
What You Should Know:
- A new report from Asimily reveals that despite the explosion of connected care, hospitals are flying blind.
- A survey of North American CISOs found that 43% list “complete device visibility” as their most urgent unsolved challenge, while one-third blame internal process breakdowns for their inability to secure medical devices. With the average hospital now managing 350,000 connected devices, the industry is struggling to move from reactive patching to proactive risk management.
Modern healthcare is a miracle of connectivity. From infusion pumps to MRI machines, the “Internet of Medical Things” (IoMT) has revolutionized patient care. But according to a new report released today by risk mitigation platform Asimily, this connectivity has outpaced the security infrastructure meant to protect it.
The report, “The State of Hospitals’ Cyber Asset Exposure Management in 2025,” paints a concerning picture of the healthcare security landscape. Despite 93% of healthcare organizations experiencing cyberattacks in the last year, hospital CISOs remain hamstrung by a fundamental problem: they cannot protect what they cannot see.
The Visibility Crisis
The sheer scale of the problem is daunting. The average hospital now houses between 10 and 15 connected medical devices per bed, totaling upwards of 350,000 IoMT devices for a single facility. Yet, the survey indicates that 43% of CISOs identify “complete device visibility” as the challenge they want to solve first—far outranking ransomware detection (24%) and compliance (22%).
“Visibility should be table stakes for security professionals,” the report notes, but the reality is that clinical engineering teams often deploy new devices without notifying IT. This creates “shadow IT” on a massive scale, where life-critical medical equipment sits on the network completely unmonitored.
It’s Not Just Tech—It’s Process
Perhaps the most revealing finding is that the biggest barrier to security isn’t hackers, but bureaucracy. When asked about the biggest hurdle to effective risk management, 33% of respondents cited “internal process issues,” making it the top complaint.
The report highlights a dangerous lack of ownership. In many hospitals, responsibility for medical devices is fractured between Clinical Engineering, Health Technology Management (HTM), and IT Security.
- The Disconnect: Technicians may patch a device or change its configuration without informing security, leading to “configuration drift” in which the security team’s record of a device no longer matches what is actually running, and new vulnerabilities go unnoticed.
- The Result: Security teams often find out about a new device only after it has been compromised.
The “Prioritization” Trap
Even when security teams do see a vulnerability, they are often paralyzed by the volume of findings. With hundreds of thousands of devices, patching everything is impossible.
The data shows that hospitals are failing to prioritize effectively. Only 22% of CISOs prioritize remediation based on device criticality and usage—the gold standard for hospital security.
- 18% still rely on manual review, a virtually impossible task given the scale.
- 15% admit to having “no clear process” for addressing IoMT vulnerabilities.
- 22% rely solely on vendor alerts, which often lag behind active threats.
“A critical CVSS score may actually have no impact in a particular network if vulnerable systems are segmented,” the report argues, suggesting that teams relying on generic scores are wasting resources on low-risk issues while high-risk devices remain exposed.
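The contextual prioritization the report describes, shown as an added illustration (this is not Asimily’s scoring model and not code from the report): a small Python script first reconciles a constructed HTM inventory against constructed network observations, flagging devices seen on the wire that HTM does not know about, then scores each known vulnerability by CVSS, clinical criticality, utilization and network exposure, with segmented VLANs discounting exposure. Every device record, vulnerability identifier, VLAN name and weight below is constructed for the example; real deployments would pull these from a CMMS, passive network monitoring and a vulnerability feed.

```python
"""Contextual IoMT vulnerability prioritization (added example, not Asimily's model).

All data below is constructed for illustration. Vulnerability ids are
placeholders, not real CVEs; field names and weights are assumptions.
"""

# What clinical engineering / HTM believes is on the floor (constructed CMMS export).
HTM_INVENTORY = [
    {"mac": "00:1A:2B:00:00:01", "model": "infusion-pump-a", "criticality": 5},
    {"mac": "00:1A:2B:00:00:02", "model": "patient-monitor-b", "criticality": 4},
    {"mac": "00:1A:2B:00:00:03", "model": "lab-analyzer-c", "criticality": 2},
]

# What passive network monitoring actually observed (constructed).
# Note the last entry: on the wire, but absent from the CMMS export above.
NETWORK_OBSERVED = [
    {"mac": "00:1a:2b:00:00:01", "vlan": "iomt-icu", "hours_in_use": 22},
    {"mac": "00:1a:2b:00:00:02", "vlan": "clinical-flat", "hours_in_use": 18},
    {"mac": "00:1a:2b:00:00:03", "vlan": "clinical-flat", "hours_in_use": 2},
    {"mac": "00:1a:2b:00:00:09", "vlan": "clinical-flat", "hours_in_use": 12},
]

# Vulnerability feed keyed by device model (constructed; ids are placeholders).
VULN_FEED = {
    "infusion-pump-a": [{"id": "vuln-1", "cvss": 9.8}],
    "patient-monitor-b": [{"id": "vuln-2", "cvss": 7.5}],
    "lab-analyzer-c": [{"id": "vuln-3", "cvss": 9.1}],
}

# VLANs firewalled off from the user/corporate network (assumed segmentation policy).
SEGMENTED_VLANS = {"iomt-icu"}


def normalize_mac(mac: str) -> str:
    """Make MACs from different sources comparable (case, separator)."""
    return mac.lower().replace("-", ":")


def build_asset_view():
    """Join CMMS records to network observations.

    Returns (managed, shadow): managed assets carry both HTM context and
    network context; shadow is the list of MACs on the network that HTM
    has no record of, i.e. the 'shadow IT' the report describes.
    """
    cmms = {normalize_mac(r["mac"]): r for r in HTM_INVENTORY}
    managed, shadow = [], []
    for obs in NETWORK_OBSERVED:
        mac = normalize_mac(obs["mac"])
        rec = cmms.get(mac)
        if rec is None:
            shadow.append(mac)
            continue
        managed.append({**rec, "mac": mac,
                        "vlan": obs["vlan"], "hours_in_use": obs["hours_in_use"]})
    return managed, shadow


def exposure_factor(vlan: str) -> float:
    """Segmentation shrinks the reachable attack surface; 0.2 is an assumed weight."""
    return 0.2 if vlan in SEGMENTED_VLANS else 1.0


def contextual_score(asset: dict, vuln: dict) -> float:
    """0..100 score combining severity with device criticality, usage and exposure."""
    severity = vuln["cvss"] / 10.0
    criticality = asset["criticality"] / 5.0
    usage = min(asset["hours_in_use"], 24) / 24.0
    return round(100 * severity * criticality * usage * exposure_factor(asset["vlan"]), 1)


def prioritize():
    """Return (remediation queue sorted by contextual score desc, shadow device MACs)."""
    managed, shadow = build_asset_view()
    queue = []
    for asset in managed:
        for vuln in VULN_FEED.get(asset["model"], []):
            queue.append({"score": contextual_score(asset, vuln), "mac": asset["mac"],
                          "model": asset["model"], "vuln": vuln["id"], "cvss": vuln["cvss"]})
    queue.sort(key=lambda q: q["score"], reverse=True)
    return queue, shadow


def cvss_only_order():
    """The naive ordering: rank by raw CVSS alone, ignoring all context."""
    managed, _ = build_asset_view()
    pairs = [(v["cvss"], a["mac"]) for a in managed for v in VULN_FEED.get(a["model"], [])]
    return [mac for _, mac in sorted(pairs, reverse=True)]


if __name__ == "__main__":
    queue, shadow = prioritize()
    print("Unmanaged devices needing inventory reconciliation:", shadow)
    print("Raw-CVSS order:", cvss_only_order())
    for item in queue:
        print(f'{item["score"]:>5}  {item["mac"]}  {item["model"]:<18} '
              f'{item["vuln"]}  cvss={item["cvss"]}')
```

In the constructed data the CVSS 9.8 infusion pump sits in a segmented ICU VLAN and drops below the CVSS 7.5 patient monitor on the flat clinical network, which is exactly the reordering the report argues for; the device HTM never recorded is surfaced separately, since nothing can be scored for it until its model and criticality are known.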
The Path Forward: From Panic to Strategy
Asimily’s findings suggest that the solution requires a cultural shift as much as a technical one. The report recommends that hospitals move away from “chasing patches” toward a holistic exposure management strategy.
This involves unifying visibility across IT, IoT, and OT devices to eliminate blind spots. But crucially, it requires establishing clear ownership channels between clinical engineering and security teams to ensure that when a device enters the building, it enters the security perimeter.
With cyberattacks costing healthcare organizations an average of $3.9 million per incident, the cost of remaining blind is no longer sustainable. As 2026 approaches, the hospitals that succeed will be those that finally bridge the gap between “medical equipment” and “cyber asset.”

