It's no surprise that healthcare facilities have bad cybersecurity policy, but few would have suspected it's this bad. Hackers can steal patient records or trick doctors into administering lethal drug overdoses. All it takes is a USB stick.

Researchers from the Independent Security Evaluators have released the results of a two-year investigation meant to examine the vulnerabilities in 12 healthcare facilities, two data centers, two live medical devices and a range of web applications. By dropping 18 infected USB drives near computer terminals and waiting for medical professionals to plug them in, researchers were able to access critical systems including patient monitors. From there, they could initiate false alarms or replace patient readings, which indicate how much medicine an individual should be given.

“On a disconnected network segment, our team demonstrated an authentication bypass attack to gain access to the patient monitor in question, and instructed it to perform a variety of disruptive tasks, such as sounding false alarms, displaying incorrect patient vitals and disabling the alarm,” the team wrote, reported the Register Thursday. “This attack would have been possible against all medical devices ... likely preventing assistance and resulting in the death or serious injury of patients.”

The survey comes after a number of serious data breaches and cyberattacks on health insurance providers, hospitals and other targets trusted with sensitive patient information. The most recent, an attack on a California hospital, left administrators no choice but to pay a $17,000 ransom fee to regain access to health records and return the hospital internet system back to normal functioning.