CCTV Wiki

Crucial Asimily Report Exposes Deep Security Flaws in Hospital IoMT Management, Jeopardizing Patient Safety

A new report from Asimily, a leading platform for IoT, OT, and IoMT risk mitigation, has cast a stark light on the cybersecurity landscape within North American hospitals. Titled “The State of Hospitals’ Cyber Asset Exposure Management in 2025,” the survey reveals critical disconnects between hospital security priorities and the grim reality of medical device risk management, potentially exposing patients to unprecedented dangers. Persistent visibility gaps and internal process breakdowns are identified as core culprits, leaving healthcare institutions vulnerable to operational disruption and direct threats to patient care.

The Alarming Gaps in IoMT Security Management

The comprehensive survey, which polled Chief Information Security Officers (CISOs) across North American hospitals, underscores an urgent demand for fundamental improvements. A staggering 43% of CISOs identified complete device visibility as the single most pressing challenge they wished to resolve immediately. This crucial need overshadowed concerns like ransomware threat detection (24%) and compliance automation (22%), highlighting a foundational struggle to even identify what devices are connected to their networks.

When asked about the biggest barriers to effective IoMT device risk management, the findings were equally concerning. One-third of respondents pointed to internal process issues, closely followed by a pervasive lack of visibility (30%) and data overload (20%). This suggests a systemic problem where institutions struggle not only to see their assets but also to manage the information and processes surrounding them effectively.

Fragmented Vulnerability Prioritization Adds to Risk

The report further exposes a dangerous fragmentation in how hospital security teams approach vulnerability remediation. Shockingly, only 22% of CISOs base their prioritization on device usage and criticality—the most effective method for focusing limited resources on the highest-risk assets. Instead, a significant 18% still rely on manual review, while an alarming 15% admit to having no clear process whatsoever for addressing IoMT vulnerabilities. Such an uncoordinated approach leaves critical medical devices, essential for patient treatment, exposed to known threats.

Shankar Somasundaram, CEO of Asimily, emphasized the complexity of the challenge. “Hospital CISOs are challenged with protecting many thousands of network-connected devices while navigating organizational silos, data overload, budget constraints, and ensuring patient care isn’t disrupted,” Somasundaram stated. He further reinforced that “visibility is the critical first step, but it has to be paired with the ability to prioritize and act on what you find. Hospital cybersecurity leadership needs strategies that can connect the dots between device discovery, risk prioritization, and remediation (including segmentation), while also working across the clinical engineering, IT, and security teams that share responsibility for these patient-critical systems.”

Asimily’s Roadmap for Stronger Cyber Asset Management

Based on these compelling findings, Asimily has issued a series of actionable recommendations to help healthcare delivery organizations fortify their cyber asset exposure management programs:

For a deeper dive into these insights and additional strategies for how hospital CISOs and other security/IT leaders can manage exposure across all cyber assets, the full report is available for download on the Asimily website.
