Reply to post:

Um, excuse me. Do you have clearance to patch that MRI scanner?

rg287

So are scanners etc being let off the hook by not being licenced like heart valves, glucose test strips, scales, treadmills etc or are manufacturers just keeping their fingers crossed?

Anything important or critical to life would be patched.

What it means is that (prior to WannaCry), they were not going to bother going through the entire re-certification process to implement SMB3 on the console. It worked as sold and as described.

The mood is now turning that they are going to be required to keep up with technology. If you sell a bit of hardware with a projected 10-20 year life span, you are going to have to port your software to newer OSs and patch for things like TLS/SMB version deprecations instead of requiring customers to keep old servers around to talk to your old XP-based consoles.

There are two aspects here - regulators need to require it and hold vendors accountable, but they also need to make their approval processes quick and streamlined.

You might be able to put your software through a ruinously expensive one-off testing and approval process the first time, but if the process is based around one-off approvals and is too difficult and expensive for things like point updates (e.g. disabling SMB1/implementing SMB3), then it won't get done. Ultimately the cost of that is borne by the customer (the hospitals), who have a finite budget. So the regulators need to ensure they're striking the right balance between being vigilant, but also letting vendors get updates out in a timely and cost-effective fashion.
