> They probably ask more cybersecurity questions than any other group
And therein lies the problem. Ask lots of questions on paper, and you get something that is very secure on paper.
But if you want something actually secure, you need to do pentests, have a substantial bounty program, have the design+code inspected by security reviewers, etc.
That FDA review division does require that information and testing to be supplied with infusion pump testing. In fact, they are one of the few that routinely asks for substantial testing in repeated deficiency requests.
And therein lies the problem. Ask lots of questions on paper, and you get something that is very secure on paper.
But if you want something actually secure, you need to do pentests, have a substantial bounty program, have the design+code inspected by security reviewers, etc.