It is a matter of whether the threat actor has sufficient resources (both staffing and financial resources) and the motivation. The real question is about the likelihood of a threat: an always-on internet-connected medical device will have a very different threat profile than a medical device that requires direct physical access.
Is my medical device vulnerable to cyber threats?
by