- Rising exposure: The rapid growth of IoMT (networked medical devices such as monitors, pumps, and imaging systems) has vastly expanded the attack surface of hospitals.
- Critical vulnerability stats:
  - Each device averages 6.2 software bugs.
  - 60% of devices are end-of-life and lack security patches.
  - 99% of hospitals have at least one IoMT device with a known exploited vulnerability.
- Financial & operational impact:
  - Average healthcare breach cost: $10M (IBM, 2025).
  - 77% of providers suffered ransomware attacks in 2024.
- Why it matters: IoMT weaknesses directly threaten patient safety, data integrity, and regulatory compliance (HIPAA, FDA, NIST CSF).
- Best-practice defenses:
  - Maintain SBOMs (Software Bills of Materials).
  - Enforce network segmentation and access control.
  - Conduct specialized IoMT penetration testing to identify exploitable flaws.
- Key takeaway: Securing IoMT ecosystems requires continuous visibility, patch governance, and targeted pentesting to prevent costly, life-impacting breaches.
What Is IoMT and Why It Matters
The Internet of Medical Things (IoMT) refers to all the connected medical devices and applications in healthcare, from wearable heart monitors and infusion pumps to MRI scanners and hospital IT systems.
This network is growing explosively: with 166,548 hospitals projected globally by 2029, each with 10 to 15 connected devices per bed (1.67M devices in total), IoMT devices already outnumber hospital staff in many facilities. The appeal is clear: real-time patient monitoring and smarter treatment.
But complexity breeds risk. Unlike consumer IoT, these devices must not only handle data securely but also deliver life-critical care. This means that even minor vulnerabilities, like default passwords on an IV pump, can have fatal consequences.
Why it matters now: Healthcare environments are under attack more than ever. Government and industry reports show nearly every hospital network has at least one critical, unpatched IoMT flaw.
The stakes are high: ransomware and data breaches in healthcare have skyrocketed, delaying patient care by an average of 19 days per incident and leaking millions of records. As of 2025, IoMT security is a boardroom issue: regulators and insurers demand proof of robust defenses (including penetration tests and SBOMs) before approving new devices or policies.
This guide dives into the latest IoMT vulnerability statistics for 2024-2025, their real-world impact, and steps to protect your devices and data.
IoMT Vulnerability Landscape: Key Statistics 2024-2025
- Ubiquity of flaws:
  - In one global survey, 99% of hospitals and healthcare organizations had IoMT devices with at least one known exploited vulnerability (KEV).
  - In fact, Claroty data shows 93% of providers had confirmed KEVs on devices and insecure Internet connections.
  - The FBI reports that 53% of networked medical devices carry at least one known critical CVE. In other words, every healthcare network we’ve seen has multiple ways in.
- Device exposure:
  - A Health-ISAC survey in 2025 identified 1.2 million publicly accessible medical devices online (MRI/CT scanners, X-ray and DICOM viewers, lab systems, etc.).
  - This explosive exposure (nearly 3× growth since 2021) means adversaries can reach hospital devices directly over the internet.
- High flaw counts:
  - Research by CloudWave/Sensato found an average of 6.2 vulnerabilities per medical device, far above typical enterprise hardware.
  - Many of these are critical bugs, and they persist: even if patched, devices often remain vulnerable for years.
  - One study found patched devices stayed exposed for 3.2 years on average.
- Outdated systems:
  - IoMT gear tends to be old. Approximately 60% of devices are end-of-life with no security patches available, and surveys find 14% still run an unsupported OS such as Windows XP/Vista.
  - These legacy systems are the low-hanging fruit that attackers love.
- Prevalence of weak credentials:
  - About 21% of medical devices use default or easily guessed passwords.
  - With nearly 9 out of 10 devices shipping with default credentials, attackers can often log in immediately if those credentials are not changed.
- Poor protections: Shockingly, only about 13% of IoMT devices support endpoint security such as antivirus agents. Most run bare metal, making them easy targets for malware.
- Increasing exploits:
  - New IoMT-specific exploits keep emerging. Forescout’s 2023 report found 162 new vulnerabilities in connected medical devices (imaging systems, pumps, etc.).
  - Forescout also noted DICOM imaging exposures are up 246% since 2017, meaning more radiology machines are reachable and attackable online now.
Most Vulnerable Device Types
Some IoMT categories stand out:
- Infusion pumps:
  - A large-scale analysis found 75% of 200,000 infusion pumps had one or more known security gaps.
  - Over half were susceptible to two critical 2019 CVEs in pump firmware.
  - These pumps run legacy firmware and often use hard-coded passwords, making them ideal targets.
- Imaging equipment:
  - Radiology devices, CT/MRI scanners, and X-ray machines are also riddled with bugs.
  - Forescout found 32% of DICOM/PACS workstations had at least one critical unpatched vulnerability.
  - Claroty Team82 specifically reports 20% of imaging systems carried KEVs used by major ransomware gangs.
  - Many imaging systems run outdated Windows versions and unencrypted DICOM protocols by default.
- Patient monitors & IV controllers:
  - Networked vital-sign monitors and IV drip controllers often run old operating systems too.
  - For example, the same Forescout study noted 20% of pump controller devices had critical, wormable vulnerabilities.
  - Hospital pharmacy and lab systems similarly often lack patches.
- Wearables/implants:
  - Though harder to survey, certain implantables like pacemakers or insulin pumps have known Bluetooth and radio flaws.
  - The FDA has issued advisories and recalls for these devices.
  - However, most published IoMT stats focus on the hospital equipment above.
Impact on Healthcare: Breaches and Costs
The consequences of these vulnerabilities are real and growing:
- Major data breaches: Healthcare breaches have exploded.
  - In 2023, HHS data shows 531 organizations reported hacking breaches, exposing 70 million patient records (3× more than the previous year).
  - Top breaches, like the BlackCat attack on Change Healthcare, hit over 190 million individuals with a $22M ransom.
  - Over 305 million patient records were publicly exposed in 2024 alone.
- High breach costs:
  - The average cost of a data breach in healthcare hit roughly $9-10 million in 2023-2024.
  - Hospitals have razor-thin margins (1-5% typical operating profit), so a single breach can be catastrophic.
- Ransomware surge: Ransomware has become endemic.
  - Surveys report 67-77% of providers were hit by ransomware in 2024, with about half paying out.
  - Hospitals now account for 17% of all ransomware attacks globally, the largest share of any industry.
  - Ransom incidents not only steal data but can shut down patient care.
  - One study found each breach causes 19 days of emergency department closures or treatment delays.
- Long recovery time:
  - Beyond the raw data cost, downtime and recovery are brutal.
  - Ponemon estimates healthcare takes 205 days on average to identify and contain a breach, much slower than other sectors.
  - This delay compounds patient risk.
- Regulatory penalties: Fines and lawsuits are rising.
  - In 2023-24 the OCR levied millions in penalties for HIPAA noncompliance (e.g., a $4.8M penalty in H1 2024).
  - New HIPAA rules in 2025 mandate strong controls like MFA on all ePHI, so hospitals lacking IoMT security now face legal and financial risk on top of cyber risk.
In short, the data is clear: hospitals are under attack, breaches are up, and IoMT gaps are a primary driver. Both patient safety and financial viability depend on fixing these holes.
Why IoMT Devices Are So Vulnerable
The root causes are often mundane, not exotic hacks:
- Default credentials and misconfiguration: Many devices ship with hard-coded or simple passwords. Industry surveys find that one of the single most common IoMT flaws is insecure or default passwords. In practice, it’s often trivial for attackers to log in.
- Outdated software: As noted, 40-60% of devices are end of support. Even when patches exist, hospitals are slow to update because of device uptime needs or lack of maintenance. Unpatched firmware and legacy protocols (unencrypted DICOM, legacy SSL, etc.) remain the biggest risks in several studies.
- Lack of segmentation and visibility: Many hospitals treat IoMT as an afterthought. Devices are often on flat networks with general IT traffic, so a breach of one device can easily spread. Without proper network segmentation or monitoring, attackers can move laterally from an IV pump to a hospital database.
- Supply chain issues: Over 76% of medical devices are affected by third-party or supply chain vulnerabilities. IoMT systems incorporate components and software from many vendors and open source libraries, and a vulnerability in any part can undermine the whole device.
- Clinical constraints: Unlike consumer tech, you cannot simply password-protect a ventilator in an ICU. Clinicians need quick access to care equipment. This human factor means security is sometimes consciously reduced to ensure reliability, creating unique vulnerabilities.
Despite headlines about high-profile zero-days, everyday hygiene issues dominate. A CISA advisory points out that patching alone isn’t enough: even patched devices can be compromised if they still use default credentials or insecure ports. In practice, IoMT defenders must treat almost every device as inherently at risk and assume exploitable gaps exist unless proven otherwise.
Real World Cases
- Harvard Pilgrim DICOM breach (2023): A hospital network had a DICOM image workstation with no basic protections. Attackers accessed it and exfiltrated 2.6 million patient records through that one machine.
- Insulin pump hacks: The FDA has issued multiple recalls and advisories (e.g., for insecure Bluetooth comms in pumps and glucometers). In one case, researchers remotely controlled an insulin pump’s dosing.
- Pacemaker vulnerabilities: Researchers repeatedly find issues in pacemaker firmware. The FDA even warned clinics to turn off remote telemetry on implanted devices after U.S. Government security testers exploited a Bluetooth radio flaw.
- Ransomware on CT scanners: Ransomware gangs have specifically targeted imaging gear (e.g., Hurricane Electric’s ONI group). Forescout and Claroty data show many imaging systems had KEVs, leading to high ransomware risk.
These examples show that even air-gapped or special-purpose equipment often has network interfaces or wireless links. In every case, our analysis shows a simple vulnerability (open port, default login, old OS) was the entry point, not an implausible breakthrough.
How to Secure IoMT: Strategies & Best Practices
1. Inventory and SBOMs
First, know what you have. Many providers lack a complete inventory of connected devices. Create a master list including vendor and model for all monitors, pumps, scanners, etc.
SBOM: For each device, obtain a Software Bill of Materials. The FDA now requires SBOMs in premarket submissions for medical devices, and they’re equally useful post-market. An SBOM lists all third-party components (OS, libraries, drivers) so you can track known vulnerabilities as they are published.
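To show how an SBOM is put to work after delivery, here is an added example (not code from DeepStrike, a vendor, or the original article) that loads a constructed CycloneDX-style SBOM for a hypothetical pump, matches its components against a constructed vulnerability feed (placeholder identifiers, not real CVEs) and an end-of-life table, and ranks the device for triage.

```python
"""Match a CycloneDX-style SBOM against a vulnerability feed and an EOL table.
Added example; the SBOM, feed and EOL data are constructed, vuln ids are placeholders."""
import json
from datetime import date

# Constructed SBOM for a hypothetical infusion pump (CycloneDX JSON layout).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "example-infusion-pump", "version": "4.2"}},
  "components": [
    {"type": "operating-system", "name": "windows", "version": "xp-sp3"},
    {"type": "library", "name": "openssl", "version": "1.0.1e"},
    {"type": "library", "name": "dcmtk", "version": "3.6.0"},
    {"type": "application", "name": "pump-control-service", "version": "2.1.7"}
  ]
}
"""

# Constructed feed: component -> [(affected versions, placeholder id, listed as KEV?)].
VULN_FEED = {
    "openssl": [({"1.0.1e", "1.0.1f"}, "VULN-PLACEHOLDER-1", True)],
    "dcmtk": [({"3.6.0"}, "VULN-PLACEHOLDER-2", False)],
}
# Constructed end-of-life table: (component, version) -> date vendor support ended.
EOL = {("windows", "xp-sp3"): date(2014, 4, 8)}


def analyze_sbom(sbom_text, feed, eol, today=None):
    """Walk every SBOM component and collect vulnerable, KEV and end-of-life hits."""
    today = today or date.today()
    sbom = json.loads(sbom_text)
    findings = {"vulnerable": [], "kev": [], "end_of_life": []}
    for comp in sbom.get("components", []):
        name, version = comp["name"].lower(), comp["version"]
        for affected, vuln_id, is_kev in feed.get(name, []):
            if version in affected:
                findings["vulnerable"].append((name, version, vuln_id))
                if is_kev:
                    findings["kev"].append((name, version, vuln_id))
        eol_date = eol.get((name, version))
        if eol_date is not None and eol_date <= today:
            findings["end_of_life"].append((name, version, eol_date.isoformat()))
    return findings


def risk_rank(findings):
    """Collapse findings into one triage label for the whole device."""
    if findings["kev"]:
        return "critical"   # known exploited: isolate, then patch or compensate
    if findings["vulnerable"] or findings["end_of_life"]:
        return "high"       # patch, or apply compensating controls if unsupported
    return "low"


if __name__ == "__main__":
    result = analyze_sbom(SBOM_JSON, VULN_FEED, EOL)
    print(risk_rank(result), result)
```

Re-running the same matching whenever the feed updates is what turns a static SBOM into ongoing post-market vulnerability tracking.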
2. Risk Assessment & Compliance
Categorize devices by risk (life-critical vs. non-critical). Use standards like NIST SP 800-171 and IEC 81001-5-1 for medical device security. Ensure compliance with healthcare regulations (HIPAA, FDA, etc.).
For example, update to meet the new HIPAA Security Rule (2025), which mandates MFA and quicker audit compliance. Refer to a HIPAA penetration testing checklist to align your security tests with HIPAA requirements and ensure you can handle audits and OCR inquiries.
3. Network Segmentation & Monitoring
Segregate medical devices onto their own VLANs or networks. Use firewalls to isolate sensitive zones. Employ passive network monitoring (e.g., using Wireshark/Tcpdump/Nmap) on IoMT subnets to detect anomalies.
This can catch unexpected device behavior, for instance a pacemaker beaconing out. With IoMT, consider specialized monitoring platforms like those from Claroty or Cynerio that understand healthcare protocols.
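As an added illustration of the monitoring step (example code, not the article's or any vendor's tooling), the following checks connection records from a constructed IoMT VLAN against a constructed allow-list, flagging lateral connections into IT subnets, egress to external addresses, and fixed-interval beaconing like the pacemaker case above. Subnets, servers, ports and log records are all assumed values.

```python
"""Segmentation-policy and beacon checks over IoMT VLAN connection records.
Added example; subnets, allow-list and log records are constructed."""
import ipaddress
from collections import defaultdict
from statistics import pstdev

# Constructed policy: the IoMT VLAN and the internal ranges of a hypothetical hospital.
IOMT_SUBNET = ipaddress.ip_network("10.50.0.0/16")
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Destinations an IoMT device may legitimately reach: (host network, port).
ALLOWED = [
    (ipaddress.ip_network("10.60.1.10/32"), 104),   # PACS server, DICOM
    (ipaddress.ip_network("10.60.1.20/32"), 2575),  # HL7 integration engine
    (ipaddress.ip_network("10.60.1.30/32"), 123),   # internal NTP
]

# Constructed conn-log records: (epoch seconds, src_ip, dst_ip, dst_port, proto).
LOG = [
    (1000, "10.50.3.21", "10.60.1.10", 104, "tcp"),   # monitor -> PACS: allowed
    (1010, "10.50.3.21", "10.60.1.30", 123, "udp"),   # monitor -> NTP: allowed
    (1020, "10.50.7.5", "10.60.1.20", 2575, "tcp"),   # pump -> HL7 engine: allowed
    (1030, "10.50.7.5", "10.70.2.15", 445, "tcp"),    # pump -> IT file share: lateral
    (1100, "10.50.9.9", "203.0.113.7", 443, "tcp"),   # monitor -> external host
    (1160, "10.50.9.9", "203.0.113.7", 443, "tcp"),   # ... repeating every 60 s
    (1220, "10.50.9.9", "203.0.113.7", 443, "tcp"),
    (1280, "10.50.9.9", "203.0.113.7", 443, "tcp"),
]

def classify(rec):
    """Return 'egress', 'lateral' or None for one record from the IoMT VLAN."""
    _ts, src, dst, port, _proto = rec
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in IOMT_SUBNET:
        return None                      # only IoMT-originated traffic is in scope
    if not any(dst_ip in net for net in INTERNAL):
        return "egress"                  # device reaching outside the hospital
    if any(dst_ip in net and port == p for net, p in ALLOWED):
        return None
    return "lateral"                     # internal destination not on the allow-list

def find_violations(log):
    """List every record that breaks the segmentation policy."""
    out = []
    for rec in log:
        label = classify(rec)
        if label:
            out.append((rec[1], rec[2], rec[3], label))
    return out

def find_beacons(log, min_hits=4, max_jitter=5.0):
    """Flag (src, dst, port) triples contacted at near-constant intervals."""
    times = defaultdict(list)
    for ts, src, dst, port, _proto in log:
        times[(src, dst, port)].append(ts)
    beacons = []
    for key, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list = sorted(ts_list)
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if pstdev(gaps) <= max_jitter:   # low jitter between contacts = beacon-like
            beacons.append((key, sum(gaps) / len(gaps)))
    return beacons
```

Feeding real Zeek or NetFlow exports into the same two checks gives a cheap baseline before a dedicated IoMT monitoring platform is in place.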
4. Patching and Maintenance
Patch all devices promptly, following vendor guidelines. For legacy or unsupported devices, use compensating controls: isolate them, use network filters, or install host-based firewalls if possible. Disable unused services (e.g., unused USB ports or remote access features). Implement a strict change management process to track any software updates on devices.
5. Penetration Testing and Red Teaming
Regular security testing is essential. A targeted IoMT penetration test goes beyond vulnerability scanning by simulating real attacks on medical devices and networks. This can uncover chained exploits (e.g., combining a default-password pump with a hospital Wi-Fi flaw to reach an EHR database).
Quick Comparison: Vulnerability Assessment vs Penetration Testing
| Aspect | Vulnerability Assessment | Penetration Testing (IoMT) |
|---|---|---|
| Scope | Automated scan for known bugs (port scan, CVE check) | Simulated attack by experts; may include manual exploits |
| Depth | Identifies obvious issues; repeatable scans | Finds complex flaws and chained exploits; tailored scenarios |
| Insight | Great for baseline compliance checks (e.g., all CVEs) | Shows business impact (e.g., how a pump hack could lead to data theft) |
| When to Use | Ongoing health checks, inventory scans | Annual or ad hoc assessments, especially after big changes |
For IoMT specifically, you might choose a combination: automated IoT scans for known CVEs, plus periodic manual pentests.
Black Box vs White Box IoMT Testing: In black box tests, testers attempt to break in with no internal information, mimicking an outside hacker. In white box tests, they get full system details (code access, network maps) to dig deeper.
A hospital might start with a black box IoMT pen test to see what an outsider could do, then use white box tests to harden critical devices. See the comparison table below for key differences.
| IoMT Penetration Test Approach | Black Box | White Box |
|---|---|---|
| Tester Knowledge | No prior info; learns only from probing, like an external attacker | Full documentation and code provided; tests all internal logic |
| Speed & Coverage | Typically slower; may miss hidden issues without source code | Faster and more thorough; can target obscure vulnerabilities directly |
| Realism | Highly realistic; mimics real threat actors | Less realistic; assumes the attacker has insider knowledge |
| Best for | Testing the network perimeter and device interfaces | Verifying design robustness and patch management efficiency |
These specialized IoMT tests should be conducted by experts familiar with medical protocols and equipment. DeepStrike offers both on-site red team assessments and Penetration Testing as a Service (PTaaS) to provide ongoing, device-focused security testing.
6. Incident Response and Resilience
Have an IoMT-specific response plan. If a pump or monitor is compromised, how do you isolate it and continue patient care safely? Regular drills and backups (both cyber and physical) are key. Insurance now often requires documented pentesting and response plans for cyber coverage, so maintain evidence of your testing and remediation steps (see penetration testing for cyber insurance eligibility).
Penetration Testing & ROI
While security improvements cost money, the return on investment (ROI) is clear in IoMT contexts. For example, preventing one ransomware shutdown (which could cost a hospital tens of millions in direct and indirect losses) easily justifies routine pentesting.
A conservative breakdown: a thorough IoMT penetration test (especially if done as PTaaS or by a continuous platform) might cost on the order of tens of thousands of dollars, while the average breach in healthcare costs $10M. In fact, risk analysts often cite that every $1 spent on thorough security can save $6-10 in breach mitigation costs.
When budgeting, also consider compliance and competitive pressure. Hospitals that stay compliant with FDA/HIPAA and demonstrate mature IoMT security can negotiate better cyber insurance rates and avoid fines. Think of penetration testing not just as an expense, but as part of a risk management investment that preserves patient trust and financial stability.
Common Mistakes & Myths
- Myth: Medical devices can’t be hacked. Reality: They absolutely can. Countless incidents have shown even air gapped devices are vulnerable once connected via USB updates, maintenance ports, or network.
- Mistake: Relying on vendor security alone. Manufacturers often provide updates, but hospitals frequently skip them or lack visibility. It’s on healthcare IT to verify each device’s patch status and secure the surrounding network.
- Myth: Security tools would slow IoMT devices down. Modern device operating systems often allow lightweight agents. At a minimum, segment and monitor aggressively even if full agents aren’t possible.
- Mistake: Ignoring passive monitoring. Tools like Nmap/Tcpdump may seem outdated, but continuous network sweeps and anomaly detection are powerful for IoMT. Without them, you’ll miss lateral moves or unusual traffic.
Quick Tip: Make sure to change all default passwords on devices out of the box. In assessments, insecure passwords are often the top IoMT finding.
IoMT devices bring amazing benefits to patient care, but the security data is sobering: vulnerabilities are ubiquitous and escalating in 2025. Every hospital network risks data theft, patient harm, and costly downtime if these gaps aren’t closed.
The good news is that many countermeasures exist today: from proper network design and patch management to targeted penetration testing services specifically for medical environments.
Ready to Strengthen Your Defenses? The threats of 2025 demand more than just awareness; they require readiness. If you're looking to validate your security posture, identify hidden risks, or build a resilient defense strategy, DeepStrike is here to help.
Our team of practitioners provides clear, actionable guidance to protect your business. Explore our penetration testing services to see how we can uncover vulnerabilities before attackers do. Drop us a line, we’re always ready to dive in.
About the Author: Mohammed Khalil is a Cybersecurity Architect at DeepStrike, specializing in advanced penetration testing and offensive security operations. With certifications including CISSP, OSCP, and OSWE, he has led numerous red team engagements for Fortune 500 companies, focusing on cloud security, application vulnerabilities, and adversary emulation. His work involves dissecting complex attack chains and developing resilient defense strategies for clients in the finance, healthcare, and technology sectors.
FAQ
- What is IoMT?
  - IoMT (Internet of Medical Things) is the network of connected medical devices and health IT systems, from wearable monitors and smart insulin pumps to hospital imaging machines and EHR workstations.
  - These devices collect, share, and sometimes act on patient data. The connectivity improves care but introduces cybersecurity risks.
- Why are IoMT devices so vulnerable?
  - Many IoMT devices were built for functionality, not security. They often run outdated software, use default credentials, and lack encryption.
  - Clinical usability constraints (e.g., bypassing logins on a ventilator) also reduce security measures. As a result, nearly every hospital IoMT network has exploitable flaws.
- What do IoMT penetration tests involve?
  - IoMT pentesting involves simulated attacks on medical devices and networks to uncover vulnerabilities. It can be black box (no prior knowledge) or white box (full information).
  - Specialists will try to exploit devices (e.g., remote pump takeover) and pivot to broader systems.
  - This is different from a simple scan; it shows the actual impact and helps comply with standards like OWASP’s medical device guidelines.
- How often should hospitals test IoMT security?
  - Best practice is at least annually or whenever major changes occur (new devices, network architecture, etc.). Critical devices may warrant more frequent checks.
  - Many organizations are moving to continuous penetration testing platforms (PTaaS) to get ongoing coverage rather than one-off tests.
- What regulatory requirements apply?
  - Several key ones: FDA’s Section 524B now requires premarket cybersecurity plans and SBOMs.
  - The HIPAA Security Rule (2025) mandates MFA and quick breach reporting.
  - ISO/IEC 81001-5-1 and NIST 800-171/CSF provide control frameworks.
  - Internationally, EU medical device regulations also emphasize cybersecurity.
  - Compliance often means detailed documentation of device security testing; for example, see our HIPAA penetration testing checklist for HIPAA-focused requirements.
- What is a Software Bill of Materials (SBOM) for medical devices?
  - An SBOM is a list of all software components (OS, libraries, open source code) in a device. It helps identify vulnerabilities when new bugs are found.
  - As of 2023, U.S. law requires SBOMs for medical device approvals, and they are a best practice for post-market risk management.
- How much does IoMT penetration testing cost?
  - Costs vary by scope. A focused test on a handful of devices might be a few thousand dollars, while enterprise-level engagements (thousands of devices, full red team) go up from there.
  - Many firms offer subscription PTaaS models. Given the high breach costs ($10M on average), even a modest testing budget can be highly cost-effective.
- How does IoMT security help with insurance?
  - Cyber insurers increasingly require proof of robust security. Having regular penetration tests documented and compliance with standards can lower premiums or even be a condition for coverage.
  - Our blog on penetration testing for cyber insurance eligibility explains how proactive testing influences insurance.