Shane

The Growing Cybersecurity Crisis in Healthcare: 2025 Report Analysis

When Ransomware Targets Hospitals: Insights from Claroty’s Latest Report

The Claroty “State of CPS Security: Healthcare Exposures 2025” report reveals alarming vulnerabilities in healthcare systems across the United States. With ransomware attacks becoming increasingly sophisticated and targeted, healthcare delivery organizations (HDOs) face unprecedented cybersecurity challenges that directly impact patient safety and care.

  Key Findings from the Report

Based on analysis of over 2.25 million Internet of Medical Things (IoMT) devices and 647,000+ operational technology (OT) devices across 351 healthcare organizations, the report found that 89% of organizations are running medical systems vulnerable to publicly available exploits, including those actively used by ransomware gangs, while also being insecurely connected to the internet.

Other critical findings include:

  • 99% of organizations in the dataset have confirmed known exploited vulnerabilities (KEVs)
  • 8% of imaging systems (X-rays, CT scans, MRI, etc.) carry KEVs linked to ransomware and are insecurely connected online, impacting 85% of HDOs in the dataset
  • 20% of hospital information systems that manage clinical patient data, administrative, and financial information contain KEVs linked to ransomware and are insecurely connected to the internet

  Threat Actors Targeting Healthcare

Russian cybercrime gangs are deliberately targeting hospitals due to their cybersecurity weaknesses and the critical need to maintain patient care, making HDOs among the critical infrastructure targets most likely to pay ransom demands.

Two particularly dangerous groups have been responsible for major healthcare breaches:

  1. Black Basta: A Russian ransomware-as-a-service (RaaS) operation whose affiliates have targeted more than 500 organizations globally according to a Joint Advisory published in November 2024. They use exploits and phishing to gain initial footholds, followed by double-extortion techniques. The Ascension attack in May 2024, which affected critical systems, forced patient diversions, and resulted in $1.8 billion in losses, was attributed to Black Basta.
  2. BlackCat/ALPHV: A Russia-affiliated cybercrime outfit responsible for the Change Healthcare attack in February 2024. They favored triple-extortion attacks, adding DDoS threats to encryption and exfiltration methods. Following the Change Healthcare ransom payout, BlackCat may have ceased operations. The FBI believes they compromised over 1,000 organizations and received ransom payouts exceeding $300 million.

  Most Vulnerable Systems

The report highlights three main areas of concern: hospital information systems (HIS), IoMT categories such as imaging systems and patient devices, and operational technology (OT) inside hospitals, such as building management systems.

  1. Hospital Information Systems: These are the lifeblood of hospitals, managing medical, administrative, and business functions. They contain central patient health information, including physician notes, lab results, and imaging results. Of the 12,500 HIS analyzed, nearly 45% contain KEVs. About 20% have confirmed KEVs linked to known ransomware and insecure connectivity.
  2. Imaging Systems: These essential diagnostic tools (X-rays, MRIs, CT scanners, etc.) enable diagnosis of hundreds of conditions. Of the 195,000+ imaging devices analyzed, 28% contain KEVs, with 8% having KEVs linked to ransomware and insecure connectivity.
  3. Patient Devices: These include remote patient monitors, ECG monitors, and pulse oximeters. While they represented the largest subset of data (1.5 million devices), only 8% contain KEVs, with 0.5% having KEVs linked to ransomware and insecure connectivity.
  4. Connected Surgical Devices: Though relatively small in number, these represent a high-consequence exposure if compromised. Of nearly 30,000 analyzed, about 3% contain confirmed KEVs, with 0.6% having KEVs linked to ransomware and insecure connectivity.
  5. Operational Technology: This includes building automation devices, temperature sensors, and power distribution units. Of the 647,000+ OT devices analyzed, only 2% contain confirmed KEVs, with 0.3% having KEVs linked to ransomware and insecure connectivity.

  Recommended Remediation Steps

The report recommends a five-step action plan beyond traditional vulnerability management:

  1. Scoping: Account for critical processes by device type and department
  2. Discovery: Identify devices, granular attributes, and communication
  3. Validation: Validate that a full spectrum of exposures are real and externally reachable
  4. Prioritization: Follow a cybersecurity framework that considers business impact and exploitability of exposures
  5. Mobilization: Reduce risk and secure operations with actionable mitigations and remediations
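
To make the prioritization step concrete, the sketch below ranks a device inventory by the three signals the report combines: a KEV match, a ransomware link, and insecure internet connectivity. It is an added example, not code from Claroty or CinchOps; the inventory, the placeholder CVE IDs, the tier scheme and the impact weights are all assumptions, and only the `cveID` and `knownRansomwareCampaignUse` field names come from the public CISA KEV JSON feed.

```python
from dataclasses import dataclass

# Constructed KEV extract. Field names follow the CISA KEV JSON feed;
# the CVE IDs are placeholders, not real catalogue entries.
KEV_FEED = [
    {"cveID": "CVE-0000-0001", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "knownRansomwareCampaignUse": "Unknown"},
]

@dataclass(frozen=True)
class Device:
    name: str
    category: str           # HIS, imaging, patient, surgical, OT
    cves: tuple             # CVEs confirmed on the device (discovery step)
    internet_exposed: bool  # reachability confirmed (validation step)

# Assumed business-impact weights per category (higher = more critical).
IMPACT = {"HIS": 3, "surgical": 3, "imaging": 2, "patient": 2, "OT": 1}

# Constructed inventory for illustration.
INVENTORY = [
    Device("ecg-mon-17", "patient", ("CVE-0000-0003",), False),
    Device("bms-ctrl-01", "OT", ("CVE-0000-0002",), False),
    Device("pacs-02", "imaging", ("CVE-0000-0001",), False),
    Device("ct-scanner-03", "imaging", ("CVE-0000-0002",), True),
    Device("his-app-01", "HIS", ("CVE-0000-0001",), True),
]

def tier(device, kev_index):
    """1 = KEV + ransomware + exposed, 2 = KEV + one of them, 3 = KEV only, 4 = no KEV."""
    hits = [kev_index[c] for c in device.cves if c in kev_index]
    if not hits:
        return 4
    ransomware = any(use == "Known" for use in hits)
    if ransomware and device.internet_exposed:
        return 1
    if ransomware or device.internet_exposed:
        return 2
    return 3

def triage(devices, kev_feed):
    """Return (tier, name) pairs, most urgent first; impact breaks ties within a tier."""
    kev_index = {e["cveID"]: e["knownRansomwareCampaignUse"] for e in kev_feed}
    ranked = sorted(
        devices,
        key=lambda d: (tier(d, kev_index), -IMPACT.get(d.category, 1), d.name),
    )
    return [(tier(d, kev_index), d.name) for d in ranked]

if __name__ == "__main__":
    for t, name in triage(INVENTORY, KEV_FEED):
        print(f"tier {t}: {name}")
```

Devices in tier 1 are the ones the report's headline percentages count: a known exploited vulnerability, a ransomware link, and insecure internet connectivity on the same asset.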

Additionally, tactical responsibilities for securing medical devices should be shared across device owners (clinical/biomedical engineering teams), IT, and information security teams. Key areas include:

  • Patch and firmware update management
  • Closing open ports and ensuring secure protocols
  • Implementing proper configuration management
  • Managing certificate updates on medical devices
  • Disabling unnecessary services on medical devices
  • Utilizing endpoint protection where supported

 How CinchOps Can Help Secure Your Business

In light of these findings, CinchOps offers comprehensive cybersecurity solutions specifically designed for healthcare organizations. Our team of experts specializes in:

  • Comprehensive vulnerability and exposure assessments for all connected medical devices
  • Secure network architecture design to prevent unauthorized access
  • 24/7 monitoring and incident response capabilities
  • Implementation of zero-trust architectures for critical systems
  • Regular security audits and compliance checks
  • Staff security awareness training

Discover more about our enterprise-grade, business-protecting cybersecurity services on our Cybersecurity page.

The Claroty report makes it clear that traditional vulnerability management alone is insufficient for today’s complex healthcare environments. CinchOps takes a holistic approach to security, considering not just vulnerabilities but also insecure connectivity and ransomware threats to prioritize the most critical assets.

Don’t wait until your organization becomes the next victim of a devastating cyberattack. Contact CinchOps today to schedule a comprehensive security assessment and protect your patients, staff, and reputation.
