Legacy medical devices are susceptible to exploitation, jeopardizing patient safety, given their average life span of 15+ years.
October 27, 2025
By: Seyed Khorashahi
Principal at LSC Group
By: Joseph Silvia
Chief Executive Officer at Medware Cyber
The rapid advancement of technology used in connected medical devices has greatly improved patient care. However, the same advanced technology has also expanded the attack surface and poses an unprecedented cybersecurity challenge that affects patient safety and the operational resilience of healthcare delivery organizations (HDOs). In recent years, the healthcare sector, including orthopedic medical device manufacturers and providers, has experienced a growing number of serious cybersecurity incidents. These incidents can have significant consequences, including patient data breaches and disruption of patient care.
RunSafe Security’s “2025 Medical Device Cybersecurity Index” surveyed 605 healthcare executives across the U.S., UK, and Germany who are involved in medical device purchasing and familiar with their organization’s cybersecurity protocols. Findings show:
Furthermore, the data from the same survey shows:
Legacy medical devices are susceptible to exploitation, jeopardizing patient safety, given their average life span of 15+ years, while cybersecurity threats evolve much faster. The challenges with legacy medical devices include outdated technology, resource constraints, and interoperability issues. Many legacy devices also lack robust security features and are difficult to update. Most legacy devices were created before many present-day threats existed, and the design of their hardware and/or software limits the mitigations that can be applied.
Regulatory authorities such as the U.S. Food and Drug Administration (FDA) are responsible for assuring the safety, effectiveness, and security of medical devices. This requirement is independent of the device’s time on the market, whether legacy or newly launched. FDA also recognizes that medical device security is a shared responsibility among stakeholders throughout the use environment of the medical device system, including health care facilities, patients, health care providers, and manufacturers of medical devices. The primary purpose of cybersecurity is to enforce confidentiality, integrity, and availability, known as the CIA triad. Failure to protect the confidentiality of information will result in HIPAA non-compliance, reputational damage, and potential litigation. Failure to protect the integrity and availability of information will lead to patient safety issues. This article will review several common elements of cybersecurity and unpack how to protect your legacy medical devices, including:
Secure Product Development Lifecycle
ANSI/ISA 62443-4-1 Security for industrial automation and control systems Part 4-1: Product security development life-cycle requirements is an FDA-recognized consensus standard. Key practices within the standard include security management, specification of security requirements, secure design principles, and continuous improvement strategies. Organizations with legacy devices are encouraged to adopt a defense-in-depth approach, which involves multi-layered security defense measures to protect against various threats.
Threat modeling is a process to identify threats and vulnerabilities across the medical device ecosystem. This includes defining risk controls to prevent, mitigate, monitor, or respond to the effects of threats throughout the lifecycle of the medical device. The FDA recommends that threat models should:
The MITRE Playbook for Threat Modeling Medical Devices was originally designed by the Medical Device Innovation Consortium (MDIC) and is used for modeling medical devices within regulatory standards. This Playbook was created in collaboration with FDA, select industry thought leaders, and industry participants. It is a broad vision of the responsibilities needed for incident response, security protocol, product development, and other cyber hygiene programs.
The MITRE playbook is a structured method for implementing threat-informed defense strategies across the cybersecurity lifecycle, consisting of:
The following four questions form the core of Adam Shostack’s approach to threat modeling, as introduced in his book Threat Modeling: Designing for Security (published in 2014) and later adopted into the MITRE playbook.
The STRIDE model is a second framework that can support medical device software developers with threat enumeration. Six concepts make up the STRIDE acronym, each of which is critical to medical device cybersecurity:
Incorporating the STRIDE Model into the medical device development process can provide software developers with a systematic approach to threat enumeration, ultimately leading to more secure and resilient devices that safeguard patient safety and data.
Microsoft also developed a model for risk assessment called DREAD. The DREAD name comes from the initials of the five categories listed below:
Following is an example template for summarization of the threat modeling utilizing STRIDE and DREAD:
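As an added illustration of such a summary template (example code written for this article, not the authors’ template or any regulatory form), the following Python snippet records each threat with its STRIDE category and the five standard DREAD ratings (Damage, Reproducibility, Exploitability, Affected users, Discoverability), computes the classic DREAD score as the mean of the five ratings, and ranks the threats. The device, components and ratings are constructed for a hypothetical legacy device and are illustrative only.

```python
from dataclasses import dataclass

# The six STRIDE threat categories (standard expansion of the acronym).
STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass
class Threat:
    """One row of a STRIDE/DREAD summary table."""
    component: str      # device element the threat applies to
    stride: str         # one of the STRIDE letters above
    description: str
    # DREAD categories, each rated 1 (low) to 10 (high)
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def dread_score(self) -> float:
        """Classic DREAD risk score: mean of the five category ratings."""
        return (self.damage + self.reproducibility + self.exploitability
                + self.affected_users + self.discoverability) / 5


def rating(score: float) -> str:
    """Coarse band used to prioritise mitigations (thresholds are assumed)."""
    return "High" if score >= 7 else "Medium" if score >= 4 else "Low"


def rank_threats(threats):
    """Return (component, STRIDE name, score, band), highest score first."""
    ranked = sorted(threats, key=lambda t: t.dread_score(), reverse=True)
    return [(t.component, STRIDE[t.stride], round(t.dread_score(), 1),
             rating(t.dread_score())) for t in ranked]


# Constructed sample register for a hypothetical legacy orthopedic navigation unit.
SAMPLE = [
    Threat("Maintenance port", "E", "Network service reachable without authentication", 9, 9, 8, 6, 5),
    Threat("Firmware update path", "T", "Update image not signature-checked", 10, 7, 5, 8, 3),
    Threat("Audit log", "R", "Local log can be cleared without trace", 4, 8, 6, 3, 4),
]

if __name__ == "__main__":
    for row in rank_threats(SAMPLE):
        print(row)
```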
The following are all the risk controls recommended by FDA:
Cybersecurity testing is the method utilized to ensure effectiveness of risk mitigations and implementation of security requirements. This includes:
Security Requirements: Provide objective evidence that all security requirements of the device have been implemented successfully.
Threat Mitigation: Provide objective evidence that all cybersecurity risk controls effectively mitigate the identified risks.
SAST: Static application security testing analyzes source code to detect security vulnerabilities. Perforce Klocwork SAST is an example of a widely used static analysis tool that performs a symbolic execution of the source code to identify defects and security vulnerabilities.
DAST: Dynamic application security testing simulates real-world attacks to examine system responses in production-like environments. Checkmarx DAST is an example of a tool that helps identify runtime vulnerabilities.
Penetration Testing (Pen Testing): A simulated system penetration test performed by independent internal or external tester(s) to discover and exploit security vulnerabilities in the device.
Manufacturers of cyber-enabled devices are required to create a postmarket cybersecurity risk management process. This process monitors cybersecurity signals (input), triggers actions in response, and produces outputs that maintain the safety and effectiveness of the device. The postmarket cybersecurity risk management process is paramount to keeping legacy devices secure. An example of this input/action/output model includes:
Input—Cybersecurity signals
Action—Triggered by cybersecurity signals
Output—Pro-active & transparent enhanced cybersecurity
The definition of an SBOM, as written in U.S. Executive Order (EO) 14028, is a “formal record” containing the details and dependencies of the various components used in building medical device software. This applies to both Software as a Medical Device (SaMD) and Software in a Medical Device (SiMD). The SBOM includes open source, commercial off-the-shelf (COTS), and custom (bespoke) software components and is created when the software is released. SBOMs are crucial for improving transparency and cybersecurity and for reinforcing supply chain security. Vulnerability information for listed components can potentially be found in the National Vulnerability Database (NVD). SBOMs are living documents throughout the lifespan of the product and are updated as information becomes available. Accurate SBOM documentation benefits Healthcare Delivery Organizations, Medical Device Manufacturers, and regulatory bodies by enhancing security.
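To show how an SBOM feeds the postmarket input/action/output loop described above, here is an added example (written for this article, not code from the authors or from any SBOM tool): it loads a constructed CycloneDX-style SBOM for a hypothetical legacy device, compares each component’s version against a constructed advisory feed (placeholder advisory IDs, not real NVD records), and maps every match to an illustrative postmarket action. The version-ordering helper and the severity-to-action mapping are assumptions for the example.

```python
import json

# Constructed minimal CycloneDX-style SBOM for a hypothetical legacy device.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "1.0.2k"},
    {"type": "library", "name": "zlib", "version": "1.2.11"},
    {"type": "operating-system", "name": "example-rtos", "version": "4.2.0"}
  ]
}
"""

# Constructed advisory feed (the "input" signal); IDs are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "component": "openssl", "fixed_in": "1.0.2u", "severity": "HIGH"},
    {"id": "EXAMPLE-ADV-002", "component": "zlib", "fixed_in": "1.2.11", "severity": "MEDIUM"},
    {"id": "EXAMPLE-ADV-003", "component": "busybox", "fixed_in": "1.30.0", "severity": "HIGH"},
]


def version_key(v: str):
    """Turn '1.0.2k' into ((1,''),(0,''),(2,'k')) so numeric parts compare as numbers
    and a letter suffix breaks ties (assumed ordering, adequate for this example)."""
    parts = []
    for piece in v.split("."):
        num = "".join(ch for ch in piece if ch.isdigit())
        parts.append((int(num) if num else 0, piece[len(num):]))
    return tuple(parts)


def match_sbom(sbom_json: str, advisories):
    """Return SBOM components whose installed version is below an advisory's fix version."""
    comps = {c["name"]: c["version"] for c in json.loads(sbom_json)["components"]}
    hits = []
    for adv in advisories:
        ver = comps.get(adv["component"])
        if ver is not None and version_key(ver) < version_key(adv["fixed_in"]):
            hits.append({"advisory": adv["id"], "component": adv["component"],
                         "installed": ver, "fixed_in": adv["fixed_in"],
                         "severity": adv["severity"]})
    return hits


def triage(hits):
    """Map each hit to the postmarket action it triggers (illustrative mapping)."""
    action = {"HIGH": "assess patient-safety impact; issue customer advisory",
              "MEDIUM": "schedule fix in next maintenance release"}
    return [(h["advisory"], action.get(h["severity"], "record and monitor")) for h in hits]
```

Only openssl is flagged: zlib already sits at the fixed version and busybox is not in this SBOM, which is exactly the filtering an accurate SBOM makes possible.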
Because updates are difficult to apply to outdated products, legacy medical devices pose many cybersecurity challenges in meeting FDA’s expectations to protect confidentiality, integrity, and availability. The FDA guidance documents apply to both newly launched and legacy medical devices to ensure the safety and effectiveness of these products in their environment of use. Performing threat modeling, utilizing cybersecurity testing techniques, and monitoring all play a crucial role in achieving a more effective security posture for legacy devices. The Software Bill of Materials (SBOM) also plays a key role in helping medical device manufacturers and health delivery organizations identify and address cybersecurity threats more effectively. Health Delivery Organizations (HDOs) have often used compensating controls such as firewall rules and intrusion prevention systems. Additionally, HDOs isolate legacy medical devices from critical systems to prevent unauthorized access. With these security monitoring tools in place, suspicious activity can be detected.
Seyed Khorashahi is principal at LSC Group, a medical device consulting firm based in Boulder, Colo. LSC Group supports life science industry clients who need cradle-to-grave regulatory compliance expertise.
Joseph Silvia is chief executive officer at Medware Cyber, a cybersecurity firm based in Boston, Mass. Medware Cyber specializes in security throughout the entire medical device lifecycle, from design and development to disposal.