Legacy Medical Devices: Tackling Cybersecurity Concerns
- Rajesh Kanungo
- Sep 16
- 2 min read
Updated: Sep 19
Under the FDA’s updated rules (Section 524B of the FD&C Act), any medical device that includes software, connects to a network, or could be exposed to cybersecurity threats is now classified as a “cyber device” and must meet strict cybersecurity requirements to remain on the market.
Devices that don’t meet these new standards are considered pre-524B legacy devices and may still be in use. Common reasons include:
- High costs associated with replacing or redesigning them
- Lengthy and resource-intensive FDA approval processes
- Deep integration with existing clinical workflows that is difficult to disrupt
- Hardware investments that outlast the supported lifecycle of the software
Despite their proven reliability and regulatory clearance, legacy devices often raise cybersecurity concerns and face resistance from hospital IT teams. Yet because they’re difficult to replace quickly, these devices continue to be sold and deployed, requiring careful navigation around IT objections.
In this bulletin, we discuss what actions device manufacturers need to take and how to address cybersecurity-related pushback from the hospital IT department. We also include a real-world example of a cybersecurity vulnerability recently reported in a legacy medical device.
Actions legacy device manufacturers can take:
- Publish the Manufacturer Disclosure Statement for Medical Device Security (MDS2) and the Software Bill of Materials (SBOM), even for legacy devices (partial SBOMs are acceptable if labeled as such).
- Publish a Legacy Device Cybersecurity Position Statement: what cybersecurity features are supported, and what’s not.
- Offer a risk mitigation guide for hospital IT: network isolation, firewall rules, and user controls.
- Develop a hardening toolkit (e.g., disable unnecessary services and unused USB ports, change default passwords).
- Offer to engage in third-party risk assessments to help the hospital accept the device with “compensating controls.”
- Provide regular security bulletins or advisories, even if only to say that no new issues were found.
- Assign a cybersecurity point of contact for hospitals.
- Include legacy device handling in the product lifecycle and risk management policies.
Addressing cybersecurity-related pushback from the hospital IT department:
Be honest in communicating that the device was designed before current security expectations existed, but that clear guidance is provided for operating it safely.
Mention the various measures taken to ensure cybersecurity and minimize risk:
- Availability of an MDS2
- Availability of compensating controls to align with hospital IT security policies
- Risk mitigation guide for hospital IT
- Availability of a hardening toolkit
- Availability of a cybersecurity point of contact for the hospital to address any emergency
- Availability of a regular security bulletin or advisory, to report any new issue or to confirm that none were found
Real-World Example: Legacy Vulnerability in FUJIFILM Synapse Mobility
In August 2025, a cybersecurity vulnerability was disclosed in older versions of FUJIFILM’s Synapse Mobility platform (pre-8.2), a widely used medical imaging system. The flaw allowed attackers to bypass role-based access controls and view unauthorized patient data without requiring user interaction.