Cybersecurity in Medical Devices and FDA

With medical devices in the cloud and applications on the interwebs, FDA has stepped up its requirements for cybersecurity. It's not just banking, or your identity being hacked through your credit cards or tax returns: St. Jude and Medtronic were both hacked in 2014 (https://www.meddeviceonline.com/doc/hacked-medtronic-boston-scientific-st-jude-networks-suffer-cybersecurity-breaches-0001).

I think I first saw this way back in 2005, while I worked at a pacemaker/defibrillator company, being joked about in a cartoon showing Dick Cheney and his defibrillator being hacked, forcing an arrhythmia. It showed Dick Cheney signing a document in normal sinus rhythm and then bam - tachycardia. And this was also an episode of Homeland (https://www.telegraph.co.uk/news/science/science-news/11212777/Terrorists-could-hack-pacemakers-like-in-Homeland-say-security-experts.html).

FDA and ISO now rely heavily on risk assessment, and cybersecurity is no exception. FDA has released numerous guidance documents, listed below, in which identifying your assets and assessing the threat risk and vulnerability of your systems is first and foremost.

If you interface with the internet in any way, be aware that you must address this in your premarket submissions or you will for sure get a deficiency.