The second quarter of 2025 witnessed a slight uptick in hospital mergers and acquisitions (M&A), with Kaufman Hall reporting eight announced deals. However, an analysis of the landscape reveals a more complex scenario: half of these transactions were divestitures, no significant mega-mergers occurred, and the average seller generated only $175 million in annual revenue—far below historical averages. This smaller and less impactful deal environment raises concerns about the emergence of “ghost assets,” which pose a serious threat to compliance and integration in healthcare systems.
The issue of ghost assets, which include devices and technologies not recorded in official inventories yet remain operational, is not new but is becoming increasingly prevalent. Often, smaller hospitals are the sellers in these transactions and typically have under-resourced IT and Health Technology Management (HTM) teams. As a result, documentation is frequently inconsistent, procurement decentralized, and inventories outdated. When these facilities are acquired, the new owners are faced with a hidden collection of operational devices, creating significant challenges.
The fragmentation of risk due to numerous small acquisitions and divestitures amplifies the problem. Each transaction introduces a new set of unknowns, necessitating the integration of disparate inventories into a cohesive and accurate overview. Rural hospitals, often discarded by larger healthcare systems, frequently possess legacy devices and nonstandard technology with minimal governance. What may appear to be a straightforward financial transaction can conceal outdated firmware, unsupported operating systems, and undocumented Internet of Medical Things (IoMT) devices. For acquiring organizations, this translates to inheriting not just assets but also potential liabilities.
As the healthcare landscape evolves, regulatory scrutiny is intensifying. The U.S. Department of Health and Human Services (HHS) has highlighted the importance of asset visibility and third-party risk management in its Healthcare and Public Health Cybersecurity Performance Goals. Additionally, the U.S. Food and Drug Administration (FDA) has issued guidance emphasizing that transparent device inventories are now a regulatory necessity rather than a mere best practice. Consequently, organizations navigating mergers and divestitures must recognize that the gap between known and unknown assets can significantly impact audit outcomes, potentially leading to costly penalties.
The integration process is also adversely affected by ghost assets. Each unidentified sensor or device introduces additional troubleshooting complexities. Missing information such as patch status, firmware versions, or vendor dependencies can delay critical clinical system upgrades. A recent evaluation of 2.25 million IoMT devices across 351 healthcare organizations revealed that 99% contained devices with known vulnerabilities, while 89% exhibited insecure internet connectivity. These figures indicate that ghost assets are not merely administrative oversights; they represent active risks that hinder integration, complicate incident response, and jeopardize patient safety.
Healthcare executives frequently inquire about how to address the issue of ghost assets. The solution requires a fundamental shift in how organizations approach visibility and accountability in their technology environments. Asset visibility should be a shared responsibility across the organization, engaging clinical leaders, compliance officers, and finance executives. Each relies on accurate inventories, and weak confidence in these data undermines the entire operation.
Organizations must also build resilience into their integration processes. Each merger or divestiture introduces new devices and systems, necessitating a continuous approach to asset discovery. This should involve automated discovery, real-time monitoring, and robust governance practices rather than treating asset visibility as a one-time initiative.
Finally, the connection between visibility and compliance must be clearly established. Regulators expect organizations to demonstrate comprehensive knowledge of their networks, including how assets are maintained and where vulnerabilities lie. This rigorous approach is essential to safeguarding patients from the risks posed by ghost assets.
As the healthcare sector adapts to a landscape characterized by tighter margins and increasing regulatory demands, asset visibility is critical. Ghost assets not only create technical challenges but also threaten compliance, strain budgets, and endanger patient safety. For hospital executives, compliance officers, and IT leaders, addressing the visibility gap has become imperative. It is not just about compliance; it is about building resilient, integrated, and safe healthcare systems.
Jeff Collins, CEO of WanAware, has over 25 years of experience in driving growth and transformation across various organizations. Recognizing the critical need for effective IT observability solutions, he founded WanAware to address the limitations of outdated tools in healthcare technology management. Collins also holds leadership positions at 21Packets and Lightstream, and he serves on several technology company boards, sharing his expertise in cybersecurity, AI, and data transformation.
