> Generally poor security practices make it easier
This. Something people don't get about hospitals.... they LOVE IT. They are IT adopters, big time. You don't hear about the tech they adopt, because they are too busy adopting it to tell you about it. They have one fucking goal: Healthcare, and they aim to meet it.
When I worked in tech support for a hospital, I took tickets for desktop PCs sitting at bench that used to be used to solder core memory.
Security was never their concern until very very late. Their concern was always getting the job done. Their concern was that they have all these patients and know all these things that they could make better if they just had more data, just had better storage, just had...
These guys are not just using new systems, they have a massive technological legacy that they can't just shut down. They are not monolithic institutions under strong CEOs, they are massive sprawling systems of department heads and decision makers, all with their own budgets, own staff, own priorities. Their systems exist in data centers....and under desks, in utility rooms, in ERs and ORs, all over the place.
Its a huge mess. Its a huge mess because of years and years of history.