Nearly nine out of ten healthcare organisations have some of the riskiest internet of medical things (IoMT) devices containing known vulnerabilities, according to New York cyber-security company Claroty.

Based on analysis of over 2.25 million IoMT and 647,000-plus operational technology (OT) devices across 351 healthcare organisations, the report found 89% of organisations have the top 1% of riskiest IoMT devices, which contain known exploitable vulnerabilities (KEVs) linked to active ransomware campaigns as well as an insecure connection to the internet, on their networks. These figures represent a highly targeted, critical area where most security teams should prioritise their remediation efforts. 

As cyber attacks in the healthcare sector continue to rise in severity and the resources to prevent them remain limited, this report illuminates the medical assets at high risk for ransomware, extortion attacks and attacks exploiting insecure internet connections. Claroty’s Team82 analysed the problems that hospitals and healthcare delivery organisations (HDOs) face when identifying which vulnerabilities and exposures in medical and OT devices to prioritise for remediation.

The report details risk exposures in several key areas – hospital information systems (HIS) and, IoMT devices such as imaging, patient equipment and hospital OT systems. With disruptions to operational continuity and patient care delivery being key concerns, the report focused on a specific combination of medical device risk factors: the presence of KEVs, those KEVs being linked to ransomware and an insecure internet connection.

This represents an apex of exposures that together pose a real, imminent danger to healthcare organisations. These are the most accessible entry points for threat actors into a healthcare network, and were present in nearly every organisation analysed. Taking an exposure management-based approach to risk reduction yields a subset of devices that is manageable enough for organisations to prioritise actual, not theoretical, areas of risk.

Key findings include:

• 9% of IoMT devices contain confirmed KEVs in their systems, impacting 99% of organisations.
• 1% of IoMT devices carry KEVs linked to active ransomware campaigns and insecure internet connectivity, impacting 89% of organisations.
• 8% of imaging systems (x-rays, CT scans, MRI, ultrasound and more) have KEVs linked to ransomware and insecure internet connectivity, making this the riskiest medical device category impacting 85% of organisations. 
• 20% of HIS, which manage clinical patient data, as well as administrative and financial information, have KEVs linked to ransomware and insecure internet connectivity, impacting 58% of organisations.

“Hospitals are under immense pressure to digitally transform while ensuring the security of critical systems that support patient care,” said Ty Greenhalgh from Claroty. “Cyber criminals, especially ransomware groups, exploit outdated technology and insecure connectivity to gain footholds in hospital networks. To counter these threats, healthcare security leaders must take an exposure-centric approach, prioritising the most critical vulnerabilities and aligning remediation efforts with industry guidelines like the HHS’ HPH cyber performance goals, to protect patient safety and ensure operational continuity.”

To access Team82’s complete set of findings, analysis and recommended security measures, download the State of CPS Security: Healthcare Exposures 2025 report at claroty.com/resources/reports/state-of-cps-security-healthcare-exposures-2025.

The report is a snapshot of the vulnerability and exposure trends to IoMT and OT devices across the healthcare sector observed and analysed by Team82, Claroty’s threat research team, and data scientists. 

The Claroty (claroty.com) platform helps organisations reduce CPS (cyber physical system) risk, and is deployed by hundreds of organisations at thousands of sites globally. The company is headquartered in New York and has a presence in Europe, Asia-Pacific and Latin America.