Concise Cyber


The Unpatchable Problem: Managing Cybersecurity Risks in Legacy Medical Devices

Many medical devices vital to patient care operate for decades, and their operational lifespan often exceeds the support lifecycle of their embedded software. This creates a class of devices known as legacy systems, which can no longer receive security patches from their manufacturers. These devices frequently run on unsupported operating systems with well-documented vulnerabilities, presenting a persistent challenge for healthcare cybersecurity.

The continued use of these unpatchable devices is a matter of operational reality for many healthcare delivery organizations (HDOs). The high cost and logistical complexity of replacing major equipment, such as MRI machines or CT scanners, means they remain in service long after their software is considered obsolete.

The Scope of the Vulnerability in Healthcare

Legacy medical devices are prevalent across the healthcare industry, performing critical functions in diagnostics, treatment, and patient monitoring. The inability to patch their software leaves them exposed to known security flaws that attackers can exploit. This situation is not theoretical; it is a documented state of infrastructure within many hospitals and clinics. The core issue is that while the hardware remains functional for patient care, the underlying software becomes a fixed liability from a security perspective. This requires HDOs to shift from a patch-based security model to one based on risk acceptance and mitigation.

Established Risk Mitigation Strategies

In response to the inability to patch, cybersecurity professionals and HDOs implement a series of compensating controls to manage the associated risks. The primary strategy is network segmentation. This involves isolating legacy devices onto their own protected network segments, restricting inbound and outbound communication to only what is absolutely necessary for their function. This practice limits the device’s exposure to threats originating from the broader hospital network or the internet.

Another key practice is robust asset management. Maintaining a comprehensive and accurate inventory of all networked devices, their operating systems, software versions, and manufacturer support status allows security teams to identify and prioritize risks effectively. HDOs also deploy additional security layers, such as dedicated firewalls, intrusion detection systems, and strict access controls, to protect these vulnerable assets. These measures create barriers to limit the exploitability of the underlying software flaws.
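As an added illustration of the two controls described above (network segmentation and support-aware asset management), the following Python sketch is not code from the article or from the interview it summarizes. It keeps a small device inventory with manufacturer support dates, evaluates flows to and from a legacy segment against a default-deny allowlist, and ranks findings so that an unsupported device sitting outside its isolated segment is surfaced first. Every device name, IP address, segment name, port and support date in it is constructed for the example, apart from the published Windows XP (2014-04-08) and Windows 7 (2020-01-14) end-of-support dates.

```python
"""Added example, not part of the original article: inventory with support
status plus a default-deny segmentation check for legacy medical devices.
Devices, segments, ports and most dates below are constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    segment: str                 # VLAN / network zone the device lives in
    os: str
    support_end: Optional[date]  # manufacturer support end; None = not yet confirmed


def support_status(dev: Device, today: date) -> str:
    """Classify manufacturer support as 'supported', 'unsupported' or 'unknown'."""
    if dev.support_end is None:
        return "unknown"
    return "supported" if dev.support_end >= today else "unsupported"


# Allowlist of (source segment, destination segment, port). Everything not
# listed is denied, so the legacy imaging zone only reaches a clinical relay
# host and is only reached from a management jump host. All values constructed.
ALLOWED_FLOWS = {
    ("legacy-imaging", "clinical-relay", 104),  # DICOM from modality to relay
    ("clinical-relay", "legacy-imaging", 104),  # DICOM replies / worklist
    ("mgmt", "legacy-imaging", 22),             # administrative access only
}


def flow_allowed(src_segment: str, dst_segment: str, port: int) -> bool:
    """Default-deny evaluation of one inter-segment flow against the allowlist."""
    if src_segment == dst_segment:
        return True  # intra-segment traffic is outside this policy's scope
    return (src_segment, dst_segment, port) in ALLOWED_FLOWS


def findings(devices: List[Device], today: date) -> List[Tuple[int, str, str]]:
    """Return (severity, device name, finding) tuples, most urgent first.

    Severity 1: unsupported OS and the device is NOT in a legacy-* segment,
                i.e. the compensating control of segmentation is missing.
    Severity 2: support status unknown, so the risk cannot be assessed yet.
    Severity 3: unsupported OS but isolated; relies on compensating controls.
    """
    out: List[Tuple[int, str, str]] = []
    for dev in devices:
        status = support_status(dev, today)
        isolated = dev.segment.startswith("legacy-")
        if status == "unsupported" and not isolated:
            out.append((1, dev.name, f"unsupported OS ({dev.os}) outside a legacy segment"))
        elif status == "unknown":
            out.append((2, dev.name, "support status not confirmed with manufacturer"))
        elif status == "unsupported":
            out.append((3, dev.name, f"unsupported OS ({dev.os}); isolated, monitor controls"))
    out.sort(key=lambda f: f[0])  # stable sort keeps inventory order within a severity
    return out


# Constructed inventory. The XP and Windows 7 dates are the published
# end-of-support dates; the other two dates are placeholders.
INVENTORY = [
    Device("mri-01", "10.50.1.10", "legacy-imaging", "Windows 7", date(2020, 1, 14)),
    Device("ct-02", "10.10.3.22", "clinical", "Windows XP", date(2014, 4, 8)),
    Device("infusion-07", "10.20.5.5", "clinical", "vendor RTOS", None),
    Device("ultrasound-03", "10.10.3.40", "clinical", "Windows 10 IoT", date(2030, 1, 1)),
]


if __name__ == "__main__":
    today = date(2025, 10, 28)
    for severity, name, text in findings(INVENTORY, today):
        print(f"[sev {severity}] {name}: {text}")
    print("legacy -> internet:443 allowed?", flow_allowed("legacy-imaging", "internet", 443))
```

The ordering in `findings` encodes the article's point: an unsupported device that has not been moved into its isolated segment is the gap to close first, because segmentation is the control standing in for the patch that will never arrive.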

Source: https://www.helpnetsecurity.com/2025/10/28/patty-ryan-quidelortho-legacy-medical-devices-cybersecurity/