If a hospital computer system can be taken down because of user and IT carelessness
But this has pretty much always been the case. and not just carelessness, but ignorance of the risks, or not even being aware of all aspects of the entire hospital.
For example a hospital could put in place very secure policies- strong WPA2 security on all wireless access points, authorized devices only connecting to open ethernet jacks, security audits about how necessary it is to connect a device to the network- for example that tablet they want to use to play games in the breakroom isn't going to be given access.
Even with the most careful policies, it's easy to miss things and have them snowball from there. Even with all the above policies in place.
For example during the switch over, they sweep the building to remove all open access points, they get rid of them, and it's deemed safe.
But it's easy to miss things. For example maybe, 15 years ago they tried to setup wireless networking the first time with a wireless G router but found it unreliable and gave up. But it never got disconnected; Furthermore, the problems during the initial install were because it was connected to a plug that due to odd wiring was hooked up to the same circuit as the breakroom light switch- a light which was off when they did the sweep, so they never saw that open network access point, but every day when the light is on, the router powers up and provides free access to the hospital network. Then one day your typical user- maybe with malware on their laptop or tablet that doesn't even know about it, connects to that network when they see it in the breakroom. They've just unknowingly circumvented all of the careful policies that were put in place by IT, by connecting to a open network that they figured was IT finally capitulating to their request to use the internet on their break without having to use their mobile data. And if the malware on that system is designed to spread across the network, it does so. It get's onto the system running the CAT scan system for example, but because of their policy they have an AV program which finds the malware and sends an alert to the IT administration.
But maybe a year previous when they installed that CAT system they found that t he device drivers kept being flagged by the AV software, so they've been receiving notifications from that system every day for the last year and started ignoring them, and today is no different, only that it isn't the device driver that set it off.
Or maybe the CAT machine is using AV software that doesn't see the malware at all, but the way the malware works prevents the CAT machine from being used reliably, or maybe the machine doesn't even boot anymore.
meanwhile, the malware infects other system across the hospital and it is only with the sudden influx of issues that IT even suspects something is amiss. By the time they are even able to confirm that it is in fact a malware infection it's already infected most of the systems, many of which are no longer usable.
All started because of a Router that was setup and forgotten in a utility closet 15 years ago on a switching circuit, paired with other factors that simply couldn't be reliably expected in advance.
