Dan Kaminsky, director of penetration testing for IOActive, a Seattle-based security company, agreed that the threat should not scare heart patients right now.
"Within wireless distance of you, the number of attackers is necessarily pretty small," Kaminsky said. "It's not to say the devices can't be attacked. They can be. ... It is something for the implant device [user] to think about it."
Kaminsky said he would be more concerned about monitors -- such as heart monitors -- in hospitals. Security experts found that the Conficker worm that struck in March 2009 infected life-saving machines in hospitals, according to Kaminsky.
But, "in general, the most likely attacks against the medical system are that you always have to follow the money, or are going to be disclosures of medical information," said Kaminsky.
Having software vulnerable to attacks is not unique to manufacturers of medical devices, Kaminsky said, adding that software engineers often focus on quality or speed rather than security.
"There's a lot of coming to terms with this new engineering requirement of security, just as power people had to come to terms with being green [energy efficient]," said Kaminsky.
Indeed, the FDA already has issued guidance drafts regarding cyber security, according to FDA spokeswoman Peper Long.
The FDA has not heard reports of malicious attacks on pacemakers, ICDs or insulin pumps, Long said.
"We haven't seen adverse events data that indicate that this is happening on a widespread basis," she said. But, "we certainly share the concern about device privacy and security."
Medtronic, a major manufacturer of ICDs, said in a statement that the company "believe[s] the risk of deliberate, malicious, or unauthorized manipulation of an implantable device is extremely low."
"In fact, to our knowledge, there has never been a single reported incident of such an event outside of controlled laboratory experiments in more than 30 years of device telemetry use, which includes millions of implants worldwide," the statement said.
Still, the company said it would "welcome the opportunity to work with the FDA, health care practitioners, and other medical device manufacturers to define and establish formal device security guidelines."
The Advanced Medical Technology Association put out a similar prepared statement in response to the New England Journal of Medicine article.
"Medical device manufacturers are committed to patient safety and take seriously any threats to patient care and privacy no matter how remote or unlikely the scenario," said Janet Trunzo, executive vice president of technology and regulatory affairs for the association, in the group's statement.
Still, computer security experts say most software engineers need to think ahead before designing a device and to think critically about the risk and probability of an attack, rather than to dwell on the track records of the past.
"Most of the security researchers agree that security cannot be added on," said Mustaque Ahamad, director of the Georgia Tech Information Security Center in Atlanta.
Ahamad said most parties involved -- from doctors to the FDA and manufacturers -- will have to work together to determine a level of security. Moreover, every extra measure of security will add cost to the life-saving device.
"In security, we have something called threat modeling," Ahamad said. "There is always a sort of debate about what is a real threat and what is possible. But the risk is so low that we're not going to worry about it."