Managing legacy medical devices that can no longer be patched

In this Help Net Security interview, Patty Ryan, Senior Director and CISO at QuidelOrtho, discusses how the long lifecycles of medical devices impact cybersecurity in healthcare environments. She explains how organizations can protect legacy systems, collaborate with vendors, and adopt proactive, risk-based strategies.

Ryan also shares insights on strengthening cyber resilience as AI-enabled and connected medical devices become more prevalent in healthcare.

Given the long lifecycles of medical devices, how should hospitals handle legacy systems that no longer receive patches?

I believe there are two main approaches to how hospitals can handle legacy systems that no longer receive patches. First, hospitals need to recognize that it is rarely possible to instantaneously remove a medical device, but what you can do is build a wall around that device so that only trusted, validated network traffic will be able to reach the device.

Secondly, close collaboration with vendors is critical to understand available upgrade paths. Most vendors don’t want customers running legacy technologies that heighten security risk. From my perspective, if a device is too old to be secured, that’s a serious concern. Collaborate with your providers early and be transparent about budget and timeline constraints. This enables vendors to design a phased roadmap for replacing legacy systems, steadily reducing security risk over time.

How should healthcare organizations balance compliance-driven security with the need for proactive, risk-based approaches?

A proactive, risk-based approach can support compliance-driven security. Compliance frameworks are attestations to fundamental security controls like patching, access management, and visibility to know when to respond when something happens.

The goal for healthcare organizations should be to move beyond box‑checking compliance by adopting proactive measures, prioritizing education within their own environments, and making informed decisions about how to mitigate or accept risk.

Are there lessons from other industries (like critical infrastructure or IoT security) that healthcare can adapt to medical device security?

Every industry faces its own unique risks, but the underlying security principles remain consistent. Whether it’s IoT, Bluetooth, or connected medical devices, the core fundamentals are the same across all industries. Understand your environment, limit unnecessary connectivity, and design for resilience.

Hospitals manage tens of thousands of interconnected devices with various levels of risk and connectivity. The focus should be on simplification, standardizing technologies, collaborating with vendors to consolidate device footprints, and implementing consistent controls.

We can take a cue from manufacturing, where cyber resilience is essential to limiting the impact of attacks on the production line and broader ecosystem. No single breach should be able to bring down the entire operation. Yet many organizations still run forgotten, outdated systems. It’s critical to retire legacy assets, streamline the environment, and continuously identify and manage risk.

How do you see collaboration evolving between regulators, vendors, and providers to address systemic risks?

We’ve seen meaningful progress when dozens of technology vendors pledged to self-regulate and build cyber resilience into their products from the outset. Unfortunately, that momentum has slowed. In my experience, however, the strongest gains often come from non‑legislative, industry‑led initiatives, when organizations voluntarily choose to prioritize security.

Cyber risk is never going away, yet it remains routinely underrecognized and under-mitigated. If we can make security a competitive differentiator, something that customers actively value when choosing a technology solution, it could create an incentive for vendors. Everyone benefits from a collective effort to reduce cyberattacks, freeing resources from ransomware response and refocusing them on improving patient care and outcomes.

As AI-enabled and connected devices become more common, what new security risks should we be anticipating now?

AI is powerful; it thinks like a human but doesn’t have human judgement. It is only as good as the data it’s trained on. The backend of every AI system is something that people often forget. The risk isn’t how AI operates, but the quality of the data that feeds it, which can be wrong, misleading, or harmful.

When we think about end-to-end security, from how data is collected and protected, to how models are trained and validated, good, clean data is more important than ever in mitigating new security risks. Safeguarding data integrity and ensuring transparency in AI decision‑making will be essential to patient safety as these technologies become more integral to healthcare.