently disseminated, directly impacting patient safety and exposing healthcare providers to operational and legal risks.
Medical Devices Don’t Have a Process for Identifying and Reporting Flaws on Legacy Systems
Currently, no established process exists for identifying and reporting issues with legacy devices. The reason has much to do with the fact that the device’s whereabouts are unknown.
If something occurs with a device in use that was approved years before the FDA’s sweeping changes requiring a software bill of materials (SBOM) or a patching workflow, there is nothing to be done: the information about the vulnerability or problem never reaches the manufacturer, regulators, or other stakeholders.
It is also a misconception that if a manufacturer finds a vulnerability in a device, they immediately notify all users of it. This would be impossible for the second-hand market because there’s no asset inventory list.
Is Creating Asset Inventory Listings Even Possible?
The solution would be to build one, but that would require many currently fragmented groups to work together. A sector-mapping system could deliver vulnerability information to those who actually use the devices.
Such a system would be a task force of sorts, involving:
- Identification of vulnerabilities or compromises
- Determining owners and operators
- Immediate remediation
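To make the three steps above concrete, here is an added example (not Blue Goat Cyber’s tooling and not an FDA process) of the lookup an asset inventory would enable: given a constructed advisory for a vulnerable software component and a constructed inventory of devices with SBOM entries, it matches the advisory to affected devices, groups them by current operator for notification, and separately reports affected devices whose operator is unknown, which is exactly the secondary-market case the article describes. All serials, model names, component names, operators and the advisory id are placeholders.

```python
"""
Illustrative asset-inventory lookup for routing a vulnerability advisory
to the current operators of affected medical devices.  Added, hypothetical
example: not Blue Goat Cyber's tooling and not an FDA process.  Device
records, SBOM entries and the advisory are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Component:
    name: str
    version: str


@dataclass
class DeviceRecord:
    serial: str
    model: str
    provenance: str                   # "original" or "refurbished"
    operator: Optional[str]           # None when the current operator is unknown
    sbom: List[Component] = field(default_factory=list)


@dataclass
class Advisory:
    advisory_id: str
    component: str
    fixed_in: str                     # versions below this are affected


def is_affected(device: DeviceRecord, advisory: Advisory) -> bool:
    """A device is affected if its SBOM lists the component at a version older than the fix."""
    fixed = parse_version(advisory.fixed_in)
    return any(
        c.name == advisory.component and parse_version(c.version) < fixed
        for c in device.sbom
    )


def route_advisory(inventory: List[DeviceRecord],
                   advisory: Advisory) -> Tuple[Dict[str, List[str]], List[str]]:
    """
    Returns (notifications, untraceable): notifications maps each known operator
    to the serials they must be told about; untraceable lists affected devices
    whose operator is unknown and therefore cannot be notified or remediated.
    """
    notifications: Dict[str, List[str]] = {}
    untraceable: List[str] = []
    for device in inventory:
        if not is_affected(device, advisory):
            continue
        if device.operator is None:
            untraceable.append(device.serial)
        else:
            notifications.setdefault(device.operator, []).append(device.serial)
    return notifications, untraceable


# Constructed sample inventory (placeholder serials, models and operators).
SAMPLE_INVENTORY = [
    DeviceRecord("SN-0001", "InfusionPump-X", "original", "Hospital A",
                 [Component("libtls", "1.2.0"), Component("rtos", "4.1")]),
    DeviceRecord("SN-0002", "InfusionPump-X", "refurbished", "Clinic B",
                 [Component("libtls", "1.2.0")]),
    DeviceRecord("SN-0003", "InfusionPump-X", "refurbished", None,      # resold; operator unknown
                 [Component("libtls", "1.1.9")]),
    DeviceRecord("SN-0004", "Monitor-Y", "original", "Hospital A",
                 [Component("libtls", "1.3.0")]),                       # already at fixed version
]

# Constructed sample advisory (placeholder id).
SAMPLE_ADVISORY = Advisory("ADV-EXAMPLE-001", "libtls", fixed_in="1.3.0")


if __name__ == "__main__":
    notes, lost = route_advisory(SAMPLE_INVENTORY, SAMPLE_ADVISORY)
    for operator, serials in notes.items():
        print(f"notify {operator}: {', '.join(serials)}")
    print("affected but untraceable:", lost)
```

The `untraceable` list is the point: the matching step works for every device, but remediation can only be dispatched for records that carry a current operator. A refurbished or resold unit whose operator field was never updated shows up as affected and unreachable, which is the gap an inventory initiative would have to close.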
The lack of an asset inventory initiative isn’t uncommon in critical infrastructure. A regulatory rule is in place for the Cybersecurity and Infrastructure Security Agency (CISA) to issue subpoenas to internet service providers (ISPs) to identify owners of vulnerable IT assets. However, it’s been used very sparingly.
Without defined guidance or parameters, the asset inventory issue looms for those devices in the secondary market. The equipment still has useful life left, so complete decommissioning isn’t prudent. It would also likely inflate costs, which would deter investment in medical devices from healthcare systems.
It also feeds into the other issue of dispersed responsibility.
Dispersed Responsibility in Medical Device Cybersecurity
Dispersed responsibility describes the challenge of security not being owned by a single entity. It is a burden shared across all parties: manufacturers, healthcare providers, regulatory agencies, and patients.
While postmarket medical device cybersecurity is a shared responsibility, this model creates considerable gaps, including:
- Security posture weaknesses, leaving systems more susceptible to cyberattacks
- Inconsistency in managing vulnerabilities because there’s no centralized process
- Lack of transparency
- Insufficient communication across stakeholders
- Patient safety risk
There is no single answer to dispersed responsibility, and it cannot be fixed by any one party, because it depends on everyone cooperating and collaborating. The FDA guidance does firm up these relationships going forward, but it doesn’t look back.
If the industry is actually going to improve the issues with legacy systems, it must develop best practices for their management as a whole and ensure everyone is accountable for their part. This may need to happen outside of the regulatory framework, as the FDA is increasingly overburdened and short-staffed.
Traceability of the devices is integral to managing emerging threats and risks. It behooves all stakeholders to work together on this to strengthen patient safety and ensure the continued use of a device in its second life.
Do you have questions about medical device cybersecurity gaps? We can help. Contact us today to get started.
How Blue Goat approaches this
Blue Goat Cyber addresses medical device cybersecurity gaps by clarifying responsibility and improving asset visibility. Our methodology centers on detailed asset discovery and lifecycle management, providing organizations with accurate inventories essential for effective vulnerability management. We help establish clear frameworks for accountability across the complex ecosystem of medical device stakeholders.
Our team, comprising certified professionals (CISSP, OSCP) and former military red team members, specializes in navigating the intricacies of medical device security. We assist manufacturers in meeting pre-market and post-market requirements, including those outlined in the FDA's 'Cybersecurity in Medical Devices' Final Guidance. We offer specialized services in areas like threat modeling and vulnerability assessment. If the FDA raises cybersecurity deficiencies after our submission, we resolve them at no additional cost. Learn more about our offerings at FDA Premarket Cybersecurity Services.
FAQ
What is dispersed responsibility in medical device cybersecurity?
Dispersed responsibility refers to the challenge where security ownership is distributed among multiple parties, including manufacturers, healthcare providers, and regulators. This often leads to fragmented efforts, inconsistent security postures, and communication gaps regarding medical device vulnerabilities.
How does a lack of asset inventory impact medical device security?
A scarcity of asset inventory means that the location and operational status of medical devices, especially those on the secondary market, are unknown. This prevents manufacturers from notifying users about vulnerabilities or applying patches, severely hindering effective risk management and remediation.
Does the FDA address these cybersecurity gaps?
The FDA's February 3, 2026 final guidance, "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions," establishes requirements for new device submissions. However, it does not fully address the unique challenges of dispersed responsibility and asset inventory for legacy devices already in the field or on the secondary market.
Why are legacy devices more vulnerable to these gaps?
Legacy devices often predate modern cybersecurity regulations, such as requirements for a software bill of materials (SBOM) or structured patching workflows. Without an established process for tracking their whereabouts or responsible party information, reporting and remediating vulnerabilities become nearly impossible for these older systems.
What are the consequences of these cybersecurity gaps?
These gaps can lead to significant patient safety risks, increased susceptibility to cyberattacks due to unaddressed vulnerabilities, and a lack of transparency among stakeholders. They also complicate efforts to maintain the security posture of medical devices throughout their entire lifecycle.
How can the industry improve medical device cybersecurity for legacy systems?
Improving cybersecurity for legacy systems requires collaborative initiatives among all stakeholders to establish asset inventory systems and foster shared accountability. Developing industry-wide best practices for managing older devices and enhancing traceability are critical steps outside of formal regulatory frameworks.
About the author
Christian Espinosa, CISSP, Founder, Blue Goat Cyber. Christian leads a team focused exclusively on medical device cybersecurity for FDA premarket submissions and postmarket compliance. Read more about Christian.