by oneepic 2414 days ago
This may vary by hospital, but in general many hospital IT staff tend not to be very good with computers, from my experience. Many are more focused on business/bureaucracy, or maybe they're just unskilled. I don't mean to attack their character, but instead to make the point that some very unqualified people are in charge of very important systems.

(Edit: My first job was hospital IT for a few months, and my boss was actually a pretty skilled programmer with a good grasp on security. So there are definitely exceptions.)

I imagine not many hospitals hire security talent either, or that they do much security beyond the "change your password" email every 6 months. Oh, and doctors/nurses/etc. tend to ignore those emails.

1 comment

Agreed with this. IT in hospitals is perpetually underfunded and basically a playground for creatures of corporate politics. Between administrative staff who think their medical credentials qualify them to micromanage IT decisions and perpetually underfunded departments, I'm actually shocked that their systems aren't regularly crippled or destroyed by malicious entities.

Don't assume your medical data is secure. Systems that conform to HIPAA regulations are just one part of their computing infrastructure, and it's trivial to maliciously access a huge surface area outside of those specific pieces of hardware and software--and once a malicious actor has that access, it's not too hard to cross the gap.