Healthcare’s alarming cybersecurity reality – Help Net Security
89% of healthcare organizations have the top 1% of riskiest Internet of Medical Things (IoMT) devices – which contain known exploitable vulnerabilities (KEVs) linked to active ransomware campaigns as well as an insecure connection to the internet – on their networks, according to Claroty. These figures represent a highly targeted, critical area where most security teams should prioritize their remediation efforts.
The report is based on an analysis of over 2.25 million IoMT and 647,000 operational technology (OT) devices across 351 healthcare organizations.
Security flaws in IoMT devices threaten healthcare organizations
The cyberattacks landing on healthcare delivery organizations (HDOs) and other entities are one part of the barrage of risks CISOs face in the sector, whose one guiding goal is the preservation of patient safety and the uninterrupted availability of patient care. CISOs are saddled with managing fleets of outdated, legacy technology riddled with security vulnerabilities in operating systems and other components that their respective vendors no longer support.
Patching, meanwhile, is largely out of the hands of security leaders; CISOs must sit and watch the perpetual tug-of-war between medical device manufacturers and the U.S. Food and Drug Administration (FDA), which is responsible for the validation of any cybersecurity-related changes made to medical devices. Risk piles up and the attack surface of HDO networks grows as more so-called internet of medical things (IoMT) devices are connected to the internet, many of which were never designed with cybersecurity in mind.
9% of IoMT devices contain confirmed KEVs in their systems, impacting 99% of organizations. 8% of imaging systems (X-rays, CT scans, MRI, ultrasound, and more) have KEVs linked to ransomware and insecure internet connectivity—making this the riskiest medical device category—impacting 85% of organizations.
20% of hospital information systems (HIS), which manage clinical patient data, as well as administrative and financial information, have KEVs linked to ransomware and insecure internet connectivity, impacting 58% of organizations.
Cybercrime syndicates prey on hospitals
Russian cybercrime gangs, among other profit-seeking outfits, have cold-heartedly taken aim at hospitals. Their strategy is clear: given the cybersecurity weaknesses in core infrastructure at hospitals and organizations’ need to maintain adequate levels of patient care, HDOs are considered among the critical infrastructure targets most likely to meet most ransom demands.
Ransomware groups, meanwhile, are employing more than malware that encrypts critical systems and files. Double-extortion attacks are the norm in 2025 with attackers stealing credentials and leveraging a host of vulnerabilities on internet-facing applications and systems to gain an initial foothold on a hospital network.
Two Russia-affiliated groups in particular, Black Basta and BlackCat/ALPHV, are believed responsible for 2024’s largest breaches in the healthcare sector: the attacks on Ascension and Change Healthcare, respectively.
78% of organizations taking part in the survey reported ransomware payments of $500,000 USD or more. 39% met ransom demands of between $1 million and $5 million.
Attackers are targeting not only hospitals, but the supply chain, payment processors, and other third-party organizations in the sector. Geopolitics is part of the picture as well; state-affiliated actors and cybercrime gangs collaborate and provide tacit support to meet their objectives, whether it’s profit or sowing mistrust in the healthcare sector.
IoMT vulnerabilities put hospitals at risk
The use of connected surgical devices is growing within hospitals. Ideally, there should be zero vulnerabilities in any of these systems, but they all run on software and firmware with code written by fallible humans. And while the number of at-risk devices here is relatively small, these are highly consequential exposures: if such a device is compromised in an attack and rendered unavailable, it represents a real threat to patient care and wellbeing.
IoMT devices, especially those running on legacy Windows and Linux operating systems that may no longer receive security or feature updates, are at particular risk. A large percentage of the organizations managing these at-risk devices have also connected them insecurely to the internet.
Connected devices are an increasingly indispensable necessity in healthcare, and organizations must understand the ramifications of insecure access. 93% of organizations have confirmed KEVs and insecure internet connections for IoMT.
“Hospitals are under immense pressure to digitally transform while ensuring the security of critical systems that support patient care,” said Ty Greenhalgh, Industry Principal for Healthcare at Claroty. “Cybercriminals, especially ransomware groups, exploit outdated technology and insecure connectivity to gain footholds in hospital networks. To counter these threats, healthcare security leaders must take an exposure-centric approach—prioritizing the most critical vulnerabilities and aligning remediation efforts with industry guidelines like the HHS’ HPH Cyber Performance Goals—to protect patient safety and ensure operational continuity.”
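The exposure-centric prioritization described above can be expressed as an inventory triage: devices carrying a known exploited vulnerability that is linked to ransomware and that are also insecurely connected to the internet go first. The following is an added example, not Claroty's code or data; it assumes a KEV feed shaped like the CISA KEV catalog JSON (fields `cveID` and `knownRansomwareCampaignUse`), and every device and CVE identifier in it is constructed.

```python
"""Exposure-centric triage of an IoMT/OT inventory.

Added example, not Claroty's code or data. Tiers devices the way the report
frames the riskiest 1%: a known exploited vulnerability (KEV) linked to
ransomware campaigns, combined with an insecure connection to the internet.
Feed shape follows the CISA KEV catalog JSON fields "cveID" and
"knownRansomwareCampaignUse" (assumption); all identifiers are constructed.
"""
from dataclasses import dataclass

# Constructed KEV feed excerpt; the CVE ids are placeholders, not advisories.
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "knownRansomwareCampaignUse": "Unknown"},
]}


@dataclass
class Device:
    name: str
    category: str              # e.g. "imaging", "HIS", "infusion pump"
    cves: list                 # CVE ids reported for the device
    insecure_internet: bool    # reachable from the internet without controls
    os_supported: bool         # vendor still ships security updates


def index_kev(feed: dict) -> dict:
    """Map CVE id -> True if the KEV entry is tied to ransomware campaigns."""
    return {v["cveID"]: v.get("knownRansomwareCampaignUse") == "Known"
            for v in feed["vulnerabilities"]}


def triage(devices: list, kev: dict) -> list:
    """Return (tier, name, reason) tuples sorted so tier 1 (fix first) leads."""
    ranked = []
    for d in devices:
        kevs = [c for c in d.cves if c in kev]          # confirmed KEVs only
        ransomware_linked = any(kev[c] for c in kevs)
        if kevs and ransomware_linked and d.insecure_internet:
            tier, why = 1, "ransomware-linked KEV + insecure internet connection"
        elif kevs and d.insecure_internet:
            tier, why = 2, "KEV + insecure internet connection"
        elif kevs:
            tier, why = 3, "KEV present, no insecure internet connection"
        elif not d.os_supported:
            tier, why = 4, "unsupported OS, no confirmed KEV"
        else:
            tier, why = 5, "no confirmed exposure"
        ranked.append((tier, d.name, why))
    return sorted(ranked)
```

Feeding a real inventory export and the live KEV feed into `triage` yields the same tiering the report uses to single out the riskiest 1% of devices.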