Security leaders face a strategic quandary: when should medical devices with known security flaws be replaced, and when is a change unnecessary?