We have all dealt with outdated technology. An old phone that no longer gets updates. A laptop that takes minutes to boot. The stubborn printer that jams every second page.
You have probably seen a payment kiosk crash, revealing an ancient Windows XP desktop beneath. Glitches are particularly annoying when they happen to an ATM.
But hospitals have similar problems. And here, it is no laughing matter.
Many medical devices stay in service long after the manufacturer stops supporting them. MRI scanners, CT machines, and X-ray equipment can remain in use for decades. So can the smaller devices (the ones patients carry or wear), like insulin pumps and pacemakers.
These devices often run outdated software, and in many cases, they are still connected to hospital networks.
Fiction often imagines the worst. You might have seen the episode of “Homeland” in which terrorists hack into the pacemaker of the fictional Vice President of the United States and assassinate him. The idea is unsettling. In reality, vulnerabilities have been found in both pacemakers and insulin pumps (pacemakers in 2017, and insulin pumps in 2022).
Thankfully, they have not yet been exploited by attackers in the wild. Still, the risk is real.
The Invisible Problem
For most people, the thought never enters their heads. You have an MRI and trust the machine without question. You have no reason to wonder if its operating system is a decade old. You don’t ask whether it is receiving security updates.
Tyler Reguly, Associate Director, Security R&D at Fortra, has seen this pattern up close. He notes that some vendors have been reluctant to even discuss vulnerabilities in their products. When he once ran a lab teaching people how to test and secure Internet of Things devices, he tried to obtain medical equipment for security testing. Vendors refused.
Why? Because in the United States, the Food and Drug Administration regulates these devices. If a security flaw is confirmed, it could lead to a costly recall. For a vendor, an end-of-life device is convenient.
They are no longer responsible for maintaining it. For a hospital, that same device might be too expensive to replace. The result is predictable: outdated, unsupported devices remain in use. They carry vulnerabilities that no one is patching, yet they are connected to networks that store sensitive patient data.
What the PATCH Act Does, and Doesn’t Do
Two years ago, the Protecting and Transforming Cyber Health Care (PATCH) Act became law. Reguly says it requires manufacturers to include cybersecurity plans in their submissions for new devices. Vendors must also commit to providing patches for known vulnerabilities throughout the device’s supported lifecycle.
This is a major shift. It moves medical device security closer to what the software industry already practices. For new devices, it means better planning, clearer patching obligations, and a greater focus on resilience against cyber threats.
He adds a caveat: the law does not cover devices already on the market before the act took effect. This is where the challenge lies. Many hospitals still rely on older systems that pre-date these rules. They cannot simply discard them. Replacement cycles for imaging machines, for example, are often 10 to 15 years. In some cases, even longer.
So while the PATCH Act helps secure tomorrow’s devices, today’s risks remain.
Practical Steps For Today’s Environment
If you cannot replace an old device, you must protect it another way. This is where Reguly’s advice is clear.
First, never expose medical devices directly to the Internet. This is a simple but critical rule. The device should not be reachable from outside the organization’s network.
Second, segment the network. Place medical devices on their own dedicated network whenever possible. Limit the number of systems that can communicate with them. This reduces the chance that a compromise elsewhere will spread.
Third, implement strict access controls. Disable unused ports. Apply port security to ensure only approved devices can connect.
Fourth, use internal firewalls. Barriers between medical devices and other systems should exist even within a hospital’s own network.
Fifth, eliminate default credentials and disable any unauthenticated services. Many vulnerabilities are easy to exploit simply because the factory settings remain in place.
These steps are not glamorous or expensive. They are basic security hygiene, applied consistently. And they can significantly reduce the risk posed by unsupported or end-of-life medical equipment.
Patient Safety is the Ultimate Measure
This is not just an IT problem, Reguly explains, but an issue of patient safety. The same way we expect a sterile environment in an operating room, we should expect a secure environment for connected medical devices. An outdated MRI scanner may not cause harm by itself, but if it becomes an entry point for an attacker, the entire hospital network (and the patient records on it) is at risk.
The PATCH Act is an important milestone. It holds manufacturers to higher standards and makes cybersecurity a built-in requirement rather than an afterthought. But the transition will take years. In the meantime, healthcare entities must take ownership of the devices already in service.
Start by assessing your inventory, he advises. Identify which devices are out of support. Review where they connect, how they communicate, and what controls are in place. For each one, ask a simple question: if this device were compromised, what could an attacker reach next?
Some answers will be uncomfortable. That is the point. Awareness is the first step toward reducing risk.
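The five steps above and the assessment question "if this device were compromised, what could an attacker reach next?" can both be turned into a repeatable check over a device inventory. The following Python script is an added example written for this article; it is not code from Fortra or from the article's author. The device names, network segments, attribute flags, and the allow-list of permitted flows are constructed for illustration and stand in for what a hospital would export from its asset inventory and firewall rules. It flags each medical device against the hygiene rules (Internet exposure, segmentation, default credentials, unauthenticated services, vendor support) and computes the blast radius by following only the flows the network policy permits:

```python
"""Added example: hygiene check and blast-radius analysis for a legacy
medical-device inventory. All names, segments, and flows are constructed."""
from collections import deque

# Constructed inventory. "supported" is the vendor support status;
# "stores_phi" marks systems that hold patient data.
DEVICES = {
    "mri-01":     {"supported": False, "segment": "imaging",  "internet_exposed": False,
                   "default_creds": False, "unauth_services": [], "stores_phi": False},
    "ct-02":      {"supported": False, "segment": "corp",     "internet_exposed": True,
                   "default_creds": True,  "unauth_services": ["telnet"], "stores_phi": False},
    "pump-07":    {"supported": True,  "segment": "clinical", "internet_exposed": False,
                   "default_creds": False, "unauth_services": [], "stores_phi": False},
    "pacs-srv":   {"supported": True,  "segment": "pacs",     "internet_exposed": False,
                   "default_creds": False, "unauth_services": [], "stores_phi": True},
    "ehr-db":     {"supported": True,  "segment": "corp",     "internet_exposed": False,
                   "default_creds": False, "unauth_services": [], "stores_phi": True},
    "ws-nurse-3": {"supported": True,  "segment": "corp",     "internet_exposed": False,
                   "default_creds": False, "unauth_services": [], "stores_phi": False},
}

# Which inventory entries are medical devices (the ones the five rules target).
MEDICAL = {"mri-01", "ct-02", "pump-07"}

# Constructed allow-list of permitted flows (src -> dst), as an internal
# firewall policy would express it. Anything not listed is treated as blocked.
FLOWS = [
    ("ws-nurse-3", "mri-01"),
    ("mri-01", "pacs-srv"),
    ("ct-02", "pacs-srv"),
    ("ct-02", "ehr-db"),
    ("pacs-srv", "ehr-db"),
    ("ws-nurse-3", "ehr-db"),
]


def hygiene_findings(name, devices=DEVICES, medical=MEDICAL):
    """Return the hygiene rules that device `name` currently violates."""
    d = devices[name]
    findings = []
    if d["internet_exposed"]:
        findings.append("exposed to the Internet")
    # Segmentation: a medical device should not share its segment with
    # non-medical systems such as workstations or databases.
    neighbours = {n for n, o in devices.items()
                  if o["segment"] == d["segment"] and n != name}
    if name in medical and neighbours - medical:
        findings.append("shares segment %s with non-medical systems" % d["segment"])
    if d["default_creds"]:
        findings.append("default credentials in place")
    for svc in d["unauth_services"]:
        findings.append("unauthenticated service: " + svc)
    if not d["supported"]:
        findings.append("out of vendor support")
    return findings


def reachable_from(start, flows=FLOWS):
    """Hosts reachable from `start` by following permitted flows (BFS)."""
    adj = {}
    for src, dst in flows:
        adj.setdefault(src, set()).add(dst)
    seen, queue = set(), deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in adj.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(name, devices=DEVICES, flows=FLOWS):
    """What a compromise of `name` could reach, and which of those hold PHI."""
    reach = reachable_from(name, flows)
    phi = sorted(h for h in reach if devices[h]["stores_phi"])
    return {"reachable": sorted(reach), "phi_exposed": phi}


def report(devices=DEVICES, flows=FLOWS, medical=MEDICAL):
    """Findings plus blast radius for every medical device in the inventory."""
    out = {}
    for name in devices:
        if name in medical:
            out[name] = {"findings": hygiene_findings(name, devices, medical),
                         **blast_radius(name, devices, flows)}
    return out


if __name__ == "__main__":
    for name, r in report().items():
        print(name, r)
```

In the constructed data the unsupported CT scanner sits on the corporate segment with Internet exposure and factory credentials, and a compromise of it reaches both PHI stores; the MRI scanner, although also out of support, is isolated on its own segment and only reaches the systems the policy explicitly allows. Feeding real inventory and firewall exports into the same two structures gives the same answers for a production environment.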
Shrink the Digital Attack Surface
Technology in healthcare is always advancing. Imaging devices are becoming faster and more precise. Implants are becoming smaller and smarter. Network connectivity brings enormous benefits for diagnosis, monitoring, and treatment. However, every connected device also becomes part of the hospital’s digital attack surface.
Two years in, the PATCH Act has started to shape how manufacturers design and maintain medical devices. But hospitals cannot wait for the full benefits to arrive. The old devices in service today need careful management and thoughtful security measures now.
The lesson from Reguly’s experience is simple. You may not be able to control the vendor’s support decisions, but you can control how devices are connected, accessed, and visible to potential attackers.
The goal is not to fear the technology. It is to respect it. That means keeping it isolated when necessary, patched when possible, and monitored at all times.
Because in healthcare, cybersecurity is not just about protecting systems. It is about protecting people.
If you work in healthcare IT, take the time this month to review your medical device inventory. Identify end-of-life equipment. Apply segmentation, access controls, and password changes immediately. Advocate for vendors to meet PATCH Act requirements, and push for budgets that prioritize replacing the most vulnerable systems. Patient safety depends on it.