Microsoft will officially end updates and security support for Windows 10 on October 14, 2025, completing a ten-year run. After this date, standard editions of Windows 10 will no longer receive security patches, bug fixes, or technical support. Devices running Windows 10 will continue to function, but the lack of updates raises significant cybersecurity and regulatory risks, particularly for medical devices that depend on the operating system.
What Happens After October 2025?
- No More Security Patches: Newly discovered vulnerabilities in Windows 10 will go unpatched, leaving systems exposed to ransomware, commodity malware, and nation-state attacks. The exposure grows with every Patch Tuesday the device misses.
- Extended Security Updates (Optional, paid): Microsoft sells Extended Security Updates (ESU) for Windows 10. Consumer ESU runs for one year, to October 13, 2026; organizations can renew annually for up to three years, to October 2028. ESU delivers security fixes only (no feature updates, non-security fixes, or standard support) and is a bridge, not a destination.
- Windows 10 IoT Enterprise LTSC: For embedded or critical systems such as medical devices, Windows 10 IoT Enterprise LTSC 2021 is supported until January 13, 2032, the longest lifeline available on Windows 10. This applies to the IoT Enterprise variant only: the general Windows 10 Enterprise LTSC 2021 edition ends support on January 12, 2027, and the two report different EditionID values (IoTEnterpriseS versus EnterpriseS), so verify which one is actually installed before counting on 2032.
FDA Cybersecurity Requirements
For medical device manufacturers, cybersecurity is not just a technical issue; it is a regulatory obligation under the U.S. Food and Drug Administration (FDA). The FDA expects device makers to manage cybersecurity risk throughout the device lifecycle, and the end of Windows 10 support directly affects that responsibility.
Key FDA Cybersecurity Expectations
- Secure Product Lifecycle Management
  - The FDA expects manufacturers to design and maintain devices that stay resilient against evolving threats. Running an unsupported OS breaks this principle, since new vulnerabilities will remain unpatched.
- Threat Modeling & Risk Management
  - FDA guidance emphasizes active threat modeling and ongoing risk assessment. An unsupported Windows 10 installation becomes a standing source of unpatchable vulnerabilities that compensating controls can reduce but never fully close; it must be documented and addressed in the device risk file.
- Patchability & Software Updates
  - Manufacturers are expected to provide security updates or compensating controls. Without Microsoft updates, device makers must either:
    - Migrate to a supported platform (e.g., Windows 11 or Windows 10 IoT Enterprise LTSC), or
    - Implement defensive compensating controls (e.g., network isolation, intrusion detection, application allowlisting).
- Postmarket Cybersecurity Responsibilities
  - The FDA's 2016 guidance, Postmarket Management of Cybersecurity in Medical Devices, read together with the 21 CFR Part 820 quality system requirements, expects manufacturers to monitor for vulnerabilities and deploy fixes. A device that remains on Windows 10 after October 2025 without ESU coverage may no longer meet these obligations.
- Premarket Submissions and Recertification
  - Devices submitted for FDA clearance must demonstrate cybersecurity resilience. Since 2023, section 524B of the FD&C Act also requires submissions for cyber devices to include a software bill of materials (SBOM) and a plan for monitoring and addressing postmarket vulnerabilities, so an SBOM that lists an end-of-life operating system invites scrutiny. A manufacturer that intends to ship a device on Windows 10 after support ends should expect reviewers to treat the unsupported OS as a deficiency, requiring redesign or migration.
Practical Implications for Devices running on Windows 10
- Cybersecurity Risk
  - Devices left on Windows 10 will accumulate unpatched vulnerabilities, making hospital networks and ultimately patients potential targets.
- Regulatory Non-Compliance
  - Manufacturers cannot claim adherence to FDA cybersecurity expectations if devices run unsupported software. This may lead to:
    - FDA requests for remediation plans
    - Delays or denials in premarket clearance
    - Increased liability in postmarket surveillance or recalls
- Operational & Business Impact
  - Healthcare providers may refuse to purchase or operate devices on unsupported Windows versions because of the security and HIPAA compliance risk.
  - Service contracts may need renegotiation to cover OS transition costs.
Options for Manufacturers and Healthcare Providers
| Path | Benefits | Challenges |
|---|---|---|
| Migrate to Windows 11 | Maintains ongoing security and compliance | Requires hardware/firmware compatibility (TPM 2.0, supported CPU) and full revalidation |
| Purchase ESU (2025 onward) | Buys time for transition: one year for consumers, up to three annual renewals for organizations | Security-only updates, priced per device and rising each year, still requires eventual migration |
| Adopt Windows 10 IoT Enterprise LTSC | Supported until January 2032 (LTSC 2021), stable, minimal feature changes | Licensed through the OEM/embedded channel rather than retail or standard volume licensing; regulatory re-submission may be needed |
| Implement Compensating Controls | Reduces exposure short-term (segmentation, monitoring, application allowlisting) | Does not remove the unpatched-vulnerability finding; the FDA compliance gap persists long-term |
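The tracks above differ by edition and build, and a fielded fleet usually mixes them, so the first step of any migration plan is an inventory triage. The following Python script is an added example for this article (not code from the article or from Microsoft): it classifies inventory rows by the EditionID and CurrentBuild values Windows records under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion, which the inventory export is assumed to carry, applies Microsoft's published end-of-support dates, honours any purchased ESU term, and sorts unsupported devices to the top. The device names and rows are constructed sample data.

```python
"""Triage a Windows device inventory against Windows 10 lifecycle dates.

Added example, not code from the article or from Microsoft. EditionID and
build values are assumed to come from each device's registry (CurrentVersion
key); end dates are Microsoft's published lifecycle dates.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Windows 10 22H2 (build 19045) is the final general-availability release; all
# non-LTSC editions on it lose support on the same day.
GA_END = date(2025, 10, 14)
GA_FINAL_BUILD = 19045
GA_EDITIONS = {"Core", "Professional", "Enterprise", "Education", "IoTEnterprise"}

# Long-Term Servicing Channel tracks keyed by (EditionID, build). Only the IoT
# Enterprise variant of LTSC 2021 runs to 2032; plain Enterprise LTSC 2021 ends
# in January 2027 even though both share build 19044.
LTSC_TRACKS = {
    ("EnterpriseS", 19044): ("Windows 10 Enterprise LTSC 2021", date(2027, 1, 12)),
    ("IoTEnterpriseS", 19044): ("Windows 10 IoT Enterprise LTSC 2021", date(2032, 1, 13)),
    ("EnterpriseS", 17763): ("Windows 10 Enterprise LTSC 2019", date(2029, 1, 9)),
    ("IoTEnterpriseS", 17763): ("Windows 10 IoT Enterprise LTSC 2019", date(2029, 1, 9)),
    ("EnterpriseS", 14393): ("Windows 10 Enterprise LTSB 2016", date(2026, 10, 13)),
    ("IoTEnterpriseS", 14393): ("Windows 10 IoT Enterprise LTSB 2016", date(2026, 10, 13)),
}
LTSC_EDITIONS = {edition for edition, _ in LTSC_TRACKS}


@dataclass(frozen=True)
class Device:
    name: str
    edition_id: str
    build: int                          # CurrentBuild, e.g. 19045
    esu_until: Optional[date] = None    # last day of purchased ESU coverage, if any


@dataclass(frozen=True)
class Status:
    track: str
    covered_until: Optional[date]       # OS support end or ESU end, whichever is later
    action: str

    @property
    def needs_controls(self) -> bool:
        return self.action.startswith("UNSUPPORTED")


def classify(dev: Device, today: date) -> Status:
    """Map one inventory row to its servicing track and a triage action."""
    if dev.build >= 22000:
        return Status("Windows 11", None, "not affected by the Windows 10 cutoff")
    if dev.edition_id in LTSC_EDITIONS:
        track = LTSC_TRACKS.get((dev.edition_id, dev.build))
        if track is None:
            return Status(f"{dev.edition_id} build {dev.build}", None,
                          "REVIEW: LTSC edition on an unrecognised build")
        name, end = track
    elif dev.edition_id in GA_EDITIONS:
        if dev.build < GA_FINAL_BUILD:
            # Feature updates before 22H2 expired before the October 2025 cutoff.
            return Status(f"Windows 10 build {dev.build}", None,
                          "UNSUPPORTED: pre-22H2 release, already out of support")
        name, end = "Windows 10 22H2", GA_END
    else:
        return Status(dev.edition_id, None, "REVIEW: unknown EditionID")

    # ESU extends coverage past the base end date; it never shortens it.
    covered = max(end, dev.esu_until) if dev.esu_until else end
    if today > covered:
        return Status(name, covered, "UNSUPPORTED: apply compensating controls, record in risk file")
    days_left = (covered - today).days
    if days_left <= 365:
        return Status(name, covered, f"MIGRATE: {days_left} days of coverage left")
    return Status(name, covered, "supported")


def _sort_key(row):
    status = row[1]
    unknown = date.min if status.needs_controls else date.max
    return (not status.needs_controls, status.covered_until or unknown)


def triage(inventory, today: date):
    """Return (device name, Status) pairs with unsupported devices first."""
    return sorted(((dev.name, classify(dev, today)) for dev in inventory), key=_sort_key)


# Constructed sample inventory (not real devices) and an assessment date.
AS_OF = date(2025, 11, 1)
SAMPLE_INVENTORY = [
    Device("infusion-pump-07", "IoTEnterpriseS", 19044),
    Device("ultrasound-cart-02", "EnterpriseS", 19044),
    Device("lab-analyser-11", "Professional", 19045),
    Device("lab-analyser-12", "Professional", 19045, esu_until=date(2026, 10, 13)),
    Device("imaging-ws-03", "Professional", 19044),
    Device("nurse-station-01", "Enterprise", 22631),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY, AS_OF):
        print(f"{name:20} {status.track:38} {str(status.covered_until or '-'):12} {status.action}")
```

Run it as-is to print the sample triage, or feed triage() one Device per row of your own export together with the date you are assessing. Plain Enterprise LTSC 2021 and IoT Enterprise LTSC 2021 share build 19044 and differ only in EditionID, which is why the table keys on both; confirm the dates against Microsoft's lifecycle pages before citing them in a risk file.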
Migrating a medical device from one operating system version to another is rarely straightforward. Some devices must be re-engineered to work with the new OS, which can trigger a new regulatory submission and adds cost and time for manufacturers and providers alike. Others need extensive testing and validation. Healthcare providers cannot upgrade these devices on their own; the manufacturer must approve and, typically, validate the change.
This brings up secure-by-design principles: a medical device should be planned around the most durable supported option from the start, which for Microsoft Windows is typically the Long-Term Servicing Channel (LTSC). Keeping the device's own software as independent of the underlying operating system as possible, so that the OS can be replaced without redesigning the device, is an equally important design practice to adopt.
Key Takeaways for Medical Device Manufacturers
- October 14, 2025 is the hard cutoff: after this, standard Windows 10 editions stop receiving patches and become a cybersecurity liability.
- Regulators and customers expect proactive cybersecurity risk management; unsupported OS usage will be difficult to justify.
- Short-term: Enroll devices in ESU (one year for consumers, up to three for organizations) to stay patched while migration proceeds.
- Long-term: Plan migration to Windows 11 or Windows 10 IoT Enterprise LTSC to maintain FDA compliance and protect patients.
- Start transition planning now if not already started: OS migrations in regulated environments require revalidation, updated risk documentation, and potentially FDA interaction.
Reference: https://www.microsoft.com/en-us/windows/end-of-support