The US Food & Drug Administration (FDA) has recently issued a final set of nonbinding recommendations on the digital security of medical devices. In a document (PDF) issued late last year, the FDA stated:
A growing number of medical devices are designed to be networked to facilitate patient care. Networked medical devices, like other networked computer systems, incorporate software that may be vulnerable to cybersecurity threats. The exploitation of vulnerabilities may represent a risk to health and typically requires continual maintenance throughout the product life cycle to assure an adequate degree of protection against such exploits. Proactively addressing cybersecurity risks in medical devices reduces the overall risk to health.
The FDA last issued a set of recommendations for medical devices in October of 2014. Although the recommendations are nonbinding, manufacturers are required to notify the FDA if a flaw in a device led to a patient being harmed.