    Blog · Primer

    Two Medical Device Cybersecurity Gaps: Dispersed Responsibility and a Scarcity of Asset Inventory

    Two major medical device cybersecurity gaps - dispersed responsibility & missing asset inventories - fuel legacy and secondary-market risk. Learn how to close them.


    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber


    Reviewed by Trevor Slattery

    COO · Blue Goat Cyber

    Published: November 30, 2025 · Last reviewed: May 1, 2026


    The medical device cybersecurity landscape has many challenges that create more risk and concern. Food and Drug Administration (FDA) regulators have been working to close these gaps, updating their guidance again in June. “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” establishes more rules but doesn’t address what many experts say are the biggest gaps: dispersed responsibility and a scarcity of asset inventory.

    These issues specifically apply to devices that are resold or refurbished on the secondary market. In this environment, it’s still very much the Wild West. So, what could the industry do to manage these things more effectively so that risk dissipates instead of rising?

    Medical Devices Don’t Have a Process for Identifying and Reporting Flaws on Legacy Systems

    Currently, an established process for identifying and reporting issues with legacy devices doesn’t exist. The reason has much to do with the fact that the device’s whereabouts are unknown.

    If something occurs with a device that’s in use, and that device was approved years before the FDA’s sweeping changes requiring a software bill of materials (SBOM) and a patching workflow, there is no process to follow. The information about the vulnerability or problem doesn’t reach the manufacturer, regulators, or other stakeholders.

    It is also a misconception that if a manufacturer finds a vulnerability in a device, they immediately notify all users of it. This would be impossible for the second-hand market because there’s no asset inventory list.

    Is Creating Asset Inventory Listings Even Possible?

    The solution would be to build one, but that would require many currently fragmented groups to work together. A sector-mapping system could deliver vulnerability information to those who actually use the devices.

    Such a system would be a task force of sorts, involving:

    • Identification of vulnerabilities or compromises
    • Determining owners and operators of the affected devices
    • Immediate remediation
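    The three steps above only work if an inventory can map an affected device model and firmware range to a current owner or operator. The following is an added example, not code from the article or from Blue Goat Cyber: a minimal inventory lookup that routes a constructed advisory to the registered owners of affected devices and separately flags affected devices with no registered owner, which is the resold or refurbished case the article describes. The device models, serials, firmware versions, owners and the advisory id are all constructed placeholders.

```python
"""Added example (not from the article): route a vulnerability advisory to the
owners of affected devices using an asset inventory, and surface the devices
that cannot be notified because their owner was never registered.
All data below is constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Device:
    serial: str
    model: str
    firmware: str
    owner: Optional[str]    # None: resold/refurbished, owner never registered
    contact: Optional[str]  # notification channel, None when unknown


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    model: str
    min_affected: str  # first affected firmware (inclusive)
    fixed_in: str      # first firmware that carries the fix (exclusive)


def parse_version(version: str) -> tuple:
    """Turn a dotted version such as '2.3.1' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def is_affected(device: Device, adv: Advisory) -> bool:
    """A device is affected when model matches and firmware lies in the range."""
    if device.model != adv.model:
        return False
    fw = parse_version(device.firmware)
    return parse_version(adv.min_affected) <= fw < parse_version(adv.fixed_in)


def route_advisory(adv: Advisory, inventory: list) -> tuple:
    """Return (notifications, untracked).

    notifications: owner -> sorted list of affected serials to notify about
    untracked:     sorted serials of affected devices with no registered owner
    """
    notifications: dict = {}
    untracked: list = []
    for device in inventory:
        if not is_affected(device, adv):
            continue
        if device.owner is None:
            untracked.append(device.serial)
        else:
            notifications.setdefault(device.owner, []).append(device.serial)
    return {k: sorted(v) for k, v in notifications.items()}, sorted(untracked)


def notification_coverage(adv: Advisory, inventory: list) -> float:
    """Fraction of affected devices whose owner can actually be reached.

    Anything below 1.0 is the inventory gap the article describes: an
    advisory exists, but part of the fleet has nobody to deliver it to.
    """
    notifications, untracked = route_advisory(adv, inventory)
    reachable = sum(len(serials) for serials in notifications.values())
    total = reachable + len(untracked)
    return 1.0 if total == 0 else reachable / total


# Constructed sample inventory: two hospitals plus one resold pump with no owner.
INVENTORY = [
    Device("D-1001", "InfusionPumpX", "2.1.0", "Mercy General", "biomed@mercy.example"),
    Device("D-1002", "InfusionPumpX", "2.3.1", "Mercy General", "biomed@mercy.example"),
    Device("D-1003", "InfusionPumpX", "2.0.0", None, None),
    Device("D-1004", "MonitorY", "2.1.0", "Valley Clinic", "it@valley.example"),
    Device("D-1005", "InfusionPumpX", "1.9.5", "Valley Clinic", "it@valley.example"),
    Device("D-1006", "InfusionPumpX", "2.2.7", "Valley Clinic", "it@valley.example"),
]

# Constructed advisory id and firmware range; not a real advisory.
ADVISORY = Advisory("ADV-EXAMPLE-001", "InfusionPumpX", "2.0.0", "2.3.1")


if __name__ == "__main__":
    notify, missing = route_advisory(ADVISORY, INVENTORY)
    for owner, serials in notify.items():
        print(f"notify {owner}: {', '.join(serials)}")
    print(f"affected devices with no registered owner: {missing}")
    print(f"notification coverage: {notification_coverage(ADVISORY, INVENTORY):.0%}")
```

    In this sample the advisory reaches the two registered owners, but the resold pump D-1003 is affected and has no one to notify, so coverage is two out of three. That uncovered remainder is what a sector-mapping effort would have to close before step three, remediation, can happen for every device.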

    The lack of an asset inventory initiative isn’t uncommon in critical infrastructure. A regulatory rule is in place for the Cybersecurity and Infrastructure Security Agency (CISA) to issue subpoenas to internet service providers (ISPs) to identify owners of vulnerable IT assets. However, it’s been used very sparingly.

    Without defined guidance or parameters, the asset inventory issue looms for those devices in the secondary market. The equipment still has useful life left, so complete decommissioning isn’t prudent. It would also likely inflate costs, which would deter investment in medical devices from healthcare systems.

    It also feeds into the other issue of dispersed responsibility.

    Dispersed Responsibility in Medical Device Cybersecurity

    Dispersed responsibility characterizes the challenge of security not being owned by a single entity. It’s a shared burden across all parties - manufacturers, healthcare providers, regulatory agencies, and patients.

    While postmarket medical device cybersecurity is a shared responsibility, this model creates considerable gaps, including:

    • Security posture weaknesses, leaving systems more susceptible to cyberattacks
    • Inconsistency in managing vulnerabilities because there’s no centralized process
    • Lack of transparency
    • Insufficient communication across stakeholders
    • Patient safety risk

    There’s no single answer to dispersed responsibility, and no one party can fix it alone because everyone has to cooperate and collaborate. The FDA guidance does firm up these relationships going forward, but it doesn’t look back.

    If the industry is actually going to improve the issues with legacy systems, it must develop best practices for their management as a whole and ensure everyone is accountable for their part. This may need to happen outside of the regulatory framework, as the FDA is increasingly overburdened and short-staffed.

    Traceability of the devices is integral to managing emerging threats and risks. It behooves all stakeholders to work together on this to strengthen patient safety and ensure the continued use of a device in its second life.

    Do you have questions about medical device cybersecurity gaps? We can help. Contact us today to get started.

    Sources & references

    Primary sources cited in this article. Links open in a new tab.

    1. Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions — U.S. FDA