Re: Oh fuck it, if it compiles then ship it
Yes, a 510K is required for a device like this (Class-III) prior to sale and use.
No, the FMEA would not necessarily outline risks due to network intrusion (but it'd be insane not to). It's up to the engineers to identify the risks, and if they don't have a security background ... well, no risks will be identified, much less a mitigation strategy developed (like requiring a VPN).
There is no required security auditing of medical software by anyone at any time. IME, properly managing a firewall is a bit beyond the typical knowledge level and skill of the people writing the code running these devices.