Legacy Devices and FDA Cybersecurity: What You Need to Know

Topics: FDA cybersecurity readiness, Regulatory, Thought leadership
Naomi Schwartz

September 9, 2025


Introduction: Why This Matters

When people talk about “legacy devices,” the conversation often gets muddy. Are we talking about devices that are no longer marketed or supported by the manufacturer? Devices that are still being sold or supported but cleared before formal cybersecurity market entry requirements were established? Or devices that are out of production but still in use at hospitals?

Those categories may vary depending on your point of view, but here’s the key point: FDA doesn’t differentiate between sold, supported, or in use. What matters is whether a device is being cleared for market introduction or has been modified in a way that requires resubmission. If so, it must comply with Section 524B of the FD&C Act. If not, FDA quality system regulations (QSR) and risk management expectations still apply (even if 524B does not).

With 524B already in force since 2023 - and the FDA’s most recent (June 2025) guidance clarifying how it applies to new submissions and certain modifications - the real question manufacturers and healthcare providers are asking is: what does this mean for devices already on the market and in use?

At the same time, we’ve seen data showing that healthcare delivery organizations (HDOs) are willing to pay more for products that have cybersecurity built in - proven with artifacts like an MDS2 or SBOM - and that come with a reasonable support horizon before end-of-life (EOL). The bigger challenge is what to do with the inventory of older devices already in use. Meanwhile, in procurement, hospitals are increasingly preferring devices that can demonstrate security and lifecycle planning from day one. 

A Simple Timeline for Legacy Devices

Before 524B (pre-March 2023 law / October 2023 enforcement via eSTAR)

  • Devices cleared or approved before 524B do not have to retroactively meet its requirements.
  • Instead, they are only expected to comply with regulations and guidances that existed at the time they were cleared.
  • FDA cybersecurity guidance has been around since 2014; guidance is a set of recommendations that are typically tied back to the quality system regulation. Now with the amendment to the FD&C Act, certain elements of cybersecurity fall under FDA’s statutory law, which makes them enforceable requirements. Other elements remain “recommended” in guidance, but when tied to statutory provisions, these recommendations carry more weight in reviews.

After 524B

  • Any new device submissions (510(k), De Novo, or PMA) must meet the 524B requirements. As per the latest (June 2025) FDA guidance, this also includes certain device modifications.
  • These requirements include security documentation such as an SBOM, a plan to monitor, identify, and address vulnerabilities and exploits, processes and procedures to ensure the cybersecurity of the design, and clear support/patching plans.

The Catch for Legacy Devices

If you make changes to your device (software update, supplier change, new component, etc.), this may qualify as a modification that needs to be submitted to FDA again, in which case the 524B cybersecurity requirements apply.

In practice, that means most active product lines will eventually get pulled into 524B territory. True “legacy” devices that are no longer manufactured or maintained may never trigger 524B - but may still have to meet previous, albeit less stringent, cybersecurity requirements. 

This poses a risk to manufacturers:

  • Recalls (corrective actions or removals): Vulnerabilities or exploits may require costly corrective actions or possibly removals.
  • Regulatory scrutiny: On-market failures can trigger additional FDA inspections or postmarket reviews. 
  • State of the art: Devices not designed to the prevailing state of the art may be subject to FDA action under Section 518(b) of the FD&C Act - known as the “Three R’s” - where the FDA can order manufacturers, importers or distributors to repair, replace or refund medical devices that pose an unreasonable health risk.

Why It’s Still Complicated

  • Safety always applies. Even pre-524B devices must still be “safe,” and cybersecurity vulnerabilities can undermine safety.
  • Guidance vs. law. FDA guidance from earlier eras still matters in reviews, but guidance documents are not legally binding unless tied to statutory requirements.
  • Healthcare provider liability. FDA doesn’t regulate hospitals’ use of old devices, but providers may face liability if they knowingly use unsupported technology that could compromise patient safety.
  • Proposed HIPAA update. A recent proposal (still uncertain politically) would require providers to prove segmentation and isolation controls for legacy devices. That could shift responsibility to hospitals as early as 2026.

The Purchasing Perspective: Why This Matters to MDMs

Here’s the shift that matters most:

For hospitals (HDOs): 

  • They must manage fleets of older devices already in inventory, often without cybersecurity documentation. 
  • Compensating controls, network segmentation, or eventual replacement are the only real options. 

For procurement: 

  • Hospitals are increasingly willing to pay a premium for new devices with provable cybersecurity maturity - SBOM, MDS2, and lifecycle commitments included. 
  • That makes it harder to justify buying or deploying devices where cybersecurity is undocumented or uncertain.

For manufacturers (MDMs):  

  • Future-proofing products is no longer just about compliance, it’s about marketability. Devices that demonstrate cybersecurity maturity will win procurement decisions, while devices without that proof risk being sidelined earlier in their lifecycle. 

The Moral of the Story

Legacy devices aren’t “free passes.” While 524B doesn’t retroactively apply, certain updates can bring them into scope. And regardless, both manufacturers and healthcare providers remain accountable for managing cybersecurity risk within their domains:

  • Manufacturers (MDMs) must maintain compliance with QSR and risk management expectations, even for older products. 
  • Healthcare delivery organizations (HDOs) must weigh the risks of continuing to use unsupported devices and implement appropriate compensating controls.
  • Everyone should expect more regulatory pressure - and more commercial pressure - to reduce legacy risk in the years ahead.

Additionally, as noted above, any product cleared or approved and sold into the US market is still subject to the FDA regulations in force at the time of clearance or approval, including the Quality System Regulation (Part 820) and the “Three R’s” of Section 518(b) of the FD&C Act. Postmarket cybersecurity problems can lead to costly repair, replacement or refund obligations.

Join the Conversation: Upcoming Webinar

This topic is bigger than a single blog post. We’ll be digging deeper into:

  • FDA’s current stance on legacy devices
  • What actually triggers 524B enforcement
  • How providers and manufacturers can prepare for future enforcement and market shifts

Webinar: The Legacy Dilemma: Navigating Security, Responsibility, and Regulation for Connected Medical Devices 

Date: Sept 18, 2025 08:00 AM

Speakers: 

Axel Wirth, Chief Security Strategist, Medcrypt

Christian Rosenzweig, Medical Device Consultant, Johner Institut


Closing Thought

Legacy devices may be grandfathered in on paper, but real-time cybersecurity risks don’t care about approval dates. And hospitals are increasingly favoring devices that prove security was part of the design and is supported over a clear lifecycle.

The question isn’t just “does the law apply?” It’s: will your devices stand up to both regulators and the market five years from now?
