99% Of Healthcare Orgs Managing IoMT Devices with Known Exploited Vulnerabilities
A recent analysis of connected medical devices, patient systems, and operational technology (OT) in hospitals and other healthcare delivery organizations (HDOs) has revealed that an alarming number of devices and systems have vulnerabilities that could be exploited by threat actors to gain access to healthcare networks and sensitive patient data. Russian cybercrime groups and other financially motivated threat actors are targeting healthcare organizations because they are viewed as easy targets. They typically have a large attack surface and security weaknesses in their core infrastructure, and because they must maintain high levels of patient care and constant access to patient data, they are viewed as the critical infrastructure sector most likely to pay a ransom demand.
The industrial cybersecurity platform provider Claroty analyzed more than 2.25 million Internet of Medical Things (IoMT) devices and more than 647,000 OT devices at 351 healthcare organizations, and the findings were published in its State of CPS Security: Healthcare Exposures 2025 report. Claroty found that 89% of healthcare organizations are running medical systems vulnerable to publicly available exploits, and 99% of hospitals and HDOs are managing IoMT devices with known exploited vulnerabilities (KEVs), with 96% of those organizations having KEVs linked to ransomware campaigns.
IoMT devices include imaging systems, patient devices, surgical devices, hospital information systems, and clinical IoT. Claroty determined that imaging systems such as MRI, ultrasound, CT scans, and X-ray were the most at risk. 28% of imaging systems analyzed by Claroty contained KEVs, with 11% having KEVs linked to ransomware campaigns. 8% of those imaging systems had KEVs linked to ransomware and insecure connectivity, making them an easy target for ransomware actors. 99% of organizations in the Claroty dataset were running vulnerable imaging systems.
Claroty also found that 20% of hospital information systems used to manage clinical data and administrative and financial information contained KEVs linked to ransomware groups, and these systems were also commonly insecurely connected to the Internet. OT devices can also provide an easy access point for cybercriminals; at HDOs these include building automation devices and controllers, uninterruptible power supplies, temperature sensors, and power distribution units. If these devices and systems are compromised, they can cause major disruption to hospital operations and patient care. For instance, compromised building management systems could make it impossible to store temperature-sensitive medications such as insulin, while disruption to elevators could easily result in unacceptable delays to patient care. Claroty found that 11,693 (2%) OT devices had confirmed KEVs, with 3,004 having KEVs linked to ransomware groups, and 4,731 devices had insecure connectivity.
HDOs often have a large attack surface, and while efforts to reduce it through a vulnerability management program can help to reduce risk, focusing exclusively on vulnerability management means other critical exposures may be ignored, and they can be just as serious. For instance, insecurely connected systems, default passwords, hardcoded credentials, and insecure protocols allowing cleartext communication between users, devices, and the cloud can all be exploited by threat actors.
Claroty recommends adopting an exposure management-driven approach, which includes compensating controls to reduce risk, in particular around vulnerable medical devices that require Food and Drug Administration (FDA) approval before software patches and firmware updates are implemented. In the report, Claroty suggests a 5-step action plan that serves as a strategic framework that goes beyond vulnerability management and gives cybersecurity teams and asset owners a true assessment of their security posture.
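As an added illustration (not code from the Claroty report or from HIPAA Journal) of the classification the findings above rest on, the script below joins a constructed device inventory against a constructed feed in the shape of CISA's Known Exploited Vulnerabilities catalog, separates plain KEVs from ransomware-linked KEVs on insecurely connected devices, and routes devices whose patch is still awaiting regulatory approval to a compensating control rather than a patch, as the exposure management approach described above suggests. The inventory field names and the CVE ids are assumptions.

```python
import json
# Constructed sample in the shape of CISA's known_exploited_vulnerabilities.json,
# reduced to the two fields read below; the CVE ids are placeholders, not real entries.
KEV_FEED_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2099-0001", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2099-0002", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed asset inventory (hypothetical field names): CVEs reported per device,
# whether it is reachable over insecure connectivity, and whether its patch still
# awaits regulatory approval. CVE-2099-0003 is deliberately absent from the feed.
INVENTORY = [
    {"id": "mri-01", "cves": ["CVE-2099-0001"], "insecure_connectivity": True,
     "patch_awaiting_approval": True},
    {"id": "ups-07", "cves": ["CVE-2099-0002"], "insecure_connectivity": False,
     "patch_awaiting_approval": False},
    {"id": "his-02", "cves": ["CVE-2099-0003"], "insecure_connectivity": True,
     "patch_awaiting_approval": False},
]

def load_kev(feed_json):
    """Map cveID -> True when the KEV entry is flagged as used in ransomware campaigns."""
    feed = json.loads(feed_json)
    return {v["cveID"]: v.get("knownRansomwareCampaignUse") == "Known"
            for v in feed["vulnerabilities"]}

def triage(inventory, kev):
    """Assign each asset the exposure tier the report distinguishes and a response."""
    out = []
    for a in inventory:
        kevs = [c for c in a["cves"] if c in kev]
        ransomware = [c for c in kevs if kev[c]]
        if ransomware and a["insecure_connectivity"]:
            tier = "kev_ransomware_insecure"   # the report's highest-risk bucket
        elif ransomware:
            tier = "kev_ransomware"
        else:
            tier = "kev" if kevs else "none"
        # Devices that cannot be patched yet get a compensating control (e.g. segmentation).
        action = ("monitor" if tier == "none" else
                  "compensating_control" if a["patch_awaiting_approval"] else "patch")
        out.append({"id": a["id"], "kevs": kevs, "tier": tier, "action": action})
    return out
def summarize(results):
    """Per-tier counts and the share of assets carrying any KEV, as the report states them."""
    tiers = {}
    for r in results:
        tiers[r["tier"]] = tiers.get(r["tier"], 0) + 1
    with_kev = sum(1 for r in results if r["kevs"])
    return {"tiers": tiers, "pct_with_kev": round(100 * with_kev / len(results), 1)}
```

Against a real inventory, the percentages returned by summarize are the same kind of figures the report quotes (share of devices with KEVs, with ransomware-linked KEVs, and with insecure connectivity).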