Hospitals, already overburdened by rising patient loads and aging infrastructure, are facing a mounting cyber crisis, and many don’t even know where the threat is coming from. According to explosive new research from Claroty’s Team82, some of the most commonly used medical devices in modern healthcare systems are also the most vulnerable, creating what experts now call a "perfect storm" for ransomware and extortion attacks.
In its newly released report, State of CPS Security: Healthcare Exposures 2025, Claroty analyzed over 2.25 million Internet of Medical Things (IoMT) devices and 647,000 operational technology (OT) systems across 351 healthcare organizations. The findings paint a stark picture: 89% of organizations house the riskiest 1% of devices, a small slice of systems disproportionately linked to real-world exploitation, ransomware campaigns, and dangerous internet exposure.
“Hospitals are under immense pressure to digitally transform while ensuring the security of critical systems that support patient care,” said Ty Greenhalgh, Industry Principal for Healthcare at Claroty. “Cybercriminals, especially ransomware groups, exploit outdated technology and insecure connectivity to gain footholds in hospital networks.”
A Digital Transformation, With No Safety Net
The healthcare sector's scramble toward digital modernization has introduced thousands of connected devices into clinical workflows, from imaging systems to patient monitoring tools. But many of these were never designed with security in mind.
Claroty’s report underscores how legacy systems and patching bottlenecks, often constrained by FDA regulations and vendor inertia, are leaving hospitals exposed. In fact, 99% of surveyed organizations had confirmed known exploited vulnerabilities (KEVs) somewhere in their network. What’s worse: many of these KEVs are not hypothetical risks. They’re actively used by ransomware gangs today.
Imaging Systems: A Silent, Expensive Target
While headlines often focus on breached electronic health records or ransomware-locked admin systems, the report spotlights a quieter, and more dangerous, vector: imaging equipment. These devices, which include CT scanners, MRIs, X-rays, and ultrasound machines, are integral to diagnostics and treatment planning.
Claroty’s research found that 8% of imaging systems carried KEVs linked to ransomware and were simultaneously exposed via insecure internet connectivity, affecting a staggering 85% of organizations. If these machines go down, so does core diagnostic capability.
This represents more than just a cybersecurity threat, it’s a potential disruption to patient care at its most fundamental level.
When Health Data Becomes Hostage
In one of the most eye-popping statistics from the report, 20% of hospital information systems (HIS), which handle everything from patient records to billing, were found to harbor ransomware-linked KEVs and insecure internet connections. These systems are the brain and bloodstream of any modern hospital.
The financial implications are already playing out. Last year’s ransomware attack on Change Healthcare, the industry’s largest revenue management platform, cost parent company UnitedHealth Group a jaw-dropping $3.1 billion. The ripple effects were felt across the sector, revealing just how brittle healthcare’s digital backbone has become.
Exposure Management: A Realistic Path Forward
Unlike traditional vulnerability management approaches that treat every CVE as equal, Claroty advocates for an “exposure-centric” strategy, one that filters for KEVs specifically tied to ransomware and real-world exploits, narrowing the focus to the most urgent threats.
“This isn’t about chasing theoretical risks,” said Greenhalgh. “It’s about aligning remediation efforts with what’s actually being weaponized, and doing it in accordance with frameworks like the HHS’ Cyber Performance Goals.”
For beleaguered healthcare CISOs, who often juggle compliance, legacy tech, and limited budgets, such a focus could mean the difference between surviving a cyberattack — or becoming its next headline.
The Bottom Line
Claroty’s latest report is more than a warning, it’s a call to action. With over 884 documented cyber incidents hitting healthcare providers since 2023, according to HHS data, the attack surface is only growing. The sector must act now to secure its most vulnerable and valuable assets.
Because in healthcare, every second counts. And in cybersecurity, every device left unprotected could be the one that shuts a hospital down.