The researchers set up a fake MRI machine to test whether it would attract hackers Thousands of critical medical systems, such as MRI machines, are available for hackers to access online, according to researchers.
Some 68,000 medical systems from a large unnamed US health group have been exposed, they said.
Security researchers Scott Erven and Mark Collao presented their findings at hacker conference Derbycon.
They also revealed that they had created fake medical devices which attracted thousands of hackers.
Interfaces connected to medical systems were available via search engine Shodan, the researchers told conference-goers.
The researchers used Shodan - a search engine specifically for internet-connected devices - to look for exposed software from a range of health treatment providers, such as radiology and paediatric clinics, as well as one large healthcare organisation.