by johnklos 1003 days ago
Honestly, medical security is more theater than real security. The people with marketing prowess sell crap for much, much more of a markup to the medical world than to most other industries, excepting perhaps military, and just like many other areas, marketing has much more of an influence than actual security.

Pretty much all of my experience in medical security to date has been playing games to paper over horribly insecure defaults that should never have been considered in the first place. Companies would rather choose things that are known to be insecure that others are using, so everyone is in the same boat, so to speak, than choose something demonstrably more secure that nobody else is using.

In other words, learn about marketing, marketing forces, and securing things after the fact.

1 comment

A lot of what you say rings true. I am involved in a project right now where the team members are trying to do the right thing from a development point of view. However, the bureaucracy of the centralized information security folks and the paperwork-based approach of the quality and regulatory folks make it painful. Hence reaching out to this forum to see if anyone has a good experience of doing it right.