Doctors — particularly the ones that work in emergency rooms — need to have strong stomachs and level heads, since they see illness and injury at their most serious. Violence, accidents and serious diseases are all a matter of routine in the ER.

Dr. Christian Dameff, a faculty member at UC San Diego’s medical school, has seen all of that and more, since he’s also a white-hat hacker and expert in medical IoT security. He warned the audience on Thursday at the Security of Things USA convention in San Diego that the state of that security is, frankly, alarming.

Technology is a central underpinning of all modern medical treatment, according to Dameff. Many younger doctors have never worked with paper charts, or written paper prescriptions, or looked at x-rays on a lightbox – it’s all digital.

“Software powers modern healthcare. It is as essential as antibiotics, x-rays and surgery combined,” he said. “Without our technical systems, doctors today are essentially helpless for taking care of strokes, heart attacks and traumas.”

There are two central issues, according to Dameff.
Part of the problem is that security discussions in the medical field focus heavily on data security, mostly for regulatory reasons.

“When we talk about information security in healthcare, we talk about the HIPAA hammer,” he said, “because the fear of a HIPAA fine, and the fact that we have hundreds of data breaches every single year, has made this the focal point of your conversation.”

But a bigger issue is that the connected devices used to automate and speed up the tasks of care required by modern medicine are cripplingly, astonishingly vulnerable to compromise by outside agents.

The problem has existed for a long time, Dameff said, but the 2011 story of Jay Radcliffe, a diabetic security expert who discovered that a connected insulin pump he used was trivially easy to hack, helped bring the scale of the problem to the public’s attention.

“What surrounds the patient are dozens of wirelessly connected devices that are running legacy operating systems, that are unpatched, that have hard-coded credentials you can Google – that are controlling potent medications being infused into this patient that, if miscalculated or altered, can cause this patient to die. That is the state of modern healthcare IoT. We need to change it.”

Device makers need to work with doctors directly, Dameff argued, in order to usher in a newly holistic approach to the creation of medical IoT gear.

“Have them help you identify points of your product that, if it should fail, would result in patient harm, not just a compromise of their medical health information,” he said.

Hacked hospitals

Nor are connected devices the only way that poor security affects hospitals.
Aging, unpatched IT systems are vulnerable to a huge array of known hacks, and notorious attacks like WannaCry can knock entire hospital systems with custom hardware offline.

For the everyday user, this is a headache, but for a healthcare provider, it’s a much more serious issue. Ransomware and denial of service kill people, Dameff stated, by inches – when the hospital’s systems are down, it hinders urgent care, so patients suffering from heart attacks or strokes have their treatment delayed by crucial minutes or even hours. That can mean permanent disability or death.

“We can’t take care of stroke patients without functioning CT scanners. We just can’t,” he said.