
Legacy Medical Devices: The Ticking Time Bombs on Your Network

Hospitals are full of medical devices running Windows XP and other end-of-life systems. You can't patch them, you can't replace them overnight, but you can segment and monitor them before they become the entry point for your next breach.

GuardsArm Team

Security Experts

February 27, 2026

Somewhere in your hospital right now, there's an infusion pump running Windows XP. There's an MRI machine with an unpatched operating system that the manufacturer says you can't touch. There's a patient monitoring system connected to your network with default credentials that haven't been changed since installation.

You know about it. Your IT team knows about it. Everyone's been quietly hoping nobody exploits it before the capital budget cycle lets you replace it.

That hope is running out.

The scope of the problem

The average hospital has between 10,000 and 15,000 connected devices. Roughly 40% of those are medical devices. And a significant chunk of those medical devices are running on operating systems that are years past end of life.

This isn't because healthcare IT teams are lazy. It's because medical devices operate on fundamentally different lifecycle timelines than IT equipment. A server gets refreshed every five years. An MRI machine costs $3 million and has a useful life of 15 to 20 years. A lot happens in the cybersecurity world over 15 years.

When that MRI was installed in 2012, it ran on Windows 7, which was a current, supported operating system. Today, Windows 7 has been end-of-life for six years. Microsoft doesn't release security patches for it. Every vulnerability discovered since January 2020 is permanently exploitable on that device.

And you can't just update the operating system. The device is FDA-regulated. The manufacturer certified it on Windows 7. Upgrading the OS could void the warranty, violate the FDA clearance, and potentially affect patient safety. So it sits on your network, vulnerable, connected, and untouchable.

What attackers see

An attacker scanning your network doesn't see a $3 million MRI machine. They see a Windows 7 box with known vulnerabilities, no endpoint protection, and network access to other systems.

Legacy medical devices are perfect pivot points. They're often on flat networks with access to clinical systems, administrative networks, and sometimes the internet. They rarely have EDR agents installed. They don't get monitored by security tools. They're invisible to your SOC because nobody's collecting logs from them.

WannaCry proved this in 2017. The ransomware spread through EternalBlue, a Windows SMB vulnerability. Hospitals around the world got hit because their medical devices were running unpatched Windows and had network access that allowed the worm to spread. The UK's National Health Service was crippled. MRI machines, blood storage refrigerators, and patient monitoring systems all went down.

That was eight years ago. The fundamental problem hasn't changed. The devices are just older now.

The manufacturer problem

Medical device manufacturers bear significant responsibility for this mess, and they've been slow to accept it. Many manufacturers still ship devices with outdated operating systems, hardcoded passwords, and no mechanism for security updates.

When you ask the manufacturer about patching, the response is typically one of three things: "We'll release a security update in our next product version" (meaning you need to buy a new device). "Modifying the operating system will void the warranty." Or silence.

The FDA has started pushing back. Their 2023 guidance requires manufacturers to provide a software bill of materials (SBOM) and a plan for addressing vulnerabilities throughout the device lifecycle. But that guidance applies to new devices. The thousands of legacy devices already installed in hospitals across the country aren't covered.

You're on your own.

What you can actually do

You can't patch these devices. You probably can't replace them. But you can reduce the risk they pose to your organization.

Network segmentation is the single most important control. Get these devices off your flat network and into isolated segments. An infusion pump doesn't need access to your email server, your Active Directory, or the internet. Segment it so that if it's compromised, the attacker can't pivot to anything valuable.

This isn't as simple as creating a VLAN. You need to understand the data flows. That MRI machine needs to send images to your PACS server. The infusion pump needs to communicate with the pharmacy system. Map every data flow, allow only what's necessary, and block everything else.

Deploy network-based detection around these segments. You can't put EDR on a device running Windows XP, but you can monitor the network traffic going to and from it. Unusual outbound connections, port scans, or large data transfers from a medical device should trigger immediate alerts.
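The two controls just described, a data-flow allowlist turned into segment firewall rules and network-side detection for traffic that falls outside those flows, as an added example. This is not GuardsArm's code or any product's: the segment address range, device and server addresses, the pharmacy-system port, the nftables chain name and the sample flow records are all constructed for illustration (port 104 is the registered DICOM port, but real PACS deployments vary).

```python
"""Segmentation policy as code for a medical-device segment, plus flow checks.

Added example, not GuardsArm's code. The segment, device addresses, ports,
chain name and the sample flow records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MEDICAL_SEGMENT = ip_network("10.50.0.0/24")        # constructed isolated segment
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8")]     # constructed: everything else is "internet"


@dataclass(frozen=True)
class Flow:
    name: str    # clinical purpose, so each rule stays auditable
    src: str     # one device or the whole segment
    dst: str     # the clinical system it must reach
    proto: str
    port: int


# The mapped data flows. Anything not listed here is denied and logged.
ALLOWED_FLOWS = [
    Flow("MRI to PACS (DICOM)", "10.50.0.10", "10.20.0.5", "tcp", 104),
    Flow("infusion pumps to pharmacy system", "10.50.0.0/24", "10.30.0.8", "tcp", 8443),
    Flow("medical segment to internal NTP", "10.50.0.0/24", "10.10.0.2", "udp", 123),
]


def flow_allowed(src, dst, proto, port):
    """True only when a connection matches a documented data flow."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(f.src, strict=False) and d == ip_address(f.dst)
               and proto == f.proto and port == f.port for f in ALLOWED_FLOWS)


def render_nftables():
    """nftables forward chain for the segment gateway: explicit allows for the
    mapped flows, then log-and-drop for anything else the segment originates
    or any new connection into it (pivot prevention)."""
    lines = ["table inet medical {", "    chain medical_segment {",
             "        type filter hook forward priority 0; policy accept;",
             "        ct state established,related accept"]
    for f in ALLOWED_FLOWS:
        lines.append(f"        ip saddr {f.src} ip daddr {f.dst} {f.proto} dport {f.port} "
                     f"accept comment \"{f.name}\"")
    lines.append(f"        ip saddr {MEDICAL_SEGMENT} log prefix \"medical-deny \" drop")
    lines.append(f"        ip daddr {MEDICAL_SEGMENT} ct state new log prefix \"medical-inbound-deny \" drop")
    lines += ["    }", "}"]
    return "\n".join(lines)


# Constructed flow records as a sensor at the segment boundary might export
# them: (src, dst, proto, dport, bytes sent by src).
SAMPLE_FLOWS = [
    ("10.50.0.10", "10.20.0.5", "tcp", 104, 52_000_000),    # MRI study to PACS: expected
    ("10.50.0.21", "10.30.0.8", "tcp", 8443, 4_000),         # pump to pharmacy: expected
    ("10.50.0.21", "10.40.0.15", "tcp", 445, 1_500),         # pump touching an admin host
    ("10.50.0.21", "10.40.0.15", "tcp", 135, 900),
    ("10.50.0.21", "10.40.0.15", "tcp", 139, 900),
    ("10.50.0.21", "10.40.0.15", "tcp", 3389, 900),
    ("10.50.0.21", "10.40.0.15", "tcp", 22, 900),
    ("10.50.0.33", "203.0.113.7", "tcp", 443, 900_000_000),  # monitor sending 900 MB outside
]

PORT_SCAN_THRESHOLD = 5           # distinct ports on one host from one device
LARGE_TRANSFER_BYTES = 100_000_000


def detect(flows):
    """Return {device: set of alert kinds} for segment traffic outside the
    documented flows. Expected clinical flows never alert, however large."""
    alerts, ports_seen = defaultdict(set), defaultdict(set)
    for src, dst, proto, port, nbytes in flows:
        if ip_address(src) not in MEDICAL_SEGMENT or flow_allowed(src, dst, proto, port):
            continue
        alerts[src].add("undocumented-flow")
        ports_seen[(src, dst)].add(port)
        if len(ports_seen[(src, dst)]) >= PORT_SCAN_THRESHOLD:
            alerts[src].add("port-scan")
        if not any(ip_address(dst) in n for n in INTERNAL_NETWORKS):
            alerts[src].add("internet-egress")
        if nbytes >= LARGE_TRANSFER_BYTES:
            alerts[src].add("large-transfer")
    return dict(alerts)


if __name__ == "__main__":
    print(render_nftables())
    for device, kinds in sorted(detect(SAMPLE_FLOWS).items()):
        print(device, sorted(kinds))
```

The same flow map drives both the firewall rules and the alerting, which is the point of mapping data flows first: the allowlist is written once, enforced at the gateway, and anything that slips past it (or that the gateway cannot see) shows up in the sensor data as an undocumented flow. The MRI's 52 MB study to PACS is expected and stays quiet; the pump reaching five ports on an administrative host and the monitor pushing 900 MB outside the internal ranges both alert.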

Maintain an accurate inventory. You can't protect what you don't know about. Every medical device on your network should be cataloged with its operating system, firmware version, known vulnerabilities, and network connectivity. This isn't a one-time project. Devices get added, moved, and reconfigured constantly.
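What such an inventory record can look like, and how it turns into a prioritized list, as an added example (not GuardsArm's tooling). The device entries, firmware strings, vulnerability counts and the scoring weights are constructed; the end-of-support dates are Microsoft's published lifecycle dates for those Windows versions.

```python
"""Medical-device inventory with end-of-support and exposure scoring.

Added example, not GuardsArm's tooling. Device records, vulnerability counts
and weights are constructed; the OS dates are Microsoft's published
end-of-extended-support dates.
"""
from dataclasses import dataclass
from datetime import date

OS_END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}


@dataclass
class Device:
    name: str
    ip: str
    os: str
    firmware: str
    known_vulns: int            # count from the last vulnerability review
    reachable: frozenset        # network zones the device can currently reach
    monitored: bool             # a network sensor sees its traffic
    vendor_patch_support: bool  # manufacturer still ships security updates


def eol_status(os_name, as_of):
    """Return ("supported" | "unsupported" | "unknown", years past end of support)."""
    end = OS_END_OF_SUPPORT.get(os_name)
    if end is None:
        return "unknown", 0.0
    if as_of <= end:
        return "supported", 0.0
    return "unsupported", round((as_of - end).days / 365.25, 1)


def risk_score(dev, as_of):
    """Additive score; higher means segment and monitor this device first.
    Weights are constructed for the example, not an industry standard."""
    status, years = eol_status(dev.os, as_of)
    score = 0
    if status == "unsupported":
        score += 30 + min(int(years) * 5, 30)   # each extra year past EOL, capped
    elif status == "unknown":
        score += 20                              # unverified lifecycle: treat as suspect
    if "internet" in dev.reachable:
        score += 25
    if "active-directory" in dev.reachable:
        score += 20
    if "clinical" in dev.reachable:
        score += 10
    if not dev.monitored:
        score += 15
    if not dev.vendor_patch_support:
        score += 10
    score += min(2 * dev.known_vulns, 20)
    return score


def prioritize(devices, as_of):
    """Inventory ordered by descending risk, as (name, os, status, score) rows."""
    rows = [(d.name, d.os, eol_status(d.os, as_of)[0], risk_score(d, as_of))
            for d in devices]
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed inventory entries
INVENTORY = [
    Device("Infusion pump, ward 4", "10.50.0.21", "Windows XP", "4.2.1", 40,
           frozenset({"clinical", "active-directory", "internet"}), False, False),
    Device("MRI scanner, radiology", "10.50.0.10", "Windows 7", "R12.3", 15,
           frozenset({"clinical"}), True, False),
    Device("Patient monitoring server", "10.50.0.33", "Windows 10", "7.0", 2,
           frozenset({"clinical"}), True, True),
]

if __name__ == "__main__":
    for row in prioritize(INVENTORY, date(2026, 2, 27)):
        print(row)
```

The score deliberately weighs exposure (what the device can reach, whether anyone is watching it) alongside the operating system's age, because an unpatchable device that can only reach its PACS server is a different problem from one that can reach Active Directory and the internet. Re-running the scoring on each inventory refresh is what keeps the list honest as devices are added, moved and reconfigured.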

Negotiate with your manufacturers. Push for security updates. Push for SBOMs. Push for clear guidance on what compensating controls you can implement without voiding the warranty. Document everything. If the manufacturer refuses to support security updates, that refusal should be in writing and factored into your risk assessment.

The budget conversation

Legacy device remediation costs money. Segmentation projects aren't cheap. Network monitoring tools add ongoing costs. And eventually, these devices need to be replaced with modern, securable alternatives.

The budget conversation with your leadership needs to be framed in terms of risk. A compromised medical device isn't just a cybersecurity incident. It's a patient safety incident. If an infusion pump is manipulated to deliver the wrong dosage, that's a clinical disaster. If patient monitoring systems go offline during a ransomware attack, people can die.

That's not hypothetical. It's happened.

The cost of doing nothing isn't zero. It's the cost of the breach that eventually comes through the device you knew was vulnerable and chose not to address.

GuardsArm specializes in healthcare network security, including legacy device risk assessment and segmentation planning. We help hospitals identify their most exposed devices, design segmentation architectures that don't break clinical workflows, and implement monitoring that covers the devices your EDR can't reach. If you've got devices on your network that keep you up at night, let's build a plan to contain the risk.
