Exploited: The Cyber Truth

Security Without Code Changes: A Path Forward for FDA Compliance



In this episode of Exploited: The Cyber Truth, host Paul Ducklin tackles a core challenge in healthcare cybersecurity: how can medical device manufacturers and healthcare organizations secure legacy systems and meet FDA expectations—without rewriting a single line of code?

Guests Phil Englert, VP of Medical Device Security at Health-ISAC, and Joe Saunders, CEO of RunSafe Security, bring decades of experience to a candid discussion on what practical, compliance-ready security looks like when device updates or patches aren’t an option.

They explore how to protect long-life medical devices with limited support, how to interpret and align with evolving FDA premarket and postmarket guidance, and how tools like SBOMs are reshaping transparency and accountability in the healthcare ecosystem. The conversation emphasizes the shared responsibility between manufacturers and providers to prioritize both cybersecurity and patient safety.

In this episode:

  • What “security without code changes” really means in healthcare
  • Why legacy medical devices are difficult to secure—and what still can be done
  • The importance of SBOMs for transparency and visibility
  • How evolving FDA expectations are influencing both manufacturers and providers
  • Why cybersecurity and patient safety must now go hand in hand

If you're navigating regulatory demands or simply trying to protect vulnerable medical systems, this episode offers grounded insights and real-world strategies.


Exploited: The Cyber Truth, by RunSafe Security