"As the staff approached the workstation, the application would log them on and preload the applications that the person put in their profile. They added great security, and the caregiver was required to enter only a three- or four-letter/digit PIN to finish the logon process -- so it was simple," he said.
Several experts said they think government needs to play a more explicit role. Heimerl wondered aloud about the FDA Safety Communication. "Is it a mandate? Is it a regulatory requirement?"
McGraw said there is progress being made, however. "The good news is that very good people are working on it," he said, citing Kevin Fu, associate professor at the University of Michigan and director of the Archimedes Center for Medical Device Security, who moderated the recent NIST ISPAB discussion.
"Manufacturers want to do it," he added. "We don't have to convince them that there are issues."
But he agreed that improving device security will be time-consuming and costly, and will never be perfect.
"A lot of people think security is a thing. It's a property," he said, and must be designed with expected threats in mind. Deciding on those threats is "a trade-off that every day the manufacturers and patients need to think about. Which one would you pick, and how much would you pay?
"There is no right answer," he said.