Legacy Medical Devices Aren’t Going Away: Why Healthcare Needs an Identity-First Security Strategy

Phil Englert recently highlighted an uncomfortable reality facing healthcare organizations: legacy medical devices remain one of the most significant cybersecurity risks in modern healthcare environments. Unsupported operating systems, limited security capabilities, patching challenges, and increasing cyber threats create a perfect storm for hospitals attempting to balance patient care, operational continuity, and cybersecurity.

The challenge is not new, but it is becoming more urgent.

Across healthcare environments, thousands of connected medical devices remain in service long after their original cybersecurity assumptions have become obsolete. Imaging systems, infusion pumps, patient monitoring equipment, laboratory devices, and specialized diagnostic systems often have operational lifespans measured in decades rather than years. Replacing them is rarely simple, affordable, or clinically practical.

The reality is that most healthcare organizations cannot simply rip and replace their legacy device estate.

The Real Problem Is Trust

Many discussions around medical device cybersecurity focus on vulnerabilities, patching, and network monitoring. These are all important. However, they often overlook a more fundamental issue:

Can you trust the device?

When a device connects to a hospital network, requests access to clinical systems, transmits patient data, or receives software updates, healthcare operators need confidence that:

  • The device is authentic
  • The device has not been tampered with
  • The device is authorized to perform its intended function
  • Communications are encrypted and trusted
  • Access can be revoked if risk conditions change

Unfortunately, many legacy devices were never designed with these requirements in mind. They may lack modern encryption, secure authentication mechanisms, or support for contemporary security controls. As Phil Englert notes, these limitations can make them attractive targets for attackers and potential entry points into broader healthcare networks.

Visibility Alone Is Not Enough

Healthcare organizations have made significant investments in asset discovery and visibility platforms. Knowing what devices are connected to the network is an important first step.

However, visibility does not equal security.

A hospital may know that 500 infusion pumps and 200 imaging systems are present on the network, but questions still remain:

  • Which devices have trusted identities?
  • Which devices are using expired certificates?
  • Which devices can still authenticate securely?
  • Which devices are running software with known vulnerabilities?
  • Which devices can prove their integrity before accessing critical systems?

Without answers to these questions, organizations remain exposed to both cyber risk and compliance challenges.

Moving Beyond Network-Centric Security

Traditional security approaches often focus on network location. If a device is on the correct network segment, it is generally trusted.

Zero Trust principles challenge this assumption.

Modern healthcare security requires trust decisions to be based on identity, device posture, and cryptographic verification rather than network location alone. This aligns with guidance from NIST and emerging healthcare cybersecurity expectations that increasingly emphasize identity-centric security and lifecycle management.

For medical devices, this means establishing a verifiable identity for every device, regardless of whether it was manufactured yesterday or fifteen years ago.

The Challenge of Legacy Devices

The difficulty is that many legacy devices were never provisioned with strong identities during manufacturing.

This creates a significant obstacle for healthcare operators who need to secure existing fleets without disrupting clinical operations.

An effective strategy must therefore address both:

  • New devices entering service
  • Existing brownfield and legacy devices already deployed across hospitals

Organizations need a way to establish trusted identities, automate credential management, and continuously validate device trustworthiness throughout the operational lifecycle.

Security Must Span the Entire Device Lifecycle

Healthcare cybersecurity is increasingly becoming a lifecycle challenge.

A medical device may remain operational for ten, fifteen, or even twenty years. During that time, certificates expire, cryptographic standards evolve, vulnerabilities emerge, ownership changes, and compliance requirements continue to grow.

Managing these processes manually at scale is simply not sustainable.

Healthcare providers require automated lifecycle management that can:

  • Provision and maintain trusted device identities
  • Automate certificate issuance, renewal, and revocation
  • Support secure firmware and software updates
  • Verify device integrity and trust status
  • Generate audit evidence for compliance and governance requirements
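
To make the questions in the visibility section and the lifecycle list above concrete, the following Go program is an added example written for this page; it is not Device Authority code and uses no Device Authority product or API. It builds a constructed six-device inventory signed by a throwaway test CA (every device name, serial number, CA name and date is made up) and runs one identity-first policy over it: a device is trusted only if it presents a certificate that chains to the operator's own root, is not expired, and is not on the operator's revocation list, and it is flagged for renewal when expiry is within a configurable window. That covers the "trusted identities", "expired certificates" and "can still authenticate securely" questions, the provision, renew, revoke and audit-evidence items of the lifecycle list, and the Zero Trust point that a device on the right network segment is still untrusted until its identity verifies. Integrity verification (firmware measurement or attestation) is out of scope for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TrustStatus is the per-device decision an identity-first policy returns.
type TrustStatus string

const Trusted, RenewSoon, Untrusted TrustStatus = "trusted", "trusted-renew-soon", "untrusted"

// Policy holds the trust anchors and revocation data the evaluator checks against.
type Policy struct {
	Roots       *x509.CertPool
	Revoked     map[string]bool // serial numbers the operator has withdrawn
	RenewWindow time.Duration   // flag identities that expire within this window
}

// Evaluate returns one device's trust decision plus a reason usable as audit evidence; cert is nil if the device has no identity.
func (p Policy) Evaluate(cert *x509.Certificate, now time.Time) (TrustStatus, string) {
	if cert == nil {
		return Untrusted, "no provisioned device identity"
	}
	if p.Revoked[cert.SerialNumber.String()] {
		return Untrusted, "identity certificate revoked"
	}
	if now.After(cert.NotAfter) {
		return Untrusted, "identity certificate expired on " + cert.NotAfter.Format("2006-01-02")
	}
	// Chain verification separates an authentic device from one that merely sits on the right segment.
	opts := x509.VerifyOptions{Roots: p.Roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return Untrusted, "chain verification failed: " + err.Error()
	}
	if left := cert.NotAfter.Sub(now); left < p.RenewWindow {
		return RenewSoon, fmt.Sprintf("valid, but expires in %d days: schedule renewal", int(left.Hours()/24))
	}
	return Trusted, "valid identity chained to operator root"
}

func day(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

// mint signs a certificate with parent, or self-signs a CA when parent is nil. Constructed test fixture only.
func mint(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64, cn string,
	notAfter time.Time, ku x509.KeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	isCA := ku&x509.KeyUsageCertSign != 0
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: day(2015, 1, 1), NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: isCA,
		KeyUsage: ku, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// EvaluateSampleFleet runs the policy over a constructed inventory (device name -> identity certificate).
func EvaluateSampleFleet() map[string]TrustStatus {
	now := day(2025, 6, 1) // fixed clock so the run is repeatable
	hospitalCA, hospitalKey := mint(nil, nil, 1, "Hospital Device CA", day(2040, 1, 1), x509.KeyUsageCertSign)
	vendorCA, vendorKey := mint(nil, nil, 2, "Unknown Vendor CA", day(2040, 1, 1), x509.KeyUsageCertSign)
	roots := x509.NewCertPool()
	roots.AddCert(hospitalCA) // only the hospital CA is a trust anchor
	policy := Policy{Roots: roots, Revoked: map[string]bool{"104": true}, RenewWindow: 30 * 24 * time.Hour}
	leaf := func(ca *x509.Certificate, k *ecdsa.PrivateKey, serial int64, cn string, exp time.Time) *x509.Certificate {
		c, _ := mint(ca, k, serial, cn, exp, x509.KeyUsageDigitalSignature)
		return c
	}
	fleet := map[string]*x509.Certificate{
		"mri-01":     leaf(hospitalCA, hospitalKey, 101, "mri-01", day(2027, 1, 1)),
		"pump-17":    leaf(hospitalCA, hospitalKey, 102, "pump-17", day(2025, 6, 15)),   // 14 days left
		"monitor-04": leaf(hospitalCA, hospitalKey, 103, "monitor-04", day(2020, 1, 1)), // long expired
		"pump-22":    leaf(hospitalCA, hospitalKey, 104, "pump-22", day(2027, 1, 1)),    // serial 104 revoked
		"lab-09":     leaf(vendorCA, vendorKey, 105, "lab-09", day(2027, 1, 1)),         // issuer not trusted
		"xray-03":    nil,                                                               // legacy device with no identity at all
	}
	results := map[string]TrustStatus{}
	for name, cert := range fleet {
		status, why := policy.Evaluate(cert, now)
		results[name] = status
		fmt.Printf("%-11s %-19s %s\n", name, status, why) // one audit line per device
	}
	return results
}

func main() { EvaluateSampleFleet() }
```

Run it with `go run .`; each printed line is the kind of audit record the lifecycle list asks for, and the same reason string is what a revocation or renewal ticket would carry. The renewal window is where the automation pays off: with a thirty-day window an approaching expiry becomes a scheduled renewal rather than an authentication outage on a clinical device, and the order of the checks matters too, since a revoked or expired identity is rejected before any chain-building work is spent on it.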

This is particularly important as healthcare organizations face increasing scrutiny from regulators and insurers regarding cyber resilience and medical device security.

From Device Visibility to Device Trust

The next phase of healthcare cybersecurity is not simply discovering devices.

It is establishing trust in every device.

Healthcare providers need to move beyond inventories and vulnerability lists toward a model where every connected medical device can be identified, authenticated, monitored, and managed throughout its operational life.

At Device Authority, we believe this requires an identity-first approach built around Zero Trust principles, automated credential lifecycle management, and continuous device trust verification. This approach is particularly valuable for the large population of legacy and unmanaged devices that continue to support critical patient care but were never designed for today’s threat landscape.

Legacy medical devices may never completely disappear from healthcare environments. The question is no longer whether they present risk.

The question is whether organizations can establish trust, visibility, and control around them before attackers do.

Final Thought

Healthcare providers have spent years asking, “What devices do we have?”

The more important question for the next decade may be:

“Which of those devices can we actually trust?”

That shift from visibility to trust will define the future of medical device cybersecurity.