New Research from Claroty’s Team82 Highlights Riskiest Medical Device Exposures in Healthcare Environments
“State of CPS Security: Healthcare Exposures 2025” Highlights the Most Urgent Healthcare Device and Network Vulnerabilities, Including OT Risks in Hospitals
NEW YORK – March 26, 2025 – Claroty, the cyber-physical systems (CPS) protection company, today released new research on the riskiest exposures to connected medical devices most coveted for exploitation by adversaries. Based on analysis of over 2.25 million Internet of Medical Things (IoMT) and 647,000-plus operational technology (OT) devices across 351 healthcare organizations, the “State of CPS Security: Healthcare Exposures 2025” report found 89% of organizations have the top 1% of riskiest IoMT devices – which contain known exploitable vulnerabilities (KEVs) linked to active ransomware campaigns as well as an insecure connection to the internet – on their networks. These figures represent a highly targeted, critical area where most security teams should prioritize their remediation efforts.
As cyberattacks in the healthcare sector continue to rise in severity and the resources to prevent them remain limited, this report illuminates the medical assets at high risk for ransomware, extortion attacks, and attacks exploiting insecure internet connections. Claroty’s Team82 analyzed the challenges that hospitals and healthcare delivery organizations (HDOs) face when identifying which vulnerabilities and exposures in medical and OT devices to prioritize for remediation.
The report details risk exposures in several key areas—hospital information systems (HIS), IoMT devices like imaging, patient equipment, and hospital OT systems. With disruptions to operational continuity and patient care delivery being key concerns, the report focused on a specific combination of medical device risk factors: the presence of KEVs, those KEVs being linked to ransomware, and an insecure internet connection. This represents an apex of exposures that together pose a real, imminent danger to healthcare organizations. These are the most accessible entry points for threat actors into a healthcare network, and are present in nearly every organization analyzed. Taking an exposure management-based approach to risk reduction yields a subset of devices that is manageable enough for organizations to prioritize actual, not theoretical, areas of risk.
Key Findings:
9% of IoMT devices contain confirmed KEVs in their systems, impacting 99% of organizations.
1% of IoMT devices carry KEVs linked to active ransomware campaigns and insecure internet connectivity, impacting 89% of organizations.
8% of imaging systems (X-rays, CT scans, MRI, ultrasound, and more) have KEVs linked to ransomware and insecure internet connectivity—making this the riskiest medical device category—impacting 85% of organizations.
20% of HIS, which manage clinical patient data, as well as administrative and financial information, have KEVs linked to ransomware and insecure internet connectivity, impacting 58% of organizations.
“Hospitals are under immense pressure to digitally transform while ensuring the security of critical systems that support patient care,” said Ty Greenhalgh, Industry Principal for Healthcare at Claroty. “Cybercriminals, especially ransomware groups, exploit outdated technology and insecure connectivity to gain footholds in hospital networks. To counter these threats, healthcare security leaders must take an exposure-centric approach—prioritizing the most critical vulnerabilities and aligning remediation efforts with industry guidelines like the HHS’ HPH Cyber Performance Goals—to protect patient safety and ensure operational continuity.”
To access Team82’s complete set of findings, in-depth analysis, and recommended security measures, download the “State of CPS Security: Healthcare Exposures 2025” report.
Methodology
The “State of CPS Security: Healthcare Exposures 2025” report is a snapshot of the vulnerability and exposure trends to IoMT and OT devices across the healthcare sector observed and analyzed by Team82, Claroty’s threat research team, and our data scientists.
About Claroty
Claroty has redefined cyber-physical systems (CPS) protection with an unrivaled industry-centric platform built to secure mission-critical infrastructure. The Claroty Platform provides the deepest asset visibility and the broadest, built-for-CPS solution set in the market comprising exposure management, network protection, secure access, and threat detection – whether in the cloud with Claroty xDome or on-premise with Claroty Continuous Threat Detection (CTD). Backed by award-winning threat research and a breadth of technology alliances, The Claroty Platform enables organizations to effectively reduce CPS risk, with the fastest time-to-value and lower total cost of ownership. Claroty is deployed by hundreds of organizations at thousands of sites globally. The company is headquartered in New York City and has a presence in Europe, Asia-Pacific, and Latin America. To learn more, visit claroty.com.
