
Nearly 90% of medical organizations vulnerable to cyberattacks, report finds

New research shows just how common security gaps in connected medical systems are as ransomware gangs increasingly target hospitals.
By admin
Apr 17, 2025, 11:37 AM

Nearly 9 out of 10 healthcare organizations are running medical systems vulnerable to publicly available exploits — including those actively used by ransomware gangs — while simultaneously maintaining insecure internet connections, according to Claroty’s State of CPS Security: Healthcare Exposures 2025 report.

Claroty examined over 2.25 million internet of medical things (IoMT) devices and more than 647,000 operational technology (OT) devices across 351 healthcare organizations, uncovering widespread security gaps that put patient care at risk.

Claroty identified how many devices had Known Exploited Vulnerabilities (KEVs), meaning vulnerabilities that have been identified and actively exploited in real-world attacks. The Cybersecurity and Infrastructure Security Agency (CISA) maintains a database of these vulnerabilities because they pose immediate risk: attackers already know how to use them and have the tools to do so. When a medical device has a KEV, it means hackers have a pre-made playbook for breaking into it.

While 99% of organizations in the dataset have systems with KEVs, the most at-risk devices are those where vulnerabilities intersect with other factors like ransomware exposure and insecure connectivity.

Critical systems, critical vulnerabilities

The findings reveal a healthcare sector grappling with endemic cybersecurity weaknesses that extend beyond traditional IT infrastructure to the very medical devices responsible for patient care.

  • 45% of hospital information systems contain known exploited vulnerabilities (KEVs)
  • 8% of imaging systems have KEVs linked to ransomware and are insecurely connected to the internet, impacting 85% of healthcare delivery organizations (HDOs)
  • 86% of organizations have patient devices, such as remote patient monitors and ECG monitors, with KEVs, and 70% have devices with KEVs linked to ransomware and insecure internet connections
  • 78% of organizations have operational technology (OT), including building automation systems, with KEVs, and 65% are managing OT devices with confirmed KEVs that are also insecurely connected to the internet

Russian cybercrime gangs target hospitals

Two Russia-affiliated groups—Black Basta and BlackCat/ALPHV—were behind some of the largest healthcare breaches in 2024, including attacks on Ascension and Change Healthcare.

“Their strategy is clear: given the cybersecurity weaknesses in core infrastructure at hospitals and organizations’ need to maintain adequate levels of patient care, HDOs are considered among the critical infrastructure targets most likely to meet most ransom demands,” the report notes.

In its Global State of CPS Security 2024: Business Impact of Disruptions report, Claroty found that 78% of organizations paid ransom amounting to at least $500,000. More than 25% of organizations surveyed said they lost more than $1 million from cyber incidents, and nearly 40% of organizations paid a ransom between $1 and $5 million.

The Ascension attack, which affected 140 hospitals across 19 states, resulted in $1.8 billion in losses. Meanwhile, Change Healthcare reportedly paid a $22 million ransom but never recovered its stolen data, absorbing nearly $2.5 billion in recovery and reimbursement costs.

Recommendations

The report concludes with a five-step action plan to help healthcare organizations manage exposures:

  1. Scoping: Account for critical processes by device type and department
  2. Discovery: Identify devices, their attributes, and communication patterns
  3. Validation: Confirm that exposures are real and externally reachable
  4. Prioritization: Follow a cybersecurity framework that considers business impact
  5. Mobilization: Implement actionable mitigations to reduce risk
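
The intersection the report describes (a KEV, a ransomware link, and an insecure internet connection) and the prioritization step above can be expressed as a small triage script. This is an added example, not code from Claroty or the report. The field names `cveID` and `knownRansomwareCampaignUse` follow CISA's KEV JSON feed; the CVE IDs, device inventory, `internet_exposed` flag, and four-tier scheme are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample shaped like CISA's KEV JSON feed; CVE IDs are placeholders.
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "knownRansomwareCampaignUse": "Unknown"},
]}

@dataclass
class Device:
    name: str
    category: str
    cves: list              # CVEs found during discovery
    internet_exposed: bool  # outcome of the validation step (assumed input)

# Constructed inventory covering the device classes the report lists.
INVENTORY = [
    Device("ct-scanner-01", "imaging", ["CVE-0000-0001"], True),
    Device("ecg-monitor-07", "patient device", ["CVE-0000-0002"], True),
    Device("bms-controller-02", "OT", ["CVE-0000-0001"], False),
    Device("his-server-01", "hospital information system", ["CVE-0000-0002"], False),
    Device("infusion-pump-12", "patient device", ["CVE-0000-0099"], True),
]

def tier(device, kev_index):
    """Assumed scheme: 1 = KEV + ransomware + exposed, 2 = KEV + one of
    those factors, 3 = KEV only, 4 = no KEV match."""
    hits = sorted(c for c in device.cves if c in kev_index)
    if not hits:
        return 4, hits
    ransomware = any(kev_index[c] == "Known" for c in hits)
    extra = int(ransomware) + int(device.internet_exposed)
    return 3 - extra, hits

def prioritize(inventory, feed):
    """Return (tier, device name, matched KEV ids), most urgent first."""
    kev_index = {v["cveID"]: v["knownRansomwareCampaignUse"]
                 for v in feed["vulnerabilities"]}
    rows = []
    for d in inventory:
        t, hits = tier(d, kev_index)
        rows.append((t, d.name, hits))
    return sorted(rows)

if __name__ == "__main__":
    for t, name, hits in prioritize(INVENTORY, KEV_FEED):
        print(f"tier {t}  {name:20} {', '.join(hits) or 'no KEV match'}")
```
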

The report also emphasized the need for shared cybersecurity responsibility. Only through coordinated, organization-wide efforts can healthcare providers effectively manage their cyber risk.

