This is indeed amazingly naive. Security should never address a device alone but has to address the system it is part of. The size of the supply chain for medical devices and the huge variety of medical/health use cases do mean this will be difficult to achieve. I'd note that whilst we have a set of CE marks for medical equipment, the tests to be passed do not address security at all. Maybe we can work to make security tests and features for medical devices (including their software) be part of the Harmonised Standards that you have to comply with before placing equipment on the market? It'd be a step forward. I would suggest that we also need to be aware that current medical equipment marking does imply testing for safety in the right hands but that cyber-enabled devices may overturn safety if hacked.