Security is a tough sell. Nobody really wants to pay for security any more than they want to pay for insurance. We recently became involved with a security project for a medical device company. In essence, they wanted us to help design a system which would enforce a single-use policy for an electronic consumable. We designed a rather elegant system which incorporates cryptographic modules which authenticate via the use of cryptographic keys. This charged us, and we decided to move forward in pursuit of medical device manufacturers who we suspected would surely love this capability. Surprisingly, despite the interest, very few medical device companies have considered security in medical devices in any noteworthy manner.
To most companies, and medical device companies are no exception, security is only considered as a solution to a problem. Once a company has had to deal with the pain of not having security, then they are willing to spend the time and money to fix the problem. Unfortunately, security cannot be added to a design very easily. It has to be built in from the beginning. Voting machine companies are feeling this pain right now.
Medical device companies are, in essence, waiting for the "train wreck" to happen. Then, and (in most cases) only then, will they decide to build security into their products. Most of our business comes from clients who have either been on the train when it wrecked, caused the train wreck, or are close to someone who has been involved in a train wreck.
An ounce of prevention is worth a pound of cure.