Why HTM teams must treat “old but working” as a high-stakes cyber risk—and how to protect patients and operations now.

By Alyx Arnett

Health care experienced the highest number of cyberthreats among critical infrastructure sectors in 2024, yet hospitals are still depending on legacy medical devices that were never built for today’s threat landscape.1 These legacy devices remain essential for patient care, but their outdated security capabilities make them increasingly difficult to defend.

“Legacy devices are one of the weak spots in healthcare cybersecurity,” says Axel Wirth, CPHIMS, CISSP, HCISPP, AAMIF, FHIMSS, chief security strategist at medical device cybersecurity provider MedCrypt. “By definition, these are devices that cannot be reasonably protected against current cyber threats.”

While many attacks aren’t aimed specifically at hospitals, outdated devices often match the profile of broader exploits, making health systems “collateral damage,” says Wirth. At the same time, “Attackers frequently use legacy devices as a stealth entry point into broader hospital IT,” says Dewank Pant, a security engineer on Amazon’s artificial intelligence (AI) security team. “Because they can’t easily be updated, they create persistent blind spots.”

For healthcare technology management (HTM) professionals, the challenge is to manage an entrenched risk while keeping clinical operations moving. 

How Legacy Devices Get Impacted

The biggest security risk for legacy devices, Wirth says, is always the operating system. “There are certain commercial operating systems that are widely popular, widely distributed, have a high level of exposure, and therefore many techniques, exploits, and malware have been written targeting these operating systems,” he says. “Medical devices that run these versions of operating systems that are no longer patched are exposed.”

The WannaCry ransomware attack of May 2017 is a key example.2 The global cyberattack infected more than 200,000 computers running Windows across 156 countries, including 1,200 diagnostic devices that disrupted operations at 81 National Health Service hospitals, 603 primary care facilities, and 595 medical practices. “Many hospital imaging systems and diagnostic devices were still running Windows XP/7 with no patch support, which allowed ransomware to spread rapidly across networks and delay care,” says Pant. 

Not all threats rely on outdated operating systems, however. In early 2025, US authorities discovered that the Contec CMS8000 patient monitor, released around 2011, contained a built-in backdoor that could allow remote code execution, exposing patient data and creating safety risks. The firmware contained a hard-coded IP address registered to a Chinese university, but CISA noted that while the devices attempted to connect, no actual communication with the IP was observed.

Other attack vectors are more low-tech but still effective. USB thumb drives, for instance, remain a possible entry point, Wirth says. As a clinician or service technician moves software from site to site, an infected drive can transfer malware between facilities. “And, again, legacy devices in general are much riskier, especially if those are built on commercial operating systems,” Wirth says.

The risks don’t end with the devices themselves. Hospital networks increasingly depend on a wide range of connected systems and outside services, making it essential to understand who has access and how data flows. “There must be a meaningful effort to inventory the universe of vendors, partners, and subcontractors that interface with the digital environment,” says Jeff Le, managing principal at 100 Mile Strategies, a public sector navigation, communications, and policy consultancy, and fellow at George Mason University’s National Security Institute.

Patient Harm and Limiting Factors

The biggest cybersecurity concern, says Wirth, is patient safety. “That harm can result from direct impact—incorrect diagnosis, wrong doses—or indirect harm through delay of care,” he says. In some recent cases, those delays have been fatal. Wirth points to a ransomware-related death in the United Kingdom tied to a pathology provider outage and to a United States case where communication delays during a hospital ransomware attack contributed to an infant’s death months later.3,4

If the risks are so high, why do legacy devices persist? Hospitals face multiple constraints—cost, specialization, time, and clinical impact—that make replacement anything but straightforward. Some devices are so specialized that there’s no quick substitute on the market, while others can’t be taken offline for days or weeks to be replaced when patients depend on them for treatment, says Shankar Somasundaram, founder and CEO of cybersecurity provider Asimily.

Cost is another major factor, with some replacements reaching $1 million to $2 million per unit. Time is also limited, Somasundaram adds. “I’ve worked with HTM all over the country, and they have…so little time. So how do you solve a problem when you have little time and many constraints?” he says.

Because of these barriers, hospitals must often balance risk mitigation with financial and operational realities. Tyler Reguly, associate director of security research and development at cybersecurity company Fortra, notes that purchasing devices released after the Protecting and Transforming Cyber Healthcare (PATCH) Act—a 2023 law expanding US Food and Drug Administration cybersecurity requirements—is the ideal long-term solution. But when budgets make that unrealistic, he says hospitals must rely on mitigations to manage exposure.

Still, Greg Garcia, executive director of the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group, cautions that not every vulnerability can be mitigated. “If it’s addressable, you can patch it, update it, or put a workaround in place,” Garcia says. “An unaddressable risk means, no, sorry, this thing is sitting out there, and it’s just target practice for the hackers.”

Where to Start

The first challenge is often understanding the full scope of risk. “Most health systems may not be aware of the number of legacy medical devices they have,” says Somasundaram. “You can’t secure what you don’t know.” 

Begin with inventory. Kiran Chinnagangannagari, co-founder and chief product and technology officer at cybersecurity provider Securin, frames this as the foundational map for everything that follows. It should answer where legacy devices sit, what they run, how they communicate, and who touches them. Somasundaram cautions that if the inventory process is manual, it must be updated regularly, as it can quickly become outdated.

Pant recommends pairing inventory with basic baselining—establishing what “normal” looks like for each device. Record details like the operating system, firmware version, typical usage hours, and standard network activity, so unusual behavior, such as unexpected traffic or continuous operation, can be spotted quickly.

Whether just beginning or already well into mitigation efforts, Somasundaram recommends tackling the challenge incrementally rather than trying to solve it all at once. “You can’t eat the elephant whole,” he says. “Break it into pieces because moving forward is better than staying still.” 

Segment, Isolate, Monitor

With inventory and baselining in place, the next step is putting those insights to work by isolating high-risk devices and monitoring for unusual activity. Stakeholders say segmentation is one of the highest-yield controls most hospitals can implement quickly. Pant recommends placing legacy devices in their own virtual local area network and enforcing firewall rules that only allow essential traffic in and out. 

Kaarthick Subramanian, chief customer experience officer at cybersecurity provider Atlas Systems, explains the benefit: “For example, you have an MRI scanner. That machine is isolated within a network so that if there is an impact on any other equipment, that doesn’t cascade down to other equipment within the network.” 

Pant advises configuring alerts for unusual network behavior, such as unexpected outbound connections. He recommends using open-source tools such as Wazuh or Zeek, which can be deployed inexpensively to capture logs and network traffic. “Even a lightweight setup can flag such anomalies,” he says.
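The segmentation-plus-alerting approach described above, as an added example that is not from the article or from any of the vendors quoted: it reads Zeek conn.log records (JSON output) and flags every connection a legacy device originated that is not on the firewall allowlist, rating it higher when the destination is outside the hospital address space. The VLAN, the hospital address space, the allowed PACS and NTP destinations, and the log lines are all constructed for the example.

```python
# Flag unexpected outbound connections from the legacy-device VLAN in Zeek
# conn.log records (JSON output). All addresses and log lines are constructed.
import ipaddress
import json

LEGACY_VLAN = ipaddress.ip_network("10.20.5.0/24")   # hypothetical legacy VLAN
HOSPITAL_NET = ipaddress.ip_network("10.0.0.0/8")    # hypothetical internal space

# Hypothetical allowlist mirroring the firewall policy: the only destinations a
# legacy device should ever initiate traffic to (PACS over DICOM, internal NTP).
ALLOWED_FLOWS = {
    ("10.20.1.10", 104, "tcp"),   # PACS / DICOM
    ("10.20.1.5", 123, "udp"),    # internal NTP
}

# Constructed Zeek conn.log lines (one JSON object per line).
CONN_LOG = """\
{"ts":1736000001.1,"uid":"C1","id.orig_h":"10.20.5.11","id.orig_p":49152,"id.resp_h":"10.20.1.10","id.resp_p":104,"proto":"tcp","conn_state":"SF"}
{"ts":1736000002.2,"uid":"C2","id.orig_h":"10.20.5.12","id.orig_p":123,"id.resp_h":"10.20.1.5","id.resp_p":123,"proto":"udp","conn_state":"SF"}
{"ts":1736000003.3,"uid":"C3","id.orig_h":"10.20.5.11","id.orig_p":49153,"id.resp_h":"203.0.113.7","id.resp_p":443,"proto":"tcp","conn_state":"S0"}
{"ts":1736000004.4,"uid":"C4","id.orig_h":"10.20.1.10","id.orig_p":50000,"id.resp_h":"10.20.5.11","id.resp_p":104,"proto":"tcp","conn_state":"SF"}
"""

def unexpected_outbound(log_text, vlan=LEGACY_VLAN, allowed=ALLOWED_FLOWS):
    """Return alerts for connections a legacy device originated toward a
    destination/port/protocol that is not on the allowlist."""
    alerts = []
    for line in filter(None, log_text.splitlines()):
        rec = json.loads(line)
        orig = ipaddress.ip_address(rec["id.orig_h"])
        if orig not in vlan:
            continue   # inbound to, or unrelated to, the legacy VLAN: not our concern here
        flow = (rec["id.resp_h"], rec["id.resp_p"], rec["proto"])
        if flow in allowed:
            continue
        external = ipaddress.ip_address(rec["id.resp_h"]) not in HOSPITAL_NET
        alerts.append({
            "uid": rec["uid"], "device": str(orig),
            "dest": f'{rec["id.resp_h"]}:{rec["id.resp_p"]}/{rec["proto"]}',
            "severity": "high" if external else "medium",
            "state": rec["conn_state"],   # S0 = attempt with no reply, e.g. blocked
        })
    return alerts

if __name__ == "__main__":
    for alert in unexpected_outbound(CONN_LOG):
        print(alert)
```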

Conducting manual spot checks can help catch problems early. “A monthly Nmap—an open-source, free tool—of the subnet where legacy devices reside can reveal new open ports or unauthorized changes that may indicate compromise,” Pant says.
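An added example (not from the article) of the monthly spot check combined with the baseline from the previous section: it parses Nmap grepable output (`nmap -oG`) for the legacy subnet and diffs it against the inventory, reporting new open ports, hosts that are not in the inventory, and inventoried hosts that did not answer. Addresses, device names and the scan output are constructed.

```python
# Diff a monthly Nmap scan of the legacy-device subnet against the baseline
# inventory and report drift (new open ports, unknown hosts, missing hosts).
import re

# Constructed baseline for hypothetical devices: the ports each one is known to
# expose during normal operation (the "what it runs / how it communicates" map).
BASELINE = {
    "10.20.5.11": {"device": "MRI console, unsupported OS", "ports": {104, 3389}},
    "10.20.5.12": {"device": "patient monitor gateway", "ports": {22}},
}

# Constructed sample of `nmap -oG -` (grepable) output from this month's scan.
SCAN_OUTPUT = """\
# Nmap scan initiated (constructed sample)
Host: 10.20.5.11 ()\tPorts: 104/open/tcp//dicom///, 3389/open/tcp//ms-wbt-server///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 10.20.5.12 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
Host: 10.20.5.40 ()\tPorts: 8080/open/tcp//http-proxy///\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+([^\t]*)")

def parse_grepable(text):
    """Return {ip: set of open ports} from Nmap grepable output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ports = set()
        for entry in m.group(2).split(","):
            fields = entry.strip().split("/")   # port/state/proto/owner/service/...
            if len(fields) > 1 and fields[1] == "open":
                ports.add(int(fields[0]))
        hosts[m.group(1)] = ports
    return hosts

def find_drift(baseline, scan):
    """Return (ip, finding, ports) tuples for anything that departs from baseline."""
    findings = []
    for ip, ports in scan.items():
        if ip not in baseline:
            findings.append((ip, "unknown host on legacy subnet", sorted(ports)))
        elif ports - baseline[ip]["ports"]:
            findings.append((ip, "new open ports", sorted(ports - baseline[ip]["ports"])))
    for ip in baseline:
        if ip not in scan:
            findings.append((ip, "baseline host not seen", []))
    return findings
```

Each finding is a prompt to check the device against the inventory record before assuming compromise; a new port may be a vendor service visit, but it is still an inventory update.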

To reinforce these protections, Reguly stresses the importance of getting the basics right. This means never exposing devices directly to the internet, he says. He also recommends hardening devices by enabling port security, removing default passwords and unsecured services, and placing firewalls in front of devices—even within the internal network—to further limit exposure.

Prioritize by Risk and Get Buy-In

Subramanian recommends a risk-based approach to securing legacy devices. He says to consider two primary factors:

  • Clinical criticality: How essential is the device to patient care? Would a compromise delay treatment, interrupt diagnostics, or pose safety risks? 
  • Exposure: How vulnerable is the device based on where it sits and how it’s maintained? Factors include network connectivity, unsupported operating systems, default credentials, and whether the vendor still provides security patches.

Devices that are both clinically critical and highly exposed should sit at the top of the priority list. For devices identified as high-risk and unaddressable, Pant advises developing a structured decommissioning plan. 

“For an HTM team with limited time, budget, and personnel, the key is to focus on actions that provide the greatest risk reduction for the least cost and effort,” says Chinnagangannagari.

Establishing clear prioritization, says Le, will help justify necessary investments and scope a strategy-aligned budget. “Such direct action will help with digital visibility and buy-in internally on what cyber success looks like.”

Without buy-in, Amazon’s Pant says, “even the best technical plan fails.” When engaging clinicians, he advises avoiding technical jargon like “network segmentation” and instead explaining that isolating a vulnerable device helps prevent treatment delays or inaccurate readings if the device is compromised. For administrators, Pant recommends framing the conversation in business terms: highlight potential HIPAA penalties and fines, the financial impact of downtime, and reputational risks, and provide concrete examples where outdated devices directly affected patient care.

Work With IT—And With Vendors

Many HTM teams don’t control the enterprise network, which can make segmentation and monitoring feel out of reach. Reguly argues that this is where silos between HTM and IT must fall. “The goal at the end of the day is the security of the network,” he says. “If they’re worried about the overall security of the network, your devices are one of the big things they need to worry about.” 

He recommends using a ticketing system or scheduling regular sync meetings so that HTM and IT teams can collaboratively align priorities and address gaps. 

Vendor governance is equally important. Garcia emphasizes shared responsibility between medical device manufacturers and healthcare delivery organizations and recommends using the HSCC’s Managing Legacy Technology Security 2023 guide to help define roles and responsibilities as devices age. The guide outlines where manufacturer obligations end and healthcare delivery organization responsibilities begin, helping HTM teams better plan for security, support, and replacement decisions.

Wirth recommends verifying vendors’ security practices during procurement to help reduce future legacy device risks. He advises buyers to request key cybersecurity documentation—including instructions for use, current MDS2 forms, and a software bill of materials—to understand how transparent and proactive vendors are about security. “All those things give you a feeling of how security-competent the vendor is. Can they produce those documents? Are they current? Do they withstand the smoke test?” he says.

Reguly recommends holding vendors accountable. “Vote with your wallet,” he says. “If a vendor is not going to work with you, not going to provide the security updates, is there a competitor you can work with next time?”

Looking Ahead: AI, Policy, and the Future of Legacy Devices

The healthcare sector is seeing increased regulatory attention on device security, with a recent congressional hearing examining the risks posed by legacy devices and measures like the PATCH Act raising cybersecurity expectations for new devices. “Devices being market-approved today are more secure than anything from five, 10, and more years ago,” says Wirth. “But at the same time, we have 10 or 20 years’ worth of old devices in our hospitals that need to be addressed.”

That challenge is only growing as cyberattacks evolve. Wirth warns that adversaries are already using AI tools to craft more targeted and sophisticated exploits. Garcia points to AI-powered social engineering attacks, which make phishing emails harder to spot. “AI will send you an email, and it looks absolutely legitimate. But it isn’t,” he says. 

Stakeholders agree there’s no single fix. Progress will require practical security measures, cross-department collaboration, and perhaps new funding models to help hospitals replace aging systems. Somasundaram points to an approach in Germany that could serve as a model, where a national program required hospitals to create cybersecurity plans and provided dedicated funding to support implementation. “If you give them a little bit of financial support, a lot of them will lean in and at least do something about it,” he says. 

Still, Garcia cautions that one-time payouts aren’t enough to solve a decades-long issue. 

While policymakers, manufacturers, and health systems debate long-term solutions, Wirth stresses that HTM teams cannot afford to wait. “The longer you push it out, the more painful it is,” he says. “Start now where you still have a level of control…rather than waiting until a cyber incident, patient incident, or regulation forces you to react in a less desirable way.”

References

  1. Internet Crime Complaint Center. 2024 Internet Crime Report. FBI; 2025. Available at https://www.aha.org/system/files/media/file/2025/05/2024-fbi-internet-crime-report.pdf 
  2. Collier R. NHS ransomware attack spreads worldwide. CMAJ. 2017;189(22):E786-7. 
  3. Sollof J. Patient death linked to cyber attack on NHS pathology provider. Digital Health. 2025 June 2026. Available at https://www.digitalhealth.net/2025/06/patient-dies-as-a-result-of-cyber-attack-on-nhs-pathology-provider/
  4. Poulsen K, McMillan R, Evans M. A hospital hit by hackers, a baby in distress: the case of the first alleged ransomware death. The Wall Street Journal. 2021 Sept 30. Available at https://www.wsj.com/health/healthcare/ransomware-hackers-hospital-first-alleged-death-11633008116