The Register has an article on Usenix Enigma security conference, which includes discussion on medical device firmware security:
Terrible infections, bad practices, unclean kit – welcome to hospital IT
Medicine is world’s worst industry for data security, it seems
[…] Therein lies the problem, he said, in that the lead time for medical devices is so long that they are outdated in today’s security terms. He showed off a pacemaker that had a debug routine that could interrupt a heartbeat and was open to anyone. In some cases, medical devices themselves were a point of infection. One device manufacturer shipped out a malware-infected firmware update that contained 38 Trojans, which then spread throughout hospitals. […]
Full article:
http://www.theregister.co.uk/2016/01/25/the_worst_industry_for_keeping_it_systems_clean_medicine/
Firmware Security 