Thousands of critical medical systems, such as MRI machines, are available for hackers to access online, according to researchers.
Some 68,000 medical systems from a large unnamed US health group have been exposed, they said.
Security researchers Scott Erven and Mark Collao presented their findings at hacker conference Derbycon.
They also revealed that they had created fake medical devices which attracted thousands of hackers.
Interfaces connected to medical systems were available via search engine Shodan, the researchers told conference-goers.
The researchers used Shodan – a search engine specifically for internet-connected devices – to look for exposed software from a range of health treatment providers, such as radiology and paediatric clinics, as well as one large healthcare organisation.
They told tech news website the Register that they ended up with “thousands of misconfigurations and direct attack vectors”.
Hospitals whose networking equipment and administrative computers were exposed online risked attacks and the exposure of patient data, they said.
Such information would allow attackers to build up details on health organisations, including exact information about where medical devices were housed, they added.
Then it would be a case of “crafting an email and sending it to the guy who has access to that device with a payload that will run on the machine”, Mr Collao said.
The researchers also said they had reported dozens of vulnerabilities to big-name medical device manufacturers over the past year.
The pair also ran an experiment to illustrate how hackers were already targeting medical devices.
For six months, they ran fake MRI and defibrillator machines in the form of software which mimicked the real devices.
The two fake machines attracted tens of thousands of login attempts and 299 attempts to download malware, the researchers said.
The fact that their “honeypot” devices attracted so much interest suggests that medical devices are a target for hackers, said security researcher Ken Munro.
He emphasised the need to make the real-life versions more secure.
“Medical devices should not be available on the public internet. They should be behind multiple layers of protection,” he said.
“Based on their research, we can see that hackers will have a go at devices that are clearly critical medical systems. That is scary, if unsurprising.
“What is even scarier is that the research shows that some medical devices have already been compromised.”