Key takeaways
- The FDA treats a legacy medical device as one cleared under its pre-September 2023 cybersecurity guidance; such devices typically lack modern security controls and are difficult to manage securely.
- The FDA is moving to a risk-based approach for legacy devices, distinguishing "uncontrolled risk" (unacceptable because of the potential for patient harm) from "controlled risk" (acceptable because the residual impact on patient safety is minimal).
- Manufacturers making changes unrelated to security on a legacy device may follow a reduced documentation pathway, provided they submit a risk assessment, a Software Bill of Materials (SBOM), and a postmarket management plan.
- Security-related changes to a legacy device, such as altering a communication protocol, will likely trigger the FDA's full, current cybersecurity submission requirements, which can amount to a redesign.
- A proactive, total-product-lifecycle approach to cybersecurity is essential, from initial design through disposal, including ongoing postmarket surveillance.
- Manufacturers should test legacy products proactively, for example through penetration testing, to identify vulnerabilities and turn the findings into concrete mitigations.
- Clearly communicating identified risks to healthcare organizations is crucial; it lets them deploy compensating controls such as network segmentation or firewalls to protect patients.
What options do MedTech manufacturers have to bring older devices up to modern cybersecurity standards? And how does the FDA's latest guidance change the process for updating legacy devices?
In this episode, Christian and Trevor break down the evolving challenges of managing cybersecurity for MedTech legacy devices. They explain how the FDA's recent guidance updates create new pathways for handling older devices without requiring full redesigns. Together, they walk through practical steps manufacturers can take - such as penetration testing and postmarket monitoring - to stay compliant and get ahead of security risks.
Key points:
(02:13) How the FDA defines legacy devices and why updates to older equipment pose unique challenges.
(03:47) Why simply replacing old devices isn’t realistic for many healthcare organizations.
(05:00) How encryption standards evolve and why older devices often can’t meet modern security expectations.
(06:25) The FDA’s distinction between controlled and uncontrolled risk.
(09:02) The FDA’s reduced burden pathway for legacy devices.
(11:07) Best practices for postmarket management plans.
Notable quotes
“Legacy devices are essentially considered anything that was cleared or just cleared—not approved—under previous guidance before September of 2023. This means that modern cybersecurity controls and guardrails have not been put into the device.”
“The FDA is looking at some pathways to try to bridge these devices closer and closer to modern requirements without needing to effectively redesign and start over.”
“Awareness of vulnerabilities must be made actionable by communicating risks to healthcare providers, enabling them to implement compensating controls like network segmentation.”
Blue Goat Cyber delivers FDA postmarket cybersecurity services for medical device manufacturers - from threat modeling to FDA-ready reports.
Keep listening
- Episode 52: Medical Device Cyber Failures Become Fatal
- Episode 49: How Cybersecurity Shapes Regulatory and Quality Success with Jim Goodmiller
- Episode 39: Medical Device Startups and Cybersecurity Challenges with Suzy Engwall
- Episode 38: Top 10 Medical Device Vulnerabilities with Myles Kellerman