The OneTouch Ping is 8 years old, and J&J says newer models with encryption technology are harder to hack. However, it's not just a malicious hacker that can do damage to medical devices.
Fu tells CNBC something as simple as malware ("malicious software") loaded onto a USB drive or coming through a network connection can infect hospitals and "cause havoc."
"The bigger issue is really the continuity of operations of the hospital system," Fu said, and whether "they withstand malware of ten years ago that still breaks into medical devices."
Fu added: "The more interesting question is not whether you can hack into a device, but how well do those devices tolerate the kind of threats that are just endemic to computing today and endemic to the internet."
That risk covers "all sorts of devices that are in the hospital," Fu said. He mentioned infusion pumps, which are bedside devices in hospitals, as well as defibrillators and pacemakers, patient monitors, and radiation therapy machines.
According to security firm Symantec, healthcare providers spend an average of less than 6 percent of their information technology budget on security. That compares to financial and banking institutions, which dole out an average of more than 13 percent, and the federal government, which spends 16 percent of its IT budget on security.
Earlier this year, the U.S. Food and Drug Administration issued draft guidance to medical device manufacturers on how to address the evolving cyber threat.
In a written response, the FDA told CNBC it has "expanded the scope of its work in cybersecurity over the past several years. We have worked diligently to bring the health care community together to propose and implement shared solutions to addressing cybersecurity concerns," the agency added.
Fu acknowledged the FDA's work, but said far more needed to be done. "I think manufacturers will be improving, but it's not going to be an overnight fix."
Threat or no threat, Fu believes the benefits of advanced medical devices far outweigh the risk of any cyberattack.
"Personally, I think patients are far safer with these devices than not," he said. Still, "the patient should talk with their physician. The risk/benefit decision has to be made between the particular patient and the particular physician."