Medical devices have become one of healthcare's most significant cybersecurity vulnerabilities. As hospitals connect more equipment to their networks, from infusion pumps to imaging systems, they're creating an expanded attack surface that cybercriminals actively exploit. This report breaks down the critical statistics healthcare security professionals need to understand the scope of medical device vulnerabilities and their impact.
Key Takeaways
- 99% of hospitals manage at least one IoMT device with a known exploited vulnerability
- The average healthcare breach cost reached $10.22 million in the U.S., up 9.2% from 2024
- Medical devices average 6.2 vulnerabilities per device, far exceeding typical enterprise hardware
- 60% of medical devices are end-of-life with no available security patches
- 77% of healthcare organizations were targeted by ransomware in 2024
Understanding IoMT Vulnerability Statistics
The Internet of Medical Things (IoMT) encompasses all connected medical devices and health IT systems, from wearable monitors and infusion pumps to MRI scanners and hospital workstations. Each device represents a potential entry point for attackers.
Medical Device Vulnerabilities by Type
| Device Category | Devices with KEVs | Organizations Affected | *KEVs Linked to Ransomware |
|---|---|---|---|
| Imaging Systems (MRI, CT, X-ray) | 28% | 99% | 8% |
| Hospital Information Systems | 20% | 60% | 20% |
| Infusion Pumps | 75% | N/A | 50%+ |
| Patient Monitors & Controllers | 86% | 70%+ | 20% |
| DICOM/PACS Workstations | 32% | N/A | 32% |
*KEV = Known Exploited Vulnerability
Key Insights:
- A research study analyzing more than 2.25 million IoMT devices across 351 healthcare organizations found that imaging systems pose the highest risk.
- These critical diagnostic tools inform treatment plans, and compromised systems can devastate triage efforts and force patient re-routing.
Root Causes of Medical Device Vulnerabilities
| Vulnerability Factor | Percentage | Impact |
|---|---|---|
| End-of-life devices without patches | 60% | No security updates available |
| Devices with weak/default credentials | 21% | Easy unauthorized access |
| Devices running an unsupported OS | 14 to 20% | Legacy Windows XP/Vista systems |
| Devices lacking endpoint protection | 87% | Cannot run antivirus or security agents |
| Average vulnerabilities per device | 6.2 | Far above enterprise hardware averages |
| Devices with internet exposure | 93% | Insecure connections to the web |
Key Insights:
- The FBI reported that 53% of networked medical devices have at least one known critical vulnerability.
- Unlike enterprise IT, many medical devices were designed for functionality rather than security, often running on legacy systems that manufacturers no longer support with updates.
Healthcare Breach Impact and Costs
The consequences of medical device vulnerabilities extend beyond IT disruptions, directly impacting patient safety and organizational finances.
Financial Impact of Healthcare Breaches
| Metric | 2024–2025 Data | Year-over-Year Change / Context |
|---|---|---|
| Average U.S. Healthcare Breach Cost | $10.22 million | +9.2% |
| Global Average Healthcare Breach Cost | $9.8 million | Highest of all industries (15th consecutive year) |
| Downtime Cost per Minute | $7,500–$9,000 | N/A |
| Average Downtime per Attack | 17+ days | N/A |
| Average Recovery Time | 100+ days | 75% of organizations report this duration |
| Detection and Escalation Costs | $1.47 million | Per incident |
Key Insights:
- Healthcare marked its fifteenth consecutive year as the most expensive industry for data breaches.
- A single incident can devastate hospitals operating on razor-thin 1-5% profit margins.
