In addition to getting access to patient files and information, the attackers managed to infiltrate devices such as radiology imaging software, conferencing systems, printers, firewalls, Web cameras and mail servers.

"What's concerning to us is the sheer lack of basic blocking and tackling within these organizations," said Sam Glines, chief executive of Norse. "Firewalls were on default settings. They used very simple passwords for devices. In some cases, an organization used the same password for everything.

"A decent percentage of these firms could have been eliminated from the data set if basic network and security protocol had been followed," he added.

Are firewalls too hard to use? Or are admins too lazy?

both... competent network admins are hard to find... also the decision to be open is made higher up on the chain: "waaa i don't want to have to remember a password!!! waaaa!!!!"

Haha. It is the crossroads of lazy and incompetent where attacks happen.  

Lovely, the hackers have found a new arena :(