I was discussing this earlier as I do a lot of work in the healthcare field. The problem is that over the years so many vendors/manufacturers of medical devices gotten away with dictating to the clients (hospitals, etc..) what to use and when.
Now the issue of how to use and access the device has become an issue. The security weaknesses of medical devices have always been there (CAT Scan units that only run on NT or 98) Vendors refuse to patch later operating systems as well as they can't guarantee that the patch won't break the device.
These devices are networked now (wired and wireless) opening them up to a plethora of attacks. Vendors convince the users that the product increases productivity, etc... and it gets purchased. Many of then don't support enterprise encryption and access controls and require that WEP or WPA-PSK be used.
Next time you're in a hospital have a look and see how many access points you see or how many devices have a ethernet cable. The IV pump in the room is now networked and wireless.
Here is another device with issues:
http://blogs.zdnet.com/security/?p=896dean
General Certification : CPT Practical Submission
