Playbook · Legacy & Remediation

The Legacy Medical Device Cybersecurity Playbook

How to bring fielded legacy and end-of-support medical devices up to current FDA expectations without a full re-architecture - compensating controls, remediation tiers, and customer communications.

All playbooks

Updated May 2026 7 pages 16-min read Download PDF

Why this matters

Most fielded medical devices were not designed to meet the FDA's 2026 cybersecurity expectations. Pulling them all from the field is unrealistic; ignoring them is a regulatory and patient-safety risk. The middle path - structured remediation with compensating controls and honest customer communications - is what the FDA, hospitals, and patients expect.

Key takeaway: 'Legacy' is not a defense. The FDA expects manufacturers to actively manage cybersecurity risk for fielded devices throughout the total product lifecycle, regardless of when they were cleared.

Step 1 - Inventory and risk-rank your fielded fleet

Catalog every cleared SKU still in clinical use, with software/firmware versions
Map known CVEs against an SBOM (build one retroactively if needed)
Score each model: connectivity, patient-safety impact, install base, patchability
Group into tiers: Tier 1 (active patch), Tier 2 (mitigate), Tier 3 (EOL plan)

Step 2 - Compensating controls when you can't patch

Network segmentation guidance for hospital biomed teams
Disable unused services and ports in field configuration
Strengthen authentication where the device supports it
Add monitoring/alerting at the network layer (IDS signatures, syslog forwarding)
Document each control's effectiveness against the specific threat

Step 3 - Customer communications that build trust

Proactive advisory when a CVE materially affects fielded devices
Plain-language clinical impact statement (not just CVSS)
Concrete mitigation steps the hospital biomed team can apply today
Patch ETA or honest 'no patch planned - here's why and what to do'
Updated MDS2 form with current security posture

Step 4 - The EOL / EOS decision framework

Define End-of-Support criteria (age, exploit landscape, replacement availability)
Minimum 12-month customer notice with documented support sunset
Provide migration path to current-generation device
Document residual risk acceptance for customers who continue use

What's in the full PDF

Legacy device risk-assessment template (10 columns)
Compensating control catalog mapped to STRIDE categories
EOL communication template - letter + biomed bulletin
Tiered remediation roadmap with example timelines
What FDA reviewers expect to see in a postmarket report on legacy devices

Want the full 7-page playbook?

Includes every checklist, table, and template - formatted for printing and sharing.

Download PDF

What's inside

Legacy device risk assessment template
Tiered remediation: monitor / mitigate / patch / replace
Compensating control catalog by threat
End-of-support communication template
What FDA expects when you can't fully patch

Get the next playbook

Subscribe to The Monthly Pulse for new playbooks, FDA updates, and field notes.

Other playbooks

Ready when you are

Get FDA cleared without the cybersecurity headaches.

30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ submissions.

Book strategy session Explore services