Findings From Claroty’s 2025 Healthcare Exposures Report: 650,000 OT Devices Analyzed
- What is Internet of Medical Things (IoMT) Technology?
- Findings From Claroty’s State of CPS Security: Healthcare Exposures 2025 Report
- Insecure Connectivity is a Critical Threat Vector
- Legacy Systems Widen the Attack Surface
- Ransomware and Double/Triple Extortion Are Rampant
- High-Risk Device Categories
- Recommendations for Improving IoMT Security
- Conclusion
Would you like to learn more?
Download our Pentest Sourcing Guide to learn everything you need to know to successfully plan, scope, and execute your penetration testing projects.
The Internet of Medical Things (IoMT), a critical component of modern technology-enabled healthcare, is expanding rapidly, and so is its attack surface. As hospitals embrace digital transformation, their exposure grows with it. Modern healthcare is digital by default, and the connected medical devices that underpin it are a form of operational technology (OT), which brings defensive challenges that conventional IT security programs are not built for.
In a 2025 analysis by Claroty, more than 2.25 million IoMT devices and over 647,000 operational technology (OT) devices were assessed across 351 healthcare organizations. The findings were staggering: 99% of organizations had devices affected by Known Exploited Vulnerabilities (KEVs). Even more alarming, 89% of organizations had IoMT devices that combined exploitable KEVs with insecure internet connectivity, exposing hospitals to ransomware, data breaches, and disruption of clinical operations.
This article explores the implications of these findings, the unique risks posed by IoMT and OT in healthcare settings, and what organizations can do to address these urgent security gaps.
What is Internet of Medical Things (IoMT) Technology?
Internet of Medical Things (IoMT) refers to medical devices and healthcare systems that communicate over networks to collect, analyze, and transmit health data. These devices range from wearable sensors and infusion pumps to imaging systems, smart beds, and patient monitoring tools.
The term gained traction through industry publications and analyst firms such as Forbes, Deloitte, Frost & Sullivan, and IDC, which began tracking IoMT as a distinct market segment around a decade ago. The global IoMT market is expected to keep growing at a strong compound annual growth rate (CAGR) through 2034, driven by telemedicine, remote patient monitoring, and AI integration.
IoMT includes devices such as:
Medical-grade devices with network capabilities (e.g., insulin pumps, CT scanners, ECG monitors)
Wearables for health monitoring (e.g., smartwatches with ECG, fitness trackers integrated into hospital systems)
Remote care systems (e.g., telehealth-connected stethoscopes, virtual ICUs)
In-hospital connected devices (e.g., infusion pumps connected to EHR, location-tracked beds)
IoMT does not include:
Consumer-only health devices not used in clinical contexts (e.g., fitness trackers without integration into medical systems)
Non-healthcare IoT such as HVAC systems, though these are considered OT (Operational Technology) and may coexist within the same hospital networks
Administrative IT systems not directly involved in patient care (e.g., billing software)
Findings From Claroty’s State of CPS Security: Healthcare Exposures 2025 Report
Claroty’s 2025 report on Healthcare exposures reveals the startling extent of security gaps across connected medical and operational systems. The findings offer a data-driven view into how healthcare delivery organizations (HDOs) are increasingly exposed to ransomware, exploited vulnerabilities, and insecure network configurations. Here are some highlights from the report:
Insecure Connectivity is a Critical Threat Vector
Claroty’s analysis found that 89% of organizations had IoMT devices that were not only affected by Known Exploited Vulnerabilities (KEVs) but were also insecurely connected to the internet. This combination significantly increases the likelihood of compromise by remote attackers, who can reach weak or unauthenticated interfaces directly to deliver ransomware, steal patient data, or disrupt critical care operations. Insecure connectivity remains one of the most urgent, and most readily addressable, attack vectors in modern hospitals. It typically shows up in three forms:
Unencrypted Protocols: Devices that transmit data using unencrypted protocols (e.g., HTTP, Telnet, or FTP) expose sensitive patient information and device commands to interception. Attackers can perform man-in-the-middle (MITM) attacks to eavesdrop on, alter, or hijack communications between devices and healthcare systems.
Default or Hardcoded Passwords: Many IoMT and OT devices ship with default credentials or hardcoded admin passwords that are rarely changed. These credentials are often publicly documented or easily guessable, allowing attackers to gain unauthorized access and control over devices without needing to exploit software vulnerabilities.
Listening Services / Open Ports: Listening network services (or open ports) can provide entry points for attackers to probe and exploit. If vulnerabilities are discovered in an exposed service, attackers can potentially gain full remote control of the device. Without segmentation and strict firewall rules, these ports can be discovered using tools like Nmap or Shodan, enabling remote exploitation, lateral movement, and direct attacks on hospital infrastructure.
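The three exposure types above are exactly what a segment sweep should surface. The following script, added here as an illustration and not taken from the Claroty report or the original article, parses Nmap’s XML output for a medical-device VLAN, sorts every open listener into cleartext, encrypted, or unclassified, and rates each host. The scan result embedded in it is constructed for the example (the hostnames, addresses, and ports are placeholders), but the parser works on real output from `nmap -sV -oX scan.xml <range>` once clinical engineering has approved scanning the segment.

```python
"""Classify the network exposure of a medical-device VLAN from an Nmap XML scan.

Added example: the SAMPLE_SCAN_XML below is constructed, not a real scan.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Services that carry credentials, PHI or device commands in cleartext and so
# allow on-path interception or tampering (the HTTP/Telnet/FTP case above).
CLEARTEXT_SERVICES = {"telnet", "ftp", "http", "tftp", "snmp", "vnc"}
# Encrypted by design; Nmap marks TLS-wrapped services with tunnel="ssl"
# (HTTPS is reported as name="http" tunnel="ssl").
ENCRYPTED_SERVICES = {"ssh", "https", "ftps"}


@dataclass
class HostExposure:
    address: str
    hostname: str
    cleartext: List[Tuple[str, int]] = field(default_factory=list)
    encrypted: List[Tuple[str, int]] = field(default_factory=list)
    other: List[Tuple[str, int]] = field(default_factory=list)

    @property
    def risk(self) -> str:
        # Any cleartext management/data service is HIGH. Unclassified listeners
        # (Modbus, DICOM, vendor ports) still widen the attack surface: MEDIUM.
        if self.cleartext:
            return "HIGH"
        if self.other:
            return "MEDIUM"
        return "LOW"


def classify_service(name: str, tunnel: Optional[str]) -> str:
    if tunnel == "ssl" or name in ENCRYPTED_SERVICES:
        return "encrypted"
    if name in CLEARTEXT_SERVICES:
        return "cleartext"
    return "other"


def parse_nmap_xml(xml_text: str) -> List[HostExposure]:
    results = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue  # hosts that did not respond carry no listener data
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        hn = host.find("hostnames/hostname")
        exp = HostExposure(addr, hn.get("name") if hn is not None else "")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not listeners
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            tunnel = svc.get("tunnel") if svc is not None else None
            getattr(exp, classify_service(name, tunnel)).append((name, int(port.get("portid"))))
        results.append(exp)
    return results


def findings(xml_text: str) -> List[Tuple[str, str, str]]:
    """Return (risk, host, detail) rows, worst first."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    rows = []
    for h in parse_nmap_xml(xml_text):
        detail = ", ".join(f"{n}/{p}" for n, p in h.cleartext + h.other)
        rows.append((h.risk, h.hostname or h.address, detail or "no cleartext or unclassified listeners"))
    return sorted(rows, key=lambda r: order[r[0]])


# Constructed scan of a hypothetical clinical VLAN (placeholder names/addresses).
SAMPLE_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
 <host><status state="up"/><address addr="10.20.30.11" addrtype="ipv4"/>
  <hostnames><hostname name="infusion-pump-07" type="PTR"/></hostnames>
  <ports><port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port></ports></host>
 <host><status state="up"/><address addr="10.20.30.20" addrtype="ipv4"/>
  <hostnames><hostname name="pacs-01" type="PTR"/></hostnames>
  <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
   <port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/></port>
   <port protocol="tcp" portid="21"><state state="closed"/><service name="ftp"/></port></ports></host>
 <host><status state="up"/><address addr="10.20.30.40" addrtype="ipv4"/>
  <hostnames><hostname name="bms-ctrl-b2" type="PTR"/></hostnames>
  <ports><port protocol="tcp" portid="502"><state state="open"/><service name="mbap"/></port></ports></host>
 <host><status state="down"/><address addr="10.20.30.99" addrtype="ipv4"/></host>
</nmaprun>
"""

if __name__ == "__main__":
    for risk, host, detail in findings(SAMPLE_SCAN_XML):
        print(f"{risk:6} {host:18} {detail}")
```

The HIGH rows are the ones to hand to biomedical engineering first: a Telnet or HTTP management interface on an infusion pump is an interception and credential-theft path regardless of whether the firmware has a known CVE. The MEDIUM row (a Modbus listener on a building controller) is not wrong by itself, but it needs a firewall rule that restricts who may talk to it.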
Legacy Systems Widen the Attack Surface
IoMT devices frequently run on unsupported legacy operating systems (end-of-life Windows releases or vendor-frozen embedded Linux builds), making patching and hardening difficult or impossible without the manufacturer's involvement. Security teams can start by building a detailed asset inventory to identify these legacy systems and assess how exposed each one is.
Where patching is not possible, compensating controls such as network segmentation, strict firewall rules, and zero-trust access policies should be implemented. Collaborating with biomedical engineers and device manufacturers can also help advocate for timely updates or safe decommissioning plans. Continuous monitoring for anomalous behavior on these devices is essential to detect early signs of compromise.
Ransomware and Double/Triple Extortion Are Rampant
The high value of medical records on the Dark Web significantly contributes to the prevalence of ransomware attacks targeting healthcare organizations. While credit card numbers typically sell for around $5, comprehensive patient health records can fetch up to $1,000 each due to the wealth of personal information they contain.
According to Claroty's findings, 96% of organizations had IoMT devices with KEVs linked specifically to ransomware operations, giving sophisticated ransomware operators a high degree of success. Groups such as Black Basta and BlackCat/ALPHV actively exploit IoMT and OT vulnerabilities to encrypt systems, steal patient data, and demand ransom under the threat of public leaks (double extortion) or additional pressure such as DDoS attacks against the victim (triple extortion).
High-Risk Device Categories
The following categories of devices were identified as carrying the highest risk due to the presence of Known Exploited Vulnerabilities (KEVs) and insecure connectivity:
Imaging Systems: 8% of imaging systems were found to have ransomware-linked KEVs and insecure internet connectivity, and 85% of healthcare delivery organizations (HDOs) have at least one such system.
Hospital Information Systems (HIS): 20% of these systems have KEVs and insecure internet connectivity, putting patient records and care continuity at risk.
Patient Monitoring Devices: Although only 0.5% had the most severe exposures, this still represents thousands of critical endpoints vulnerable to manipulation.
Surgical Devices: Despite their smaller numbers, even one compromised robotic surgical device can endanger patient lives and interrupt high-stakes procedures.
Non-Medical Operational Technology (OT) Systems (e.g., BMS, UPS, elevators): 65% of these systems have KEVs and are internet-connected, offering attackers potential access points into the broader hospital network.
Recommendations for Improving IoMT Security
A strategic and layered approach is necessary to reduce exposure and improve the resilience of healthcare networks against IoMT-related threats.
Scoping devices by criticality: Identify which medical and operational devices support critical care or life-sustaining services, so risk can be contextualized according to patient safety and clinical impact.
Discovery and validation of exposure types: Conduct continuous inventory and validation to detect KEVs, insecure connectivity, default credentials, and other misconfigurations across IoMT and OT systems.
Prioritizing risks linked to KEVs + insecure connectivity + ransomware: Focus remediation efforts on assets that have known exploited vulnerabilities, are accessible via the public internet, and are actively targeted by ransomware groups.
Disabling unnecessary services and securing communications (e.g., certificates, encrypted protocols): Reduce the attack surface by turning off unused ports and services, and enforce secure, encrypted communication channels using TLS and valid digital certificates.
Cross-functional collaboration: Biomedical, IT, and security teams need to share responsibility for IoMT and OT device security by coordinating patch management, secure configurations, and monitoring responsibilities across departments.
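The steps above form one procedure: score devices by clinical criticality, validate their exposures, and remediate first where a known exploited vulnerability, insecure internet connectivity, and ransomware use coincide. The script below is an added example of that prioritization and is not part of the Claroty report or the original article. It reads a catalog in the shape of CISA's KEV JSON feed, whose `knownRansomwareCampaignUse` field distinguishes entries with known ransomware use, and ranks a constructed asset inventory. The CVE identifiers, asset names, and the tier ordering are placeholders and assumptions made for this example; in practice the catalog is fetched from https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and the inventory comes from the discovery tooling.

```python
"""Rank IoMT/OT assets for remediation by KEV presence, insecure connectivity,
ransomware linkage and clinical criticality.

Added example: the catalog subset and inventory below are constructed; the CVE
IDs are placeholders, not real vulnerabilities.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed subset in the shape of CISA's KEV catalog JSON (field names match
# the real feed; the CVE IDs do not refer to real vulnerabilities).
KEV_CATALOG_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-0000-0101", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0102", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-0103", "knownRansomwareCampaignUse": "Known"}
]}
"""

# Constructed inventory: criticality 1-5 is assigned by clinical engineering,
# insecure_internet comes from exposure validation (e.g. a segment sweep).
INVENTORY = [
    {"asset": "infusion-pump-07", "category": "infusion pump", "criticality": 5,
     "cves": ["CVE-0000-0101"], "insecure_internet": True},
    {"asset": "ct-scanner-02", "category": "imaging", "criticality": 4,
     "cves": ["CVE-0000-0102", "CVE-0000-0999"], "insecure_internet": True},
    {"asset": "his-app-01", "category": "HIS", "criticality": 4,
     "cves": ["CVE-0000-0103"], "insecure_internet": False},
    {"asset": "ups-b2", "category": "OT/UPS", "criticality": 2,
     "cves": ["CVE-0000-0999"], "insecure_internet": True},
    {"asset": "monitor-icu-14", "category": "patient monitor", "criticality": 5,
     "cves": [], "insecure_internet": False},
]


@dataclass(order=True)
class Finding:
    tier: int             # 0 = remediate first
    neg_criticality: int  # negated so higher criticality sorts first within a tier
    asset: str
    reason: str


def load_kev(catalog_json: str) -> Dict[str, bool]:
    """Map CVE ID -> True if CISA records known ransomware campaign use."""
    return {v["cveID"]: v.get("knownRansomwareCampaignUse") == "Known"
            for v in json.loads(catalog_json)["vulnerabilities"]}


def tier_for(device: dict, kev: Dict[str, bool]) -> Tuple[int, str]:
    kev_hits = [c for c in device["cves"] if c in kev]
    ransomware = [c for c in kev_hits if kev[c]]
    exposed = device["insecure_internet"]
    # Assumed ordering: reachability from the internet outranks ransomware
    # linkage, because exposure is what lets an operator use the KEV at all.
    if kev_hits and exposed and ransomware:
        return 0, f"KEV + ransomware-linked + insecure internet connectivity ({', '.join(ransomware)})"
    if kev_hits and exposed:
        return 1, f"KEV + insecure internet connectivity ({', '.join(kev_hits)})"
    if kev_hits:
        return 2, f"KEV present, not internet-exposed ({', '.join(kev_hits)})"
    if exposed:
        return 3, "insecure internet connectivity, no KEV"
    return 4, "no KEV, not exposed"


def prioritize(inventory: List[dict], kev: Dict[str, bool]) -> List[Finding]:
    findings = []
    for d in inventory:
        tier, reason = tier_for(d, kev)
        findings.append(Finding(tier, -d["criticality"], d["asset"], reason))
    return sorted(findings)


if __name__ == "__main__":
    for f in prioritize(INVENTORY, load_kev(KEV_CATALOG_JSON)):
        print(f"tier {f.tier}  crit {-f.neg_criticality}  {f.asset:18} {f.reason}")
```

Note that `his-app-01` lands in tier 2 even though its KEV is ransomware-linked: without insecure connectivity it is a patch-cycle item rather than an emergency, which is the distinction the "KEV + insecure connectivity + ransomware" prioritization is meant to draw. A device the discovery step has not validated should be treated as exposed until proven otherwise.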
Conclusion
Healthcare organizations face a mounting security crisis as IoMT and OT devices grow in number and in exposure. The high value of the personal information in individual medical records adds fuel to the fire, and ransomware operators target healthcare institutions relentlessly.
Claroty’s 2025 report underscores the urgency of adopting coordinated, risk-based defenses to protect patient safety and critical services. Proactive inventorying, segmentation, and cross-team collaboration are no longer optional; they are essential steps in closing dangerous gaps in the healthcare attack surface.