IoMT Devices Used in 99% Of Healthcare Organizations have Known Exploited Vulnerabilities

by | Mar 30, 2025 | HIPAA News and Advice

According to a recent study of interconnected medical devices, operational technology (OT), and patient systems in hospitals and healthcare delivery organizations (HDOs), many of these devices and systems have vulnerabilities that threat actors could exploit to gain access to healthcare networks and protected health information. Financially motivated threat actors, including Russian cybercrime groups, are attacking healthcare organizations because they are regarded as easy prey: they typically have a large attack surface, weak core infrastructure, and must maintain constant access to patient data. Threat actors also consider critical-infrastructure operators more likely to pay a ransom.

Claroty, a provider of industrial cybersecurity platforms, published the State of CPS Security: Healthcare Exposures 2025 report, which studied over 2.25 million Internet of Medical Things (IoMT) devices and over 647,000 OT devices used by 351 healthcare providers. According to the report, 89% of healthcare organizations are running medical devices with publicly available exploits, and 99% of hospitals and HDOs are running IoMT devices with known exploited vulnerabilities (KEVs), that is, vulnerabilities confirmed to have been exploited in the wild. 96% of those providers have KEVs linked to ransomware activity.

IoMT devices include patient devices, imaging systems, surgical equipment, clinical IoT, and hospital data systems. Claroty found that imaging systems such as ultrasound, X-ray, MRI, and CT scanners were the most exposed category. 28% of the imaging systems Claroty reviewed had KEVs, and 11% had KEVs linked to ransomware campaigns. 8% of imaging systems had KEVs linked to ransomware combined with insecure connectivity, the combination that makes them easiest for ransomware actors to reach. 99% of the organizations in Claroty's dataset were running insecure imaging systems.

Claroty also found that 20% of hospital information systems, which manage clinical data as well as financial and administrative information, had KEVs associated with ransomware groups. These hospital information systems were also frequently insecurely connected to the Internet. OT devices such as uninterruptible power supplies, building automation devices and controllers, temperature sensors, and power distribution units could likewise give attackers a quick way in. When these devices and systems are compromised, hospital services and patient care can be disrupted: a compromised building management system can make it hard to keep temperature-sensitive drugs such as insulin properly refrigerated, and elevator outages can quickly slow the movement of patients. Claroty found that 11,693 OT devices (2% of those studied) had KEVs; 3,004 of them had KEVs linked to ransomware groups, and 4,731 had insecure connectivity.

HDOs typically have a large attack surface. A vulnerability management program helps shrink it and reduce risk, but focusing solely on vulnerability management can leave other critical exposures unaddressed. Threat actors can, for example, exploit insecurely connected systems, hardcoded credentials, default passwords, and insecure protocols that pass traffic in cleartext between users, the cloud, and devices.

Claroty recommends an exposure management-driven strategy that includes compensating controls to reduce risk, particularly around vulnerable medical devices that may require Food and Drug Administration (FDA) review before software patches and updates can be applied. In the report, Claroty lays out a 5-step action program that serves as a tactical framework going beyond vulnerability management and gives cybersecurity teams and asset owners an accurate assessment of their security posture.
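One way to operationalize the triage the report's numbers imply (KEV membership, ransomware linkage, and insecure Internet connectivity, plus the non-CVE exposures such as cleartext protocols and default credentials), shown here as an added example that is not Claroty's code or the report's method. It reads a constructed excerpt in the shape of CISA's KEV JSON feed and a constructed device inventory, and ranks devices most-urgent first. The feed's field names ("vulnerabilities", "cveID", "knownRansomwareCampaignUse") are the real ones; the CVE identifiers are real KEV entries, but the ransomware flags and the inventory are sample values and are not copied from the live feed.

```python
"""Exposure triage of a medical-device inventory against a KEV-style catalog.

Added example, not code from Claroty or the report. KEV_JSON and INVENTORY are
constructed: the CISA feed's field names are real, the flag values are samples.
"""
import json
from dataclasses import dataclass, field

# Constructed excerpt in the shape of CISA's KEV feed. Check the live feed
# for the authoritative knownRansomwareCampaignUse values.
KEV_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-2017-0144", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2021-44228", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2019-0708", "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Protocols that carry credentials or clinical data in cleartext unless
# wrapped in TLS or a VPN (DICOM and HL7 v2 are plain TCP by default).
CLEARTEXT_PROTOCOLS = {"telnet", "ftp", "http", "dicom", "hl7"}


@dataclass
class Device:
    name: str
    category: str                     # e.g. "imaging", "his", "ot", "patient"
    cves: list = field(default_factory=list)
    internet_exposed: bool = False    # reachable from the Internet
    protocols: set = field(default_factory=set)
    default_credentials: bool = False


# Constructed inventory (sample values, not real hospital data).
INVENTORY = [
    Device("ct-scanner-3", "imaging", cves=["CVE-2017-0144"],
           internet_exposed=True, protocols={"dicom", "smb"}),
    Device("his-app-01", "his", cves=["CVE-2021-44228"], protocols={"https", "hl7"}),
    Device("pacs-02", "imaging", cves=["CVE-2019-0708"], protocols={"dicom", "rdp"}),
    Device("ups-basement", "ot", protocols={"http"}, default_credentials=True),
    Device("patient-monitor-7", "patient", protocols={"https"}),
]


def load_kev(text):
    """Map each KEV cveID to True when the catalog ties it to ransomware."""
    return {e["cveID"]: e.get("knownRansomwareCampaignUse") == "Known"
            for e in json.loads(text)["vulnerabilities"]}


def triage(device, kev):
    """Return (tier, reasons); tier 0 is the most urgent.

    0: ransomware-linked KEV on an Internet-exposed device
    1: ransomware-linked KEV
    2: KEV with no known ransomware use
    3: no KEV, but a non-CVE exposure (cleartext protocol, default creds, exposed)
    4: nothing flagged
    """
    kev_hits = [c for c in device.cves if c in kev]
    ransomware_hits = [c for c in kev_hits if kev[c]]
    reasons = []
    if ransomware_hits:
        reasons.append("KEV with ransomware use: " + ", ".join(ransomware_hits))
    elif kev_hits:
        reasons.append("KEV: " + ", ".join(kev_hits))
    cleartext = sorted(device.protocols & CLEARTEXT_PROTOCOLS)
    if cleartext:
        reasons.append("cleartext protocols: " + ", ".join(cleartext))
    if device.default_credentials:
        reasons.append("default credentials")
    if device.internet_exposed:
        reasons.append("internet exposed")

    if ransomware_hits and device.internet_exposed:
        tier = 0
    elif ransomware_hits:
        tier = 1
    elif kev_hits:
        tier = 2
    elif reasons:
        tier = 3
    else:
        tier = 4
    return tier, reasons


def rank(devices, kev):
    """Devices as (tier, name, reasons), most urgent first, ties by name."""
    scored = []
    for d in devices:
        tier, reasons = triage(d, kev)
        scored.append((tier, d.name, reasons))
    return sorted(scored, key=lambda s: (s[0], s[1]))


if __name__ == "__main__":
    for tier, name, reasons in rank(INVENTORY, load_kev(KEV_JSON)):
        print(f"tier {tier}  {name:<18} {'; '.join(reasons)}")
```

Tier 0 and 1 devices that cannot be patched are where compensating controls (network segmentation, removing Internet reachability, replacing cleartext protocols with TLS-wrapped ones) apply first; the reasons list is what an asset owner needs to pick the right one.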
