The second quarter of 2025 marked a slight recovery in the landscape of hospital mergers and acquisitions (M&A), with Kaufman Hall reporting a total of eight announced deals. However, a closer examination reveals a more complex scenario. Notably, half of these transactions were divestitures, and the absence of any mega-mergers highlights a shift toward smaller-scale operations, with the average seller generating only $175 million in annual revenue—significantly below historical averages.
This trend, characterized by numerous smaller acquisitions and divestitures, introduces an emerging risk: ghost assets. These assets, which consist of devices and technologies that remain operational but are unaccounted for in official inventories, pose serious challenges to compliance and integration efforts within healthcare organizations.
The Escalating Challenge of Ghost Assets
Ghost assets have long been a concern, yet their prevalence is increasing. Smaller hospitals, often the sellers in current M&A activities, typically operate with under-resourced IT and Health Technology Management (HTM) teams. As a result, their documentation practices are often inconsistent, with procurement processes being decentralized. This lack of oversight means that when these facilities are sold, the acquiring organizations inherit what can only be described as a shadow fleet of devices.
The fragmentation of risk in the absence of mega-mergers is significant. Each small acquisition or divestiture adds layers of uncertainty. For instance, rural hospitals that are offloaded by larger systems frequently contain outdated devices, nonstandard technologies, and insufficient IT governance. What may appear to be straightforward balance sheet transactions can obscure critical issues such as unpatched firmware and undocumented Internet of Medical Things (IoMT) devices. Consequently, acquirers are not merely taking on assets; they are also assuming potential liabilities.
Compliance and Integration Risks Intensify
As the regulatory landscape tightens, healthcare organizations face increasing pressure to maintain visibility and governance over their asset lifecycles. The U.S. Department of Health and Human Services’ (HHS) Healthcare and Public Health Cybersecurity Performance Goals have underscored asset inventory and third-party risk management as essential areas for improvement. Additionally, recent guidance from the U.S. Food and Drug Administration (FDA) regarding cybersecurity for medical devices has made transparent device inventories a regulatory necessity rather than merely a best practice.
With compliance requirements becoming more stringent, the gap between known and unknown assets can significantly impact an organization’s ability to pass audits. The risks associated with ghost assets extend beyond compliance; they also impede integration efforts. Every unidentified sensor or device adds to the complexity of troubleshooting. When essential information such as patch statuses, firmware versions, or vendor dependencies are missing, even routine upgrades can lead to delays in critical clinical systems.
A recent analysis of 2.25 million IoMT devices across 351 healthcare organizations revealed alarming statistics: 99% of these devices had known vulnerabilities, while 89% exhibited insecure internet connectivity. These findings illustrate that ghost assets are not merely administrative oversights; they represent active points of failure that can delay integration processes and pose ongoing risks to patient safety.
Closing the visibility gap is crucial for healthcare executives navigating this complex landscape. Conversations with industry leaders reveal a common question: where should organizations begin? The answer requires a fundamental shift in the perception of visibility and accountability across all technology environments.
First, asset visibility must be recognized as a shared responsibility, rather than solely the domain of IT or HTM teams. Clinical leaders, compliance officers, and finance executives all depend on accurate inventories. If confidence in this data is compromised, it undermines the entire operational framework.
Second, organizations must integrate resilience into their approaches. Each merger or divestiture introduces new devices and systems, necessitating a continuous process of asset discovery. This should not be treated as a one-time initiative but requires ongoing support through automated discovery, real-time monitoring, and clear governance.
Lastly, visibility must directly correlate with compliance and patient safety outcomes. Regulators demand more than superficial documentation; they expect demonstrable proof that organizations understand their network assets, how they are maintained, and where vulnerabilities exist. This rigorous approach is essential not only for regulatory compliance but also for safeguarding patient safety against the risks posed by ghost assets.
As healthcare leaders grapple with the dual nature of technology as both an enabler and a potential liability, the importance of asset visibility becomes increasingly apparent. In an environment characterized by tighter margins and a proliferation of divestitures, the ability to maintain clear visibility will ultimately determine the success or failure of integrations.
Ghost assets present not just a technical challenge but a broader threat to compliance, financial stability, and patient safety. For executives, compliance officers, and IT leaders, addressing the visibility gap is no longer optional; it is a foundational requirement for fostering resilient and compliant healthcare systems.
About Jeff Collins: Jeff Collins is the CEO of WanAware and has extensive experience, spanning over 25 years, in driving profitable growth through strategic transformations. He founded WanAware in 2020 to address the need for effective IT observability solutions amid the limitations of outdated tools. Collins also holds leadership positions at 21Packets and Lightstream, contributing his expertise in cybersecurity, artificial intelligence, networking, and data transformation.
