The devices aren't only vulnerable to hacking online. The researchers accessed the network of one unnamed health provider and found detailed information about more than 68,000 devices, including host names, a description of what the equipment does, its physical location in the hospital and the physicians assigned to it, Collao said.
Someone could easily use that information to craft a phishing attack -- a targeted email that tricks someone into opening a malicious attachment.
To get a sense of how actively hackers are targeting medical devices, Collao set up 10 "honeypots" -- computers that mimicked the appearance of medical systems to lure hackers. They attracted 55 successful logins, 24 exploits -- most using the MS09-067 Windows vulnerability -- and 299 samples of malware.
On the plus side, there was no evidence the hackers had targeted the devices specifically because they looked like medical systems, Collao said, but they're still being targeted.
"Next time you're in a hospital getting hooked up to a machine and you see an Ethernet cable going to the wall, it makes you think twice," he said.
Sign up for Computerworld eNewsletters.