Why Legacy Medical Devices Are Ransomware Magnets


Healthcare organizations are under constant cyber threat—and a new analysis shows that nearly all of them remain dangerously exposed. According to researchers at Claroty’s Team82, a staggering 99% of healthcare providers are vulnerable to known public exploits, leaving critical systems and devices wide open to ransomware attacks.

The healthcare sector is a prime target for cybercriminals. Its digital infrastructure is massive and often outdated, yet services must run uninterrupted. When systems go down, patient safety is at risk. This urgent need for uptime makes it incredibly difficult to patch vulnerabilities, especially in legacy medical devices. Many of these run on unsupported operating systems, and updates require lengthy FDA validation—sometimes over a year—before they can be rolled out.

Claroty’s latest report, based on its xDome platform data, analyzed over 2.25 million Internet of Medical Things (IoMT) devices and more than 647,000 operational technology (OT) devices across 351 healthcare organizations. The findings paint a grim picture: nearly all these entities have devices vulnerable to exploits listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.

Even more alarming, 20% of hospital information systems had KEV-related vulnerabilities and were insecurely connected to the internet, making them easy targets for threat actors deploying ransomware.

Pinpointing the Most Dangerous Devices Using Venn Analysis

Faced with such overwhelming vulnerability, how can hospitals even begin to prioritize fixes?

Claroty researchers suggest a focused triage strategy. They identify three core risk factors:

  1. Devices with a known KEV vulnerability
  2. KEVs associated with real-world ransomware attacks
  3. Devices with insecure connectivity (such as those exposed online or using weak remote access tools)

By overlapping these three indicators—essentially a Venn diagram—the report helps pinpoint devices at highest risk. For instance, within the 647,679 OT devices analyzed:

  • 11,693 had at least one KEV vulnerability
  • 3,004 were tied to ransomware-exploited KEVs
  • 4,731 had insecure connectivity

But only 1,763 OT devices met all three conditions—roughly 0.3% of the total.

That number, while still concerning, becomes more manageable at the organizational level. On average, each healthcare provider has around 1,845 OT devices, which means they may only need to urgently address 5 to 6 devices.

For IoMT devices, the numbers are slightly higher. Applying the same Venn-based triage, about 1% of IoMT devices—or 22,500 units—were found to be high-risk, which breaks down to around 65 critical devices per organization.
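
The three-way overlap described above can be computed directly from an asset inventory and CISA's KEV feed. The following is an added example, not code from Claroty's report: the inventory layout and device names are assumptions, the CVE IDs are placeholders, and only the two KEV field names (`cveID`, `knownRansomwareCampaignUse`) follow CISA's published JSON.

```python
# Added example: Venn-style triage over a device inventory.
# All data is constructed; CVE IDs are placeholders, not real KEV entries.
import json

# Constructed excerpt shaped like CISA's KEV JSON feed (two fields only).
KEV_FEED = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0002", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-0003", "knownRansomwareCampaignUse": "Known"}
]}""")

# Constructed inventory: (device id, CVEs found, internet exposed, weak remote access).
INVENTORY = [
    ("infusion-pump-07",  ["CVE-0000-0001"],                  True,  False),
    ("pacs-server-02",    ["CVE-0000-0002"],                  True,  False),
    ("bms-controller-11", ["CVE-0000-0003"],                  False, False),
    ("nurse-call-04",     ["CVE-0000-0009"],                  False, True),
    ("hvac-gateway-01",   ["CVE-0000-0002", "CVE-0000-0003"], False, True),
]


def triage(inventory, kev_feed):
    """Return the three risk sets and their intersection, keyed by name."""
    entries = kev_feed["vulnerabilities"]
    kev = {e["cveID"] for e in entries}
    ransomware = {e["cveID"] for e in entries
                  if e.get("knownRansomwareCampaignUse") == "Known"}
    sets = {"kev": set(), "ransomware_kev": set(), "insecure": set()}
    for dev_id, cves, exposed, weak_remote in inventory:
        found = set(cves)
        if found & kev:
            sets["kev"].add(dev_id)
        if found & ransomware:
            sets["ransomware_kev"].add(dev_id)
        if exposed or weak_remote:
            sets["insecure"].add(dev_id)
    # The centre of the Venn diagram: all three conditions hold.
    sets["urgent"] = sets["kev"] & sets["ransomware_kev"] & sets["insecure"]
    return sets


def urgent_share(inventory, kev_feed):
    """Fraction of the inventory that lands in the urgent bucket."""
    return len(triage(inventory, kev_feed)["urgent"]) / len(inventory)


if __name__ == "__main__":
    result = triage(INVENTORY, KEV_FEED)
    for name in ("kev", "ransomware_kev", "insecure", "urgent"):
        print(f"{name:15} {len(result[name])}  {sorted(result[name])}")
    print(f"urgent share: {urgent_share(INVENTORY, KEV_FEED):.0%}")
```

Note that the ransomware-linked set is always a subset of the KEV set, so in practice the urgent bucket is the ransomware-linked devices that also have insecure connectivity.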

A Practical Framework to Address Healthcare Cyber Vulnerabilities

While the Venn model offers a smarter way to prioritize, it’s only part of Claroty’s recommended five-step risk management framework:

  1. Scoping – Identify the most critical clinical and operational processes.
  2. Discovery – Map all connected assets and devices.
  3. Prioritize – Use exploitability, business impact, and threat intelligence to rank device risk.
  4. Validate – Confirm which vulnerabilities are exploitable and reachable.
  5. Mobilize – Deploy mitigation plans and security remediations.

This strategy not only narrows the focus to the most dangerous exposures, but also turns daunting numbers into actionable steps.

“Our goal,” Claroty explains in its report, “is to shine a spotlight on the devices that pose the most immediate risk—those impacted by active ransomware exploits and exposed to the internet.” By doing so, healthcare IT teams can make more strategic decisions and bolster defenses where it matters most.

As ransomware attacks grow more sophisticated and persistent, outdated medical devices continue to be the Achilles’ heel of the healthcare industry. Without a proactive triaging system, these legacy systems will remain soft targets—putting lives, data, and trust on the line.
