Claroty, a cyber-physical systems protection firm, analyzed over 2.25 million Internet of Medical Things (IoMT) devices and more than 647,000 operational technology (OT) devices across 351 healthcare organizations. Of these organizations in Claroty’s data set, confirmed known exploited vulnerabilities (KEVs) were found in 99 percent, while 20 percent of hospital information systems that manage clinical patient data, as well as administrative and financial information, contain KEVs linked to ransomware and are insecurely connected to the internet.
The study found that 89 percent of these healthcare organizations operate medical systems susceptible to publicly available exploits, including those used by ransomware groups, and are insecurely connected to the internet. Notably, the riskiest 1 percent of IoMT devices, which have KEVs linked to active ransomware campaigns, are present on these networks. The research highlights the most vulnerable exposures in connected medical devices that are highly sought after for exploitation by adversaries.
“The cyberattacks landing on HDOs and other entities are one part of the barrage of risks chief information security officers (CISOs) face in the sector, whose one guiding goal is the preservation of patient safety and the uninterrupted availability of patient care,” Claroty said in a report titled ‘State of CPS Security: Healthcare Exposures 2025’ released on Wednesday. “CISOs are saddled with managing fleets of outdated, legacy technology that are riddled with security vulnerabilities on operating systems and other technology that is no longer supported by their respective vendors.”
The Claroty report added that patching, meanwhile, is largely out of the hands of security leaders; CISOs must sit and watch the perpetual tug-of-war between medical device manufacturers and the U.S. Food and Drug Administration (FDA), which is responsible for the validation of any cybersecurity-related changes made to medical devices.
With risk piling up and the attack surface of healthcare delivery organization (HDO) networks growing as more IoMT devices are connected to the internet, many of which were never designed with cybersecurity in mind, organizations must focus on identifying the assets most in jeopardy: not only the devices burdened by KEVs, but the subset that is most at risk of ransomware and extortion attacks and is also insecurely connected to the internet.
“Hospitals are under immense pressure to digitally transform while ensuring the security of critical systems that support patient care,” said Ty Greenhalgh, industry principal for healthcare at Claroty. “Cybercriminals, especially ransomware groups, exploit outdated technology and insecure connectivity to gain footholds in hospital networks. To counter these threats, healthcare security leaders must take an exposure-centric approach, prioritizing the most critical vulnerabilities and aligning remediation efforts with industry guidelines like the HHS’ HPH Cyber Performance Goals, to protect patient safety and ensure operational continuity.”
As of February 2025, the U.S. Department of Health and Human Services had reported 884 incidents affecting healthcare providers since January 2023, including Change Healthcare, most of which are labeled either ‘hacking’ or ‘IT incidents’ against servers, electronic records systems, email, workstations, and more. The nature of these incidents puts hospitals and HDOs on notice to secure data in storage and in transit, especially unencrypted data, the loss of which must be disclosed.
Claroty data detailed that in this critical sector, OT infrastructure is represented mostly by building automation devices, building management systems, building automation controllers, universal power supplies, temperature sensors, and power distribution units. Building management systems (BMS), for example, are used to monitor and control heating and cooling systems, electrical systems, elevators, lighting, fire safety, water distribution, pneumatic tube systems, and other medication transfer systems.
The research data noted that with regard “to the OT in our dataset, we can pare down the number of exposed devices from 2% of OT with confirmed KEVs down to 0.3% with confirmed KEVs linked to ransomware and insecure connectivity; those devices should be prioritized for remediation.”
“A compromised BMS could make it impossible to properly store medications, such as insulin, that must remain in temperature-controlled environments,” the report said. “Elevators are essential, not only for guests visiting patients, but for transporting patients between floors for treatment, surgeries, or imaging. Any disruption or manipulation of these systems could be devastating to patient care and cause unacceptable delays.
We analyzed more than 647,000 OT devices in our dataset and found that 78% of organizations have OT with KEVs, and 65% are managing devices with confirmed KEVs and are also insecurely connected to the internet.”
It noted that insecure connectivity is a critical exposure as it relates to OT. “Exposed devices that are directly connected to the internet, or are accessible using a non-enterprise-grade remote access solution, significantly amplify risk. If these devices are connected via an open port to the internet, they are assigned an IP address and can be enumerated using a number of internet-scanning services such as Shodan.”
The research data revealed that “imaging systems—X-rays, CT scans, MRI, ultrasound, and more—are the individual device category most at risk. 8% of imaging systems carry KEVs linked to ransomware, and those devices are also insecurely connected online; 85% of HDOs in our data set are impacted.”
Recognizing that a successful cyberattack that impacts imaging systems can devastate triage efforts, and any re-routing of patients to other facilities because of an inability to conduct proper imaging can add significant delays to care and put lives at risk, Claroty reported that its dataset included more than 195,000 imaging devices, 28 percent (55,473) of which contain KEVs. “Like IoMT overall, we found vulnerable imaging systems in 99% of organizations within our dataset. Again, by looking at other exposures such as links to ransomware and insecure connectivity, we were able to prioritize remediation to the most exposed devices, which are 8% of imaging systems in our data set.”
Of the 351 organizations in Claroty’s data set, a large percentage of those managing these at-risk devices have also insecurely connected them to the internet. “Connected devices are an increasingly indispensable necessity in healthcare, and organizations must understand the ramifications of insecure access. From our data, 93% of organizations have confirmed KEVs and insecure internet connections for IoMT.”
Furthermore, “when we add in KEVs linked to known ransomware, a slightly smaller percentage of organizations, 89%, are affected. Nonetheless, an overwhelming percentage of hospitals and HDOs contain exposures that can significantly impair patient care and well-being.”
Also, Claroty reported that 20 percent of hospital information systems that manage clinical patient data, as well as administrative and financial information, contain KEVs linked to ransomware and are insecurely connected to the internet. “These systems commonly run on Windows PCs, which are prevalent in hospitals. Needless to say, HIS are a rich target for adversaries, in particular those that favor extortion. A successful ransomware attack can encrypt vital systems and information, denying doctors access to patient records. Treatment may be delayed in these cases, which can endanger patients’ wellbeing, or patients may be rerouted to other facilities, again delaying treatment and introducing unacceptable risk to physical safety.”
“Within our dataset, for example, close to 5,600 HIS contain confirmed KEVs, which is a daunting number to assess and prioritize,” the research data revealed. “By adding other exposures to the calculus, cybersecurity and risk decision makers quickly get to a manageable number and percentage of devices in order to reduce risk to those most exposed. In this case, we’ve prioritized remediation for 20% of devices with confirmed KEVs linked to known ransomware and insecure connectivity, rather than 45%.”
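The narrowing described above (all devices with KEVs, then those whose KEVs are linked to known ransomware, then those that are also insecurely connected) applied to a small constructed fleet; this is an added illustration, not code from Claroty or the report. It assumes the catalog rows carry a `knownRansomwareCampaignUse` field as in the CISA KEV feed; every CVE ID, device and catalog entry is a constructed placeholder.

```python
"""Exposure-centric prioritization: has KEV -> KEV linked to ransomware -> also
insecurely connected. All CVE IDs, devices and catalog rows are constructed."""
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt shaped like CISA KEV entries (assumed field name:
# knownRansomwareCampaignUse with values "Known" / "Unknown").
KEV_CATALOG = [
    {"cveID": "CVE-1900-0001", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-1900-0002", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-1900-0003", "knownRansomwareCampaignUse": "Known"},
]
# Connectivity states the report treats as insecure exposure.
INSECURE_CONNECTIVITY = {"direct_internet", "non_enterprise_remote_access"}


@dataclass
class Device:
    name: str
    category: str      # e.g. imaging, HIS, BMS
    cves: list         # CVE IDs found on the device
    connectivity: str  # direct_internet | non_enterprise_remote_access | enterprise_vpn | isolated


# Constructed inventory: "CVE-1900-9999" is deliberately absent from the catalog.
FLEET = [
    Device("ct-01", "imaging", ["CVE-1900-0001"], "direct_internet"),
    Device("mri-02", "imaging", ["CVE-1900-0002"], "direct_internet"),
    Device("xray-03", "imaging", ["CVE-1900-0003"], "enterprise_vpn"),
    Device("his-04", "HIS", ["CVE-1900-0001", "CVE-1900-0002"], "non_enterprise_remote_access"),
    Device("bms-05", "BMS", [], "direct_internet"),
    Device("his-06", "HIS", ["CVE-1900-0003"], "isolated"),
    Device("pump-07", "infusion", ["CVE-1900-9999"], "direct_internet"),
    Device("ct-08", "imaging", ["CVE-1900-0003"], "direct_internet"),
]


def classify(devices, catalog):
    """Return the three nested tiers (has_kev >= ransomware_kev >= priority)."""
    kevs = {e["cveID"] for e in catalog}
    rw = {e["cveID"] for e in catalog if e.get("knownRansomwareCampaignUse") == "Known"}
    has_kev = [d for d in devices if set(d.cves) & kevs]
    rw_kev = [d for d in has_kev if set(d.cves) & rw]
    priority = [d for d in rw_kev if d.connectivity in INSECURE_CONNECTIVITY]
    return has_kev, rw_kev, priority


def percentages(devices, catalog):
    """Share of the fleet in each tier, the figures the report leads with."""
    return tuple(round(100 * len(t) / len(devices), 1) for t in classify(devices, catalog))


def priority_names(devices, catalog):
    return sorted(d.name for d in classify(devices, catalog)[2])


def priority_by_category(devices, catalog):
    """Where remediation effort should go first, by device category."""
    return Counter(d.category for d in classify(devices, catalog)[2])
```

On this constructed fleet the tiers shrink from 75% of devices with a KEV to 37.5% that merit immediate remediation, mirroring the report's 45% to 20% narrowing for HIS.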
Reducing a hospital’s or healthcare organization’s attack surface solely through a vulnerability management program overlooks critical exposures, such as insecurely connected systems, known vulnerabilities linked to ransomware, default passwords, hardcoded credentials, and insecure communication protocols. Adversaries increasingly target the healthcare sector with ransomware and extortion attacks, threatening data theft and patient privacy. To mitigate risks and support digital transformation, healthcare organizations must adopt an exposure management approach that includes compensating controls, particularly for vulnerable medical devices that require Food and Drug Administration (FDA) approval for updates.
Claroty proposes a five-step action plan that serves as a strategic framework beyond traditional vulnerability management and presents cybersecurity decision-makers and asset owners with a true assessment of a hospital’s security posture and a remediation plan tailored for action by risk management teams and understandable by executives. The steps are scoping, to account for critical processes by device type and department; discovery, identifying devices, their granular attributes, and their communications; prioritization, following a cybersecurity framework that considers the business impact and exploitability of exposures; validation, confirming that the full spectrum of exposures is real and externally reachable; and mobilization, reducing risk and securing operations with actionable mitigations and remediations.
“Cybersecurity threats within healthcare imperil patient care,” the report added. “Many hospitals in the throes of an incident have had to cancel non-emergency procedures, re-route patients to other facilities, and resort to updating patient records using pen-and-paper due to the unavailability of digitized patient records and other critical systems.”