Regarding the security of medical devices, there is a great talk from Charles Parker II that he held at GrrCON 2017 where he highlights a lot of things going wrong in this industry. Definitely worth the time.
Another great talk from this conference is 3rd Party data burns held by Aaron 'Finux' Finnon. He talks about what you can learn if you link all kinds of dataleaks together. This talk sent a shiver down my spine.
This is an area which is scary and the risks are growing. Life-safety issues will be a tipping point for public sentiment and will shift the expectations of cybersecurity. Check out my Top 3 areas of future cybersecurity risks in this blog: https://steemit.com/security/@mrosenquist/top-3-cybersecurity-concerns-are-wrong
The biggest security risk will always be the human. I think the most important thing today is to raise awareness. Everybody should be aware that no system is 100% safe. It is important that every employee of a company should question how and why things are done in certain ways.
In the end consumers have to be educated that they don't need all of their devices connected to the internet. Who needs a dishwasher that is connected?
IoT devices have their place, but they should be built with security in mind. Many of these devices are shipped with standard logins, the device should ask the user to change the password in the setup process.
With all things it is about managing to an optimal level of risk. If someone really wants to be alerted when their clothes are dry, so be it. But there are risks to be accepted or other controls/effort that may be part of the cost to have such notifications. Finding the balance between residual risk, costs, and usability is key.
It will be always a tradeoff, but I have the feeling that many IoT devices are pushed out to generate revenue in markets that aren't needed. Is it needed to get a push notification to know when your clothes are dry or your dishes are done? The manpower to implement these devices can be put to better use in other fields.