
Legacy Medical Devices and Cybersecurity


Legacy Medical Device Cybersecurity: Why Doing Nothing Is No Longer an Option

Medical devices weren’t built to last 20+ years, but many do. Infusion pumps, imaging systems, patient monitors—equipment that hospitals rely on daily—can remain in clinical use for decades.

When these devices were designed, cybersecurity wasn’t even a consideration. They run outdated operating systems that can’t be updated, use insecure communication protocols, and lack the basic security features that are now expected of any medical device that wants to remain on the market.

For years, this wasn’t a problem. Legacy devices operated in isolated environments, disconnected from networks and the internet. But healthcare has changed.

Hospitals now rely on connected devices for electronic health record management, remote monitoring, and data integration. The same legacy equipment that was safe in isolation has become a cybersecurity liability.

Medical Device Cybersecurity Standards Are Here

The regulatory landscape has fundamentally shifted. Section 524B of the Federal Food, Drug, and Cosmetic Act now grants the FDA authority to establish and enforce cybersecurity requirements specifically for “cyber devices”—medical devices that include software, can connect to the internet, and are vulnerable to cyber threats.

At the same time, IEC 81001-5-1 represents one of the most significant medical device cybersecurity standards to emerge in recent years. Tailored specifically for medical devices and health IT software, it’s already mandated in Japan and is gaining rapid traction in Europe and North America.

The FDA recognizes IEC 81001-5-1 as a consensus standard and strongly recommends conformance to it as a supplement to its existing cybersecurity guidance, and it has signaled its intention to require manufacturers to integrate cybersecurity into regulatory submissions.

Here’s what this means: cybersecurity is no longer optional.

FDA Medical Device Cybersecurity Requirements Under Section 524B

Understanding FDA medical device cybersecurity requirements is now critical for manufacturers. Section 524B grants the FDA authority to establish and enforce cybersecurity requirements for cyber devices. Manufacturers submitting premarket applications must demonstrate:

  1. A postmarket vulnerability management plan: How they’ll monitor for, identify, and address cybersecurity vulnerabilities and exploits promptly.
  2. Secure development processes: Implementation of security throughout the entire product lifecycle.
  3. A Software Bill of Materials (SBOM): Complete transparency about commercial, open-source, and off-the-shelf software components.

But here’s the challenge for manufacturers still supporting legacy devices: The FDA’s cybersecurity guidance provides limited direction on how to bring legacy devices into compliance when modifications trigger Section 524B requirements.

The Reality of Legacy Device Compliance

Legacy medical device cybersecurity presents a seemingly impossible dilemma. These devices often run outdated operating systems, can’t be easily patched due to regulatory constraints, and may use insecure protocols—but they’re critical to patient care and represent massive capital investments that healthcare organizations can’t simply discard.

The Regulatory Pressure Is Intensifying

Section 524B requirements apply to all premarket submissions—including 510(k), PMA, De Novo, and HDE applications—for devices that meet the definition of a “cyber device.” This includes special and abbreviated 510(k)s as well as PMA and HDE supplements.

The law doesn’t apply retroactively to devices authorized before March 29, 2023. However, if a manufacturer makes changes to a previously authorized cyber device that require premarket review, Section 524B requirements apply to that new submission. This means software updates, supplier changes, or new components may trigger compliance requirements, pulling legacy devices into Section 524B territory.

This creates a complex situation. Even devices that avoid Section 524B requirements still face obligations under quality system regulations and risk management expectations. Healthcare delivery organizations, meanwhile, must manage the risks of using unsupported devices through network segmentation, compensating controls, or eventual replacement.

The Path Forward: Remediation or Retirement?

Companies face two primary options for addressing legacy medical device cybersecurity:

  • Option 1: Remediation and Compliance
    Bring legacy devices up to current FDA cybersecurity standards and IEC 81001-5-1 requirements through system upgrades, process improvements, and ongoing monitoring.
  • Option 2: Planned Retirement
    Evaluate the total cost of compliance versus replacement, develop a retirement strategy, and transition to newer, inherently more secure devices.

Most organizations will likely pursue a hybrid approach—remediating devices where financially and technically feasible, while developing retirement timelines for devices where compliance costs exceed replacement costs.

IEC 81001 Cybersecurity: A Framework for Compliance

IEC 81001-5-1 is a cybersecurity standard specifically developed for medical devices and health IT software. Released in 2021, it’s already mandatory in Japan and gaining traction in Europe and North America as regulators seek clear frameworks for medical device security.

The FDA has indicated strong support for this standard and encourages manufacturers to incorporate it into their development processes. For companies with legacy devices, understanding how this standard applies—or doesn’t apply—to older equipment is becoming increasingly important as regulatory expectations evolve.

For systems released prior to publication of IEC 81001-5-1, Annex F provides guidance on how medical device manufacturers can bridge the gaps between their current system documentation and what is expected from a security standpoint. Understanding these activities can help manufacturers make the risk-driven decision to either remediate or retire their legacy systems.

Building Your Legacy Device Compliance Strategy

Navigating cybersecurity compliance for medical devices requires deep expertise in both regulatory requirements and technical implementation. Organizations need support in:

  • Compliance gap analysis: Assessing current devices against FDA Section 524B and IEC 81001-5-1 requirements.
  • Remediation strategy development: Creating technically and financially viable paths to compliance for legacy devices.
  • Retirement planning: Evaluating when device replacement makes more sense than remediation.
  • System and process implementation: Establishing vulnerability management programs, secure development lifecycles, and ongoing monitoring systems.
  • Regulatory submission support: Preparing documentation for FDA submissions that demonstrate reasonable assurance of cybersecurity.

Get Expert Help With Your Cybersecurity Strategy

CMD specializes in helping medical device manufacturers and healthcare organizations navigate these complex compliance challenges. Our team brings deep expertise in both regulatory requirements and technical implementation, allowing us to develop practical solutions that balance compliance with operational realities.

Whether you need to evaluate your current devices, develop a remediation roadmap, or prepare for FDA submissions, we have the experience to guide you through every step of the process while maintaining operational continuity and patient safety. Contact CMD MedTech to discuss how we can help you evaluate your options and develop a practical compliance strategy.