FDA press spokeswoman Jennifer Rodriguez said that remains true more than a year later.
But Greg Martin, CTO of ThreatStream, said just because something hasn't happened yet doesn't mean it won't. "These days, hackers span a range of motivations from criminal, activist to potential terrorist," he said. "The risk cannot be ignored on a hunch. If the vulnerability exists, it will be exploited in the wild."
McGraw comes down somewhere in the middle of that debate -- he agrees that the risks are likely very small for those other than possible targets of assassination -- but he said that doesn't mean security shouldn't be a primary concern.
As connected medical devices proliferate, he said, the risks to average people may increase. The average person has a bank account, he noted, and if malicious hackers could gain control of a person's pacemaker, they could threaten to do him harm if he didn't send the money in his account to them.
Wright agrees that the trend is toward more danger for even the average patient. With medical devices becoming part of the Internet of Things (IoT), the risks are rising, he said, noting that cyber terrorists are attracted more by ways to harm people than they are to stealing information to make a profit.
Solving the security problem by hardening the devices will not be easy, however, since they are expensive, they are made to last for years without being updated, and if manufacturers modify them, they have to seek recertification from the FDA.
Wright argued that while it may be expensive to do security modifications, manufacturers can afford it, without passing the increase along to providers or patients. "They have the best profit margin in the market," he said. "So they can take 10% and put it back into security."
Kevin McAleavey, cofounder and chief architect of the KNOS Project and a malware expert, said he believes the devices should only be connected to, "a local, private network that doesn't connect outside of that network without at least something in between that can copy and paste any necessary information and then pass it across an air gap."
He also recommended that the devices have very low power, so their signal can't travel more than a few feet. "Most pacemakers are like this and use Bluetooth, so anyone who can access them pretty much has to be in the same room as the patient."
Heimerl said authentication doesn't need to be time consuming. He said he heard of a hospital that added passwords to all of its terminals and applications, and then gave an RFI badge reader with a built-in profile to each medical staff member.
Sign up for CIO Asia eNewsletters.