In the current U.S. healthcare cyber threat landscape, data breaches are occurring at an unprecedented pace. From ransomware campaigns targeting hospital networks to phishing schemes compromising patient records, the scale of attacks is growing—and the consequences are becoming more severe. While many organizations focus on email security and access controls, one critical vulnerability often remains under-addressed: the connected devices and underlying infrastructure that power modern healthcare.

The Expanding Internet of Medical Things (IoMT)

Healthcare providers now rely on a vast network of connected devices—from MRI machines and infusion pumps to wearable monitors and cloud-linked imaging systems. Collectively known as the Internet of Medical Things (IoMT), these devices improve patient outcomes and streamline operations. However, many are shipped with weak default credentials, outdated firmware, or insufficient encryption—making them easy targets for cybercriminals.

In one recent case, security researchers identified more than 1.2 million internet-connected medical devices worldwide that were leaking sensitive information, including diagnostic images and lab results. Over 174,000 of these vulnerable devices were located in the United States, highlighting the scale of the domestic risk.

Legacy Systems and Infrastructure Weaknesses

Many healthcare facilities still operate on legacy systems that are no longer supported by vendors. These outdated platforms often lack modern security features, making them incompatible with current HIPAA Security Rule best practices. Worse, replacing or upgrading them can require substantial capital investments—something many organizations delay due to budget constraints.

Unsupported operating systems, unpatched software, and aging network hardware introduce significant vulnerabilities. According to the HIPAA Journal, infrastructure misconfigurations and insufficient network segmentation have been major contributing factors in several large-scale breaches in recent years.

Operational Constraints and Security Gaps

Healthcare environments present unique challenges for IT and security teams. Devices such as ventilators, infusion pumps, and imaging equipment are often in constant use, making it difficult to take them offline for updates or security patching. In many cases, these devices are also managed by third-party vendors, creating a complex patchwork of responsibilities and potential blind spots in monitoring and incident response.

Even when patching is possible, compatibility concerns can delay deployments. A critical system outage in a clinical environment is not an option, which can result in prolonged exposure to known vulnerabilities.

Strategic Recommendations for Healthcare Leaders

  • Implement Comprehensive Asset Inventories: Maintain real-time visibility into all connected medical devices, including vendor-managed assets.
  • Enforce Strong Authentication: Remove default credentials and implement unique, complex passwords across all devices. Where possible, require multi-factor authentication for administrative access.
  • Prioritize Network Segmentation: Separate IoMT devices from core hospital networks to limit lateral movement in the event of a breach.
  • Engage in Proactive Vendor Management: Hold suppliers accountable for timely security updates, and require documented patching processes.
  • Schedule Controlled Maintenance Windows: Plan regular updates and security checks in a way that minimizes disruption to patient care.
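The checks in this list can be run mechanically against an asset inventory. The following is an added example, not code from the article: the record fields, the `10.50.0.0/16` IoMT segment and the 90-day patch threshold are assumptions, and the inventory is constructed sample data. Unknown fields are reported as inventory gaps, since vendor-managed devices are often the ones with missing data.

```python
import ipaddress

# Assumed policy values (hypothetical, not taken from the article).
IOMT_SEGMENTS = [ipaddress.ip_network("10.50.0.0/16")]
MAX_PATCH_AGE_DAYS = 90
REQUIRED = ("ip", "default_creds", "admin_mfa", "os_supported", "patch_age_days")

# Constructed sample inventory; every device name and address is made up.
INVENTORY = [
    {"name": "mri-01", "ip": "10.50.1.10", "vendor_managed": True,
     "default_creds": False, "admin_mfa": True, "os_supported": True,
     "patch_age_days": 30, "vendor_patch_process": True},
    {"name": "pump-17", "ip": "10.10.4.22", "vendor_managed": False,
     "default_creds": True, "admin_mfa": False, "os_supported": True,
     "patch_age_days": 200, "vendor_patch_process": None},
    {"name": "pacs-02", "ip": "10.50.2.5", "vendor_managed": True,
     "default_creds": False, "admin_mfa": True, "os_supported": False,
     "patch_age_days": None, "vendor_patch_process": False},
]

def audit_device(dev):
    """Return the findings for one inventory record, gaps listed first."""
    findings = [f"inventory gap: {k} unknown" for k in REQUIRED if dev.get(k) is None]
    ip = dev.get("ip")
    if ip and not any(ipaddress.ip_address(ip) in net for net in IOMT_SEGMENTS):
        findings.append("outside IoMT segment")
    if dev.get("default_creds"):
        findings.append("default credentials")
    if dev.get("admin_mfa") is False:
        findings.append("no MFA for admin access")
    if dev.get("os_supported") is False:
        findings.append("unsupported OS/firmware")
    age = dev.get("patch_age_days")
    if age is not None and age > MAX_PATCH_AGE_DAYS:
        findings.append("patch overdue")
    if dev.get("vendor_managed") and not dev.get("vendor_patch_process"):
        findings.append("vendor has no documented patch process")
    return findings

def audit(inventory):
    """Map device name to findings, keeping only devices that have any."""
    report = {d["name"]: audit_device(d) for d in inventory}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```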

The Boardroom Imperative

For healthcare executives, device and infrastructure security is no longer a purely technical concern—it is a board-level issue with direct implications for patient safety, operational continuity, and regulatory compliance. A single unprotected imaging server or outdated switch can become the entry point for an attack that disrupts care delivery and triggers costly HIPAA violation penalties.

Leaders should ensure that cybersecurity strategy encompasses the full scope of the healthcare ecosystem, including both traditional IT assets and specialized clinical technology. As the IoMT continues to expand, securing these devices is not just a compliance requirement—it’s a fundamental component of resilient healthcare operations.