IT Brief New Zealand - Technology news for CIOs & IT decision-makers
New Zealand
Guides
#
artificial intelligence
#
digital transformation
#
disaster recovery
#
hybrid & remote work
#
internet of things
Search
Story image
#
Ransomware
#
Risk & Compliance
#
Cybersecurity

How to protect legacy medical devices from modern cyber threats

Yesterday
By Rashid Mohiuddin, Senior Security Consultant, Connected Health, Wavelink

Australia and New Zealand's (ANZ) healthcare sectors, like others globally, are experiencing rapid digitalisation, with connected medical devices playing a central role in patient care. However, many legacy medical devices, designed before cybersecurity became a priority, present significant risks to both patient safety and regulatory compliance. While these devices remain operationally critical, they were not built to withstand today's sophisticated cyber threats.

The overlooked vulnerabilities of legacy medical systems

Healthcare organisations in ANZ are under immense pressure to modernise and enhance patient care and system efficiency. However, legacy medical devices lack the security protections required to defend against ransomware attacks, zero-day vulnerabilities, and unauthorised access. Many older systems lack encryption and integration with modern cybersecurity tools, putting sensitive patient data and critical healthcare operations at risk.  

Beyond these direct threats, healthcare providers face additional challenges, including:

  • Outdated software

Many legacy systems in ANZ hospitals are no longer supported by manufacturers, meaning they don't receive essential security patches. This makes them vulnerable to known exploits that modern systems would block.  

  • High replacement costs

Replacing outdated medical devices is financially challenging, particularly for regional and rural hospitals with limited budgets. Many healthcare providers prioritise frontline services over expensive system upgrades, leading to continued reliance on vulnerable legacy technology.

  • Complex regulatory compliance

In Australia, the Therapeutic Goods Administration (TGA) enforces stringent safety and security standards for medical devices through a risk-based regulatory framework. Legacy devices often lack modern cybersecurity features, making compliance difficult. Firmware updates and vulnerability patches may also require additional regulatory approvals, delaying implementation.

In New Zealand, Medsafe regulates medical devices under the Medicines Act 1981, ensuring their safety and quality. However, healthcare cybersecurity policies are also guided by national government-led initiatives, including the Cyber Security Strategy 2019 and the Health Information Security Framework. These frameworks require healthcare organisations to implement robust security measures to protect sensitive data and critical infrastructure. This is particularly challenging when dealing with outdated medical technology, which often lacks modern cybersecurity features.

  • Documentation and reporting

Regulatory bodies across ANZ require healthcare providers to maintain detailed documentation of medical device security measures and report incidents promptly. However, legacy devices were not designed with modern security and compliance requirements in mind, making it difficult for healthcare providers to meet regulatory obligations.

Adopting a risk-based approach to securing legacy medical devices

A risk-based approach to medical device vulnerability management is key to addressing these cybersecurity challenges. This strategy helps healthcare organisations prioritise security measures for the most critical and high-risk devices while maintaining operational continuity.

Medical devices in hospitals range from imaging systems and infusion pumps to remote patient monitoring equipment. A cyberattack on any of these devices could compromise patient safety, disrupt hospital operations, and violate privacy regulations.  

There are six key steps that healthcare providers across ANZ can follow to implement an effective vulnerability management framework:

Step 1: Discover and identify devices

Use automated discovery tools to identify all medical devices connected to hospital networks. Capture details such as device type, manufacturer, IP address, and software version. Full network visibility is crucial for informed decision-making in risk management.

Step 2: Maintain a real-time device inventory

Create and regularly update an inventory of all medical devices, tracking software versions, security status, and known vulnerabilities. This helps with ongoing monitoring and highlights devices nearing end-of-life that may require upgrades or additional security measures.

Step 3: Identify and assess vulnerabilities

Use common vulnerabilities and exposures (CVE) databases and automated vulnerability scanning tools to detect security weaknesses. These tools provide real-time updates on emerging threats, helping IT teams identify devices that require immediate attention.

Step 4: Prioritise and address critical threats

Rank vulnerabilities based on their threat severity. Healthcare organisations can leverage frameworks like the known exploited vulnerabilities (KEV) catalogue to focus on active cyber threats and the exploit prediction scoring system (EPSS) to assess the likelihood of an exploit being used in an attack. This prioritisation lets security teams allocate resources to mitigate the most pressing security risks first.

Step 5: Apply virtual patching for legacy devices

For legacy devices that no longer receive manufacturer updates, virtual patching can block known exploits without modifying the device's original software. This provides real-time protection while maintaining device functionality.

Step 6: Implement network segmentation

Isolating legacy medical devices from the broader hospital network limits the potential impact of cyberattacks. Healthcare organisations can minimise exposure to external threats by restricting direct internet access and placing older devices in dedicated network segments.

Securing the future of patient care

While digital transformation has significantly improved patient care, it has also introduced heightened cybersecurity risks, particularly for legacy medical devices. A risk-based vulnerability management strategy lets healthcare providers protect critical devices while maintaining compliance with evolving cybersecurity regulations.

Healthcare organisations can strengthen their defences against emerging threats by identifying, assessing, and mitigating security vulnerabilities. With new digital health technologies continuing to shape the future of patient care, prioritising cybersecurity today will ensure healthcare systems remain secure, resilient, and patient-focused.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X
Related stories
Australian organisations have two key reasons to double down on data management
ManageEngine expands AD360 with over 100 new integrations
Sharesight unveils fintech tool to aid tax accountants
Tim Richardson joins InfoSum as first NZ team member
Amber Technology expands DPA Microphones partnership to NZ
Top stories
Twilio finds RCS adoption rising among mobile industry pros
Kore ai partners with Inception to advance AI solutions
Moveworks & Stack Overflow partner to enhance AI agents
SentinelOne tops Frost Radar for endpoint security in 2025
Elastic unveils upgrades for Elasticsearch on Google CPUs