
Re: Is it that hard
The problem is not lack of doctors with an infosec background, although that's true enough. The problem is that updating the code on the device throws you back into the FDA black hole until you go through a very expensive certification process. Changing the firmware is not a simple thing, as changing the code makes it a "new" device.
I've seen this with pretty much anything you can care to think of in the medical field. The legal system needs to be "adjusted" to this type of situation. And that's ignoring entirely the medical liability that can occur around these types of changes. I consider that a wash since the "old" code is a ticking liability time bomb; however, I'm pretty confident that the company's legal team has a contrary view on liability. After all, the FDA approved that old code.