A new survey by cybersecurity company Asimily has identified that persistent visibility gaps and internal process breakdowns are among the biggest security challenges being faced by hospital chief information security officers (CISOs) in securing connected medical devices and equipment.
Asimily’s State of Cybersecurity Management in 2025 report surveyed dozens of hospital CISOs across North America to determine what they viewed as the biggest challenges and pain points around securing Internet of Medical Things (IoMT) devices.
The report demonstrates that certain shortcomings exacerbate the risk of operational disruption and put patient care at risk.
IoMT devices in hospitals include infusion pumps, vital sign monitoring systems for real-time patient data, and even hand hygiene sensors for infection control. Research has forecast that the average smart hospital could have almost 4,000 IoMT devices by 2026.
In identifying what security protocols they would like to solve in the near-term, 43% of CISO respondents to Asimily’s survey pointed to complete device visibility, followed by ransomware threat detection and compliance automation at 24% and 22%, respectively.
Asked about processes in place to address risks, 18% said they were reliant on manual review while 15% reported having no clear process in place for addressing IoMT vulnerabilities.
Providing their views on the biggest barriers to effective IoMT device risk management, one-third of respondents pointed to internal process issues, followed by lack of visibility at 30%, and data overload at 20%.
The survey’s findings also revealed that fragmentation in how hospital security teams approached vulnerability remediation was a sticking point. Only 22% of hospital CISOs said they based their prioritisation on device usage and criticality – despite one of the most effective methods for mitigating risk being to focus resources on the highest-risk assets, according to Asimily.
Asimily CEO Shankar Somasundaram highlighted that hospital CISOs are challenged with protecting thousands of network-connected devices while navigating organisational silos, data overload, and budget constraints – all while ensuring that patient care isn’t disrupted.
Somasundaram said: “This survey reinforces that visibility is the critical first step, but it has to be paired with the ability to prioritise and act on what you find.
“Hospital cybersecurity leadership needs strategies that can connect the dots between device discovery, risk prioritisation, and remediation (including segmentation), while also working across the clinical engineering, IT, and security teams that share responsibility for these patient-critical systems.”
Proofpoint and the Ponemon Institute also recently released findings from a cybersecurity report. Surveying 677 US-based IT and cybersecurity professionals in healthcare, the data revealed that 93% of organisations experienced at least one cyberattack in the past year, with an average of 43 attacks per organisation, up from 40 in 2024. Meanwhile, the average cost of the most significant attack was $3.9m.
