This past Sunday, The Wall Street Journal published an article discussing problems with the cyber security of medical devices. See, Evans, Melanie and Peter Loftus, "Rattled by Cyberattacks, Hospitals Push Device Makers to Improve Security", Wall Street Journal, May 12, 2019, available at https://www.wsj.com/articles/rattled-by-cyberattacks-hospitals-push-device-makers-to-improve-security-11557662400. The article referenced the results of a study by the Department of Health and Human Services, which shows there was a jump in data breaches in 2014. Before 2014, less than 1 million personal health records were breached each year. Since then at least 4 million records have been breached annually.
The problem is serious enough that surgeries were cancelled due to the WannaCry and NotPetya cyberattacks.
Hospitals often insist on having information about the proprietary software used to run medical devices. The FDA recommends that manufacturers disclose the software used in medical devices to the hospitals that purchase them, and contracts are requiring disclosure as well as the ability to run penetration attacks.