Breach Frequency and Patient Impact
| Breach Statistic | 2024–2025 Data |
|---|---|
| Healthcare Organizations Hit by Ransomware | 67 to 77% |
| Organizations That Paid Ransom | 53% |
| Patient Records Exposed in 2024 | 305+ million |
| Largest Single Breach (Change Healthcare) | 190 million records |
| Ransom Paid (Change Healthcare) | $22 million |
| Detection and Reporting Time | 205 days average |
| Publicly Accessible Medical Devices Online | 1.2 million globally |
| Emergency Department Closures per Breach | 19 days average |
| Increase in Mortality Rates at Breached Hospitals | 29% |
Key Insights:
- Research confirmed that hospitals affected by cyberattacks saw a 29% increase in inpatient mortality, while neighboring hospitals experienced an 81% surge in cardiac arrests due to emergency diversions.
Attack Vectors and Threat Landscape
From inbox to imaging network, attackers are exploiting systemic weaknesses across the healthcare ecosystem.
Email Remains Dominant Attack Vector
In 2025, Trellix recorded 54.7 million detections across healthcare customer organizations, with 85% originating through email. The United States represented 75% of all healthcare-related detections, underscoring how heavily the U.S. healthcare infrastructure is targeted.
IoMT Device Risk Factors
| Risk Category | Finding |
|---|---|
| Known Exploited Vulnerabilities (KEVs) | 99% of hospitals have at least one device with KEVs |
| KEVs Linked to Ransomware + Internet Exposure | 89% of organizations affected (top 1% riskiest devices) |
| Supply Chain Vulnerabilities | 76% of medical devices affected |
| DICOM Imaging Exposure Growth | 246% increase since 2017 |
| Devices with Exploitable Vulnerabilities | 993 vulnerabilities identified in 2024 |
| New Vulnerabilities Discovered Annually | 162+ in connected medical devices |
Operational Technology (OT) Vulnerabilities
Medical devices aren't the only concern. Building automation systems (HVAC, elevators, refrigerators, backup power) create additional entry points. Analysis of 647,000 OT devices found that 78% of organizations have OT with KEVs, and 65% have devices with confirmed KEVs that are insecurely connected to the internet. Attackers commonly exploit unpatched HVAC or electrical controllers to gain an initial foothold, then move laterally into medical imaging networks, effectively crippling radiology departments and forcing ambulance diversions.
How ORDR Secures Medical Devices Without Disrupting Care
Traditional security approaches weren’t built for medical devices. They rely on agents, scanning, or downtime, none of which are viable in clinical environments. ORDR is designed specifically for healthcare, delivering visibility and safe enforcement without disrupting patient care.
| Capability | Description |
|---|---|
| Complete Visibility | Uses passive network traffic analysis and behavioral AI trained on real-world device data to identify and profile connected medical, IT, IoT, OT, and IoMT devices, without agents or disruptive scanning. Provides real-time inventory, including device type, manufacturer, OS, clinical function, and software attributes. |
| Continuous Risk Management | Correlates CVEs, manufacturer advisories, clinical context, and network exposure, without requiring active scanning. Enables prioritized, risk-based remediation aligned to patient safety and operational impact. |
| Behavioral Threat Detection | Monitors device behavior continuously to identify anomalies, unauthorized communication, and indicators of compromise. Provides early detection for devices that cannot support traditional endpoint protection. |
| Safe Network Segmentation | Generates AI-driven segmentation policies based on real device behavior, validates them before enforcement, and integrates with existing infrastructure. Enables organizations to move toward segmentation in a controlled, phased manner, without disrupting critical systems. |
Why Healthcare Organizations Choose ORDR
ORDR enables hospitals to move from visibility to safe, continuous risk reduction, without interrupting patient care or clinical workflows.
Sources
- C2A Security: 60 Healthcare and Medical Device Cybersecurity Risk Statistics for 2025
- Claroty Team82: State of CPS Security Report: Healthcare Exposures 2025
- DeepStrike: IoMT Vulnerabilities Statistics & Security Trends 2025
- Forescout Research Labs: The Riskiest Devices of 2025
- HIPAA Journal: 99% Of Healthcare Orgs Managing IoMT Devices with Known Exploited Vulnerabilities
- Industrial Cyber: Healthcare breaches reach new cost highs as adversaries exploit expanding clinical attack surfaces
