Legacy Device Cybersecurity
Cybersecurity considerations for medical devices that cannot be reasonably protected against current threats.
Reviewed by Christian Espinosa, Founder, Blue Goat Cyber. Last reviewed May 5, 2026.
Definition
A legacy medical device is one that cannot be reasonably protected against current cybersecurity threats, typically because the underlying OS or platform is unsupported (e.g., Windows XP/7, embedded RTOS without an update path), the device cannot accept patches, or the manufacturer has ended support. IMDRF/CYBER WG/N73 (2023) defines the term and frames a shared-responsibility model among manufacturers, healthcare delivery organizations (HDOs), and other stakeholders.
What the regulation says
FDA's 2023 guidance and IMDRF N73 both expect manufacturers to publish end-of-support timelines and to communicate clearly to operators when a device transitions to legacy status. HDOs are expected to apply compensating controls (network segmentation, monitoring) for legacy devices that remain in clinical use.
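The shared-responsibility split above (manufacturer declares legacy status; HDO applies compensating controls) is easiest to operationalize against an asset inventory. The following is an added example, not code from this page or from Blue Goat Cyber: it applies the page's three legacy criteria (unsupported platform, no patch path, manufacturer support ended) to a constructed inventory and reports, for each legacy device, which expected compensating controls (segmentation, monitoring) are missing. The `Device` fields, the `triage` functions and the sample assets are assumptions made for the example; the platform end-of-support dates used in the sample are the public Windows 7 and Windows 10 dates.

```python
"""Legacy-device triage over a constructed HDO device inventory (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Device:
    asset_id: str
    model: str
    platform: str
    platform_eos: Optional[date]  # OS/platform end of support; None = still supported
    vendor_eos: Optional[date]    # manufacturer end-of-support date; None = not announced
    patchable: bool               # can the device accept security patches at all?
    segmented: bool               # isolated in a dedicated clinical VLAN / firewall zone
    monitored: bool               # traffic and logs feed the SOC


def legacy_reasons(d: Device, today: date) -> List[str]:
    """Return why the device counts as legacy; an empty list means it is not legacy.

    Follows the IMDRF N73 framing used on the page: unsupported platform,
    no patch path, or manufacturer support ended.
    """
    reasons: List[str] = []
    if d.platform_eos is not None and d.platform_eos <= today:
        reasons.append(f"platform '{d.platform}' unsupported since {d.platform_eos.isoformat()}")
    if not d.patchable:
        reasons.append("device cannot accept patches")
    if d.vendor_eos is not None and d.vendor_eos <= today:
        reasons.append(f"manufacturer support ended {d.vendor_eos.isoformat()}")
    return reasons


def control_gaps(d: Device) -> List[str]:
    """Compensating controls the HDO is expected to have for a legacy device."""
    gaps: List[str] = []
    if not d.segmented:
        gaps.append("not network-segmented")
    if not d.monitored:
        gaps.append("not monitored")
    return gaps


def triage(inventory: List[Device], today: date) -> Dict[str, Dict[str, List[str]]]:
    """Map asset_id -> {'legacy_reasons': [...], 'control_gaps': [...]} for legacy devices only."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for d in inventory:
        reasons = legacy_reasons(d, today)
        if reasons:
            report[d.asset_id] = {"legacy_reasons": reasons, "control_gaps": control_gaps(d)}
    return report


# Constructed sample inventory: hypothetical assets, not real devices.
SAMPLE_INVENTORY: List[Device] = [
    Device("CT-01", "CT scanner", "Windows 7", date(2020, 1, 14), None, False, True, True),
    Device("PUMP-17", "Infusion pump", "Embedded RTOS", None, date(2024, 6, 30), False, False, False),
    Device("LAB-03", "Lab analyzer", "Windows 10", date(2025, 10, 14), None, True, True, False),
    Device("MON-22", "Patient monitor", "Linux", None, None, True, True, True),
]


def triage_sample(today_iso: str = "2026-05-05") -> Dict[str, Dict[str, List[str]]]:
    """Run the triage over the sample inventory as of the given ISO date."""
    return triage(SAMPLE_INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for asset, findings in triage_sample().items():
        print(asset, findings)
```

The date parameter matters: a device that is fully supported today becomes legacy on its platform's end-of-support date without any change to the asset itself, so the check is worth re-running on a schedule rather than once at procurement.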
What this means in practice
Legacy devices are ubiquitous in hospitals (imaging systems, infusion pumps, lab analyzers) and are repeatedly implicated in ransomware incidents. The right response is a documented end-of-life plan, transparent communication to operators, and a path to a supported replacement, not silent obsolescence.
Common pitfalls
- Letting devices age into legacy status without notifying operators or providing compensating-control guidance.
- Assuming HDO network segmentation alone substitutes for manufacturer responsibility.
- Continuing to sell new units of a device that can no longer be patched.
Frequently asked questions
Per IMDRF N73, a device becomes legacy when it can no longer be reasonably protected against current threats, typically tied to the end of OS/platform support. The manufacturer should declare and communicate the date.
Primary references
1. IMDRF/CYBER WG/N73 (2023), IMDRF, imdrf.org
2. FDA Cybersecurity Guidance (Sept 2023), FDA, fda.gov
3. HSCC - Health Sector Coordinating Council, HSCC, healthsectorcouncil.org