Connected devices outpace hospital security processes

by Keri Stephens, Contributing Reporter | December 22, 2025
Cyber Security
93% of U.S. healthcare organizations experienced at least one cyberattack last year.
Hospital chief information security officers (CISOs) continue to face persistent challenges securing connected medical devices, according to a new survey by cybersecurity company Asimily. Visibility gaps and internal process breakdowns top the list, raising concerns about operational disruption and patient safety.

Asimily’s State of Cybersecurity Management in 2025 report surveyed dozens of CISOs across North America on IoMT security risks—from infusion pumps to vital signs monitors. By 2026, the average smart hospital could manage nearly 4,000 connected devices.

When asked about near-term priorities, CISOs pointed first to complete device visibility (43%), followed by ransomware detection (24%) and compliance automation (22%). Despite those priorities, execution lags, Asimily found. Nearly one in five survey respondents still rely on manual reviews, while 15% report having no defined plan to address IoMT vulnerabilities.

Moreover, risk remediation remains fragmented. Only 22% of CISOs said they prioritize vulnerabilities based on device usage and clinical criticality, despite evidence that this approach significantly reduces exposure.

“The first step is accepting that you cannot mitigate every vulnerability, and you don’t need to,” says Asimily CEO Shankar Somasundaram. He notes that severity scores alone fail to reflect real-world risk, which depends heavily on environment and access. In practice, risk varies widely depending on network architecture and controls.

Take an infusion pump with a critical flaw. On a segmented network, risk may be contained. But on a flat network with internet access, the same device becomes a major threat. Somasundaram says hospitals should first identify devices tied to patient care or life safety, then layer in context—network connectivity, access paths, security controls, and potential organizational impact.

“That combination of clinical criticality, device configuration, and network context is what separates the 1% of vulnerabilities that demand immediate action from the 99% that can wait or be mitigated,” he says.

Still, process issues remain a central obstacle. One-third of CISOs cited internal process challenges as the biggest barrier to effective IoMT risk management, often driven by fragmented ownership across teams. In many organizations, clinical engineering manages devices, IT oversees the network, and security teams are engaged late—if at all.

“In most hospitals, no single team owns IoMT security end to end,” Somasundaram says. Rather than restructuring teams, he points to clearer handoffs and shared visibility as the more practical fix. Hospitals need consistent alerting when devices are added to the network, documented tracking of configuration changes, and a shared asset inventory accessible to clinical engineering, IT, and security.

“Having one shared language and one single source of inventory would mitigate a lot of internal process issues,” Somasundaram says.

The findings mirror broader trends across healthcare. Research from Proofpoint and the Ponemon Institute shows that 93% of U.S. healthcare organizations experienced at least one cyberattack last year, with major incidents averaging $3.9 million in costs—underscoring the operational and patient safety stakes.

As IoMT footprints expand, the message from CISOs is clear: without disciplined processes and shared visibility, connected medical devices will remain a difficult—and growing—risk to manage.

Steven Ford

Security vulnerabilities

December 30, 2025 10:29

There are thousands of MRI and CT scanners using old operating systems such as Windows XP and even older. Manufacturers almost never apply security updates and patches, even when the scanner is under an expensive maintenance contract. It's not clear to me why the regulatory people don't require this risk to be addressed, when there are solutions.
