Ransomware attacks on med devices a real possibility

A report issued last year remains relevant today, especially on the heels of the recent attack on public internet DNS provider Dyn that effectively shut down 1/3 of the internet for a full day. This attack used personal home and business devices such as cameras and routers to perform a controlled, distributed and highly disruptive attack. Imagine if this same attack profile were carried out using medical devices instead of home cameras and routers. Or what if malware could take control of a pacemaker and threaten the patient's life unless they pay the ransom?

These and other styles of attack are becoming more and more realistic as we move to an ever more connected, yet highly insecure, IT infrastructure in healthcare.

The technical hurdles to create such ransomware are not high. "It's definitely feasible from a technical standpoint," medical device security researcher Billy Rios wrote in an email. "Given the urgency associated with these devices, I could see it as something that could happen next year. All that would be required from an attacker standpoint is small modifications to the malware to make it work."

Medical device ransomware would be a modern form of highway robbery with lives at stake. "People who say 'oh but no one would ever do that' fail to understand that on the internet, every sociopath is your next door neighbor," Corman said. "I am increasingly uncomfortable relying on the kindness of strangers everywhere on the planet."

"Assuming that no one would do this is naive," he added, "and assuming that organizations are capable of stopping it is unmerited trust."

The software on many medical devices is poorly written and maintained, as the DHS advisory cited below points out:

The cybersecurity of most medical devices is poor. A 2013 DHS advisory, based on research by Rios and colleague Terry McCorkle, warned that 300 medical devices made by 40 different manufacturers use hard-coded passwords—passwords that are set at the factory and cannot be changed by end users—easily discoverable by downloading the manual from the manufacturer.

Even scarier, our government understands the seriousness of this and has been issuing advisories about it for quite some time now, yet the industry continues to drag its feet and act as if this couldn't happen to us.

In June, the FDA warned health care providers to stop using a drug pump due to a rudimentary cybersecurity flaw. And in September, researchers reported that honeypots pretending to be medical devices attracted more than 50,000 successful logins and nearly 300 malware payloads.

We've had an era of "low-consequence" failure in public cybercrime:

"One could argue that most of the breaches you could name"—the OPM breach, Ashley Madison dump, the Sony hack—"didn't really do any harm," Corman said. "We've had an era of low-consequence failure, and that era is now over. The consequences now are life and limb and flesh and blood, and I'm not sure we're ready for that."

November 10th, 2016 |Categories: OCR, Social Engineering, Healthcare, FDA, dhs, Security, HIPAA, Compliance, HHS
