Cybersecurity for Legacy Devices

Legacy medical devices play a crucial role in healthcare, and removing them from service may pose a greater risk to patient safety, clinical operations, and financial stability than leaving them in place. The challenging task of “securing” these legacy devices is therefore paramount. It must be recognized that overall management of the risk is a joint responsibility throughout a device’s lifespan. Understanding the scope and financial aspects from both the Medical Device Manufacturer (MDM) and Health Delivery Organization (HDO) perspectives is crucial for informed decision-making by both parties, particularly in ensuring the security of these legacy devices.

What is a legacy medical device? A legacy medical device is one that cannot reasonably defend against current cybersecurity threats. This category encompasses devices that have exceeded their declared end of support or end of life and often lack the capacity to address contemporary cyber risks. The key words to consider are reasonably and current cybersecurity threats (i.e., not the cybersecurity threats that existed when the device was initially released to market).

The Healthcare and Public Health Sector Coordinating Council (HSCC) and International Medical Device Regulators Forum (IMDRF) working groups have done valuable work in identifying the challenges posed by legacy medical devices and providing recommendations, frameworks, and processes to address them. Nonetheless, some challenges and gaps remain in implementing those recommendations. The FDA partnered with MITRE to produce the Next Steps toward Managing Legacy Medical Device Cybersecurity Risks white paper, which focuses on near-term solutions and provides advice on operationalizing key recommendations that attempt to address these challenges. Download the report: MITRE-PR-23-3695-Managing-Legacy-Medical-Device Cybersecurity-Risks

Recommendations from the report:

Developing Shared Responsibility over the Medical Device Lifecycle

1. Pilot data collection to support decision making for legacy device risk management

2. Develop information sharing agreement templates to increase transparency

3. Establish a security architecture working group

4. Develop a research program in modular design for medical devices

Vulnerability Management Study

5. Conduct a study on vulnerability management coordination

Workforce Development

6. Develop competency models for roles related to legacy cyber risk management

7. Identify resources for workforce development

Mutual Aid Partnerships

8. Participate in mutual aid partnerships

What is Threat Modeling? See our post: MITRE Threat Modeling Playbook

SoftwareCPR Training Courses:

IEC 62304 and other emerging standards for Medical Device and HealthIT Software

Our flagship course prepares regulatory, quality, engineering, operations, and other staff for the activities and documentation expected for IEC 62304 conformance and for FDA expectations. The goal is to educate on the intent and purpose of the standard so that participants are able to make informed decisions in the future. The focus is not simply on what the standard says, but on what is meant, with discussion of examples and approaches one might implement to comply. Special deep discount pricing is available to FDA attendees and other regulators.

3-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Brian Pate

Next public offering:  TBD

Email to request a special pre-registration discount. A limited number of pre-registration coupons is available.

Registration Link:
Being Agile & Yet Compliant (Public or Private)

Our training course on SoftwareCPR's unique approach to incorporating agile and lean engineering into your medical device software process is now open for scheduling!

  • Agile principles that align well with medical
  • Backlog management
  • Agile risk management
  • Incremental and iterative software development lifecycle management
  • Frequent release management
  • And more!

2-days onsite (4 days virtual) with group exercises, quizzes, examples, Q&A.

Instructors: Mike Russell, Ron Baerg

Next public offering: March 7 & 28, 2024

Virtual via Zoom

Registration Link:

Medical Device Cybersecurity (Public or Private)

This course takes a deep dive into US FDA expectations for cybersecurity activities in the product development process, with a central focus on the cybersecurity risk analysis process. The overall approach is tied to relevant standards and FDA guidance documentation. The course follows the ISO 14971:2019 framework for its overall structure but uses IEC 62304, IEC 81001-5-1, and AAMI TIR57 for specific details regarding cybersecurity planning, risk characterization, threat modeling, and control strategies.

2-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Dr. Peter Rech, 2nd instructor (optional)

Next public offering:  TBD

Corporate Office

15148 Springview St.
Tampa, FL 33624
Partners located in the US (CA, FL, MA, MN, TX) and Canada.