The PETRAS National Centre of Excellence for IoT Systems Cybersecurity has funded a UCL research project. As a result, UCL, in partnership with BSI, the UK National Standards Body, has published a White Paper entitled “The Future of Medical Device Regulation and Standards: Dealing with Critical Challenges for Connected, Intelligent Medical Devices”.*
The White Paper sets out the gaps and opportunities for improvement in the current regulatory framework that connected, intelligent medical devices (CIMDs) create. While this insight is directed at regulators, manufacturers, software developers, clinicians, and researchers, it is exactly what supply chain managers and regulatory compliance managers need to pay attention to at the end of life of their products. CIMDs include software-based medical devices and software as a medical device, at the confluence of the Internet of Medical Things (IoMT) and artificial intelligence (AI).
While connected devices are being used in the medical and healthcare field more often, there are critical vulnerabilities in their cybersecurity and data governance practices. These can have serious consequences for patient privacy. The White Paper recommends a number of actions by standards development organizations, regulators, and international bodies in the context of widespread adoption of CIMDs in the healthcare sector.
Legacy Medical Devices
Page 44 of the white paper states that “The vast majority of medical devices and the supporting ICT and digital infrastructures in healthcare are considered ‘legacy systems’ that cannot be patched due to expired software update policies, limited availability of alternative solutions, or certification requirements”. It goes on to say that legacy devices are particularly problematic for cybersecurity because they are inherently more vulnerable to cyberattacks and compromise. It attributes this to a number of factors, and lists among the consequences “medical device malfunction, disruption of health care services (including treatment interventions), and inappropriate access to patient information”.
Now here’s the problem:
While the white paper does discuss the problems associated with legacy medical devices, what it fails to do is offer any solution for disposal. The only nod towards a solution is found on page 45, which states, “…technology vendors are limited in their ability to protect solutions developed without a security-first approach”.
YES. SECURITY FIRST. Because if security isn’t first… what is? If security is the driving force behind what to do with obsolete devices, the solution is destruction: destruction of any data, followed by disassembly, destruction, and recycling of the device. This security-first approach does three very important things:
- It protects the patient. Any data that resides on the device will be destroyed and completely unrecoverable.
- It protects the manufacturer. Obsolete devices on the secondary market present a number of problems for manufacturers. Destroying the device keeps the manufacturer in full control of the market for new devices.
- It protects the environment. Recycling responsibly is the only way to keep harmful materials and toxins out of the waste stream.
Knowing that every component of the obsolete device is going to a vetted, environmentally compliant vendor with a “security-first” approach is the only way to ensure that your patients, your company, and the environment are safe.

* Mkwashi, A. and I. Brass (2022). The Future of Medical Device Regulation and Standards: Dealing with Critical Challenges for Connected, Intelligent Medical Devices. London: PETRAS National Centre of Excellence for IoT Systems Cybersecurity. Available at: https://petras-iot.org/wp-content/uploads/2021/06/White-Paper-The-Future-of-Medical-Device-Regulation-and-Standards.pdf. DOI: 10.5281/zenodo.7054049