You can't fix what you can't measure. Like the focus around device risk, securing and encrypting remote access, patches and upgrades, and a cyber emergency response team. http://www.healthcareinfosecurity.com/bill-proposes-bolstering-medical-device-cybersecurity-a-10166 Would/should they also include penalties?
This recent whitepaper from ECRI speaks to what's covered in the MediTechSafe whitepaper on June 15th. I am not sure if IT leaders and others pay attention to Medical Devices! https://www.ecri.org/Resources/In_the_News/Cybersecurity_Its_Clinical_Too(Trustee).pdf