The second quarter of 2025 marked a modest rebound in hospital mergers and acquisitions (M&A), with Kaufman Hall reporting eight announced deals. This figure, while an increase, tells a more complex story: half of these transactions were divestitures, there were no mega-mergers, and the average size of sellers was just $175 million in annual revenue, significantly below historical norms. This trend towards smaller-scale, divestiture-heavy transactions introduces a new risk to healthcare organizations: the proliferation of ghost assets.
Ghost assets are medical devices, systems, and technologies that remain active within hospital networks but are not included in official inventories. Their presence complicates integration, creates compliance gaps, and heightens operational fragility, especially as healthcare margins become increasingly tight.
The Growing Challenge of Ghost Assets
Ghost assets are not a new phenomenon, but their prevalence is increasing, particularly in smaller hospitals. Such facilities, often the sellers in current M&A deals, typically have under-resourced IT and Health Technology Management (HTM) teams. This leads to inconsistent documentation, decentralized procurement processes, and inventories that fail to reflect actual assets. When these hospitals change ownership, the acquiring systems often inherit a “shadow fleet” of devices that are difficult to track.
The absence of mega-mergers does not equate to a reduction in risk. Instead, the fragmented nature of many small acquisitions and divestitures means each transaction introduces new unknowns. For instance, when larger systems divest rural facilities, they often offload hospitals equipped with legacy devices, nonstandard technology, and minimal IT governance. What appears to be a straightforward financial transaction may conceal unpatched firmware, unsupported operating systems, and undocumented Internet of Medical Things (IoMT) devices. For acquirers, this signifies the absorption of not only assets but also potential liabilities.
Increasing Regulatory Scrutiny
Regulatory bodies are intensifying their expectations regarding asset visibility and lifecycle governance. The U.S. Department of Health and Human Services (HHS) has identified asset inventory and third-party risk management as critical areas for improvement within its Healthcare and Public Health Cybersecurity Performance Goals. Additionally, FDA guidelines on cybersecurity for medical devices emphasize the necessity of transparent device inventories, making such visibility a regulatory requirement rather than a mere best practice.
For organizations navigating mergers or divestitures, the disparity between known and unknown assets can significantly impact compliance. A lack of accurate, verifiable inventories can lead to failed audits and costly penalties.
Ghost assets also hinder integration efforts. Each undisclosed sensor, device, or middleware component adds to the troubleshooting workload. When information about patch status, firmware versions, or vendor dependencies is missing, critical clinical system upgrades can be delayed. A recent analysis of 2.25 million IoMT devices across 351 healthcare delivery organizations revealed that 99% of those organizations contained devices with known vulnerabilities, and 89% exhibited insecure internet connectivity. These findings highlight that ghost assets are not simply administrative oversights; they pose real risks to patient safety and operational efficiency.
Strategies for Closing the Visibility Gap
Healthcare executives frequently ask where to begin in addressing the issue of ghost assets. The solution requires a fundamental shift in how leadership approaches visibility and accountability within technology environments.
Asset visibility must become a collective responsibility rather than a task relegated solely to IT or HTM teams. Clinical leaders, compliance officers, and finance executives all depend on accurate inventories, whether they acknowledge it or not. Weak confidence in asset data means the entire healthcare system operates on shaky assumptions.
Organizations must also cultivate resilience in their integration processes. Every merger or divestiture introduces new devices and systems, making asset discovery an ongoing task rather than a one-time project. This initiative should be supported by automated discovery, real-time monitoring, and robust governance.
Finally, visibility should be directly linked to compliance and patient safety outcomes. Regulators are demanding more than superficial documentation; they expect proof that organizations are aware of their network assets, how they are maintained, and where vulnerabilities exist. Implementing this rigor is essential not only for compliance but also for safeguarding patients against the risks posed by ghost assets.
The Path Forward
Healthcare leaders recognize that technology serves both as an enabler and a potential liability. In an environment characterized by narrow margins, unpredictable policy changes, and divestiture-heavy M&A activity, asset visibility will determine the success or failure of integrations.
Ghost assets represent a technical challenge that undermines compliance, strains budgets, and jeopardizes patient safety. For hospital executives, compliance officers, and IT leaders, addressing the visibility gap is essential. It forms the bedrock of resilient, integrated, and compliant healthcare systems.
Jeff Collins, CEO of WanAware, has over 25 years of experience in driving growth by transforming brands and companies. He emphasizes the importance of effective IT observability solutions, particularly as outdated legacy tools become insufficient. Collins also holds leadership roles at 21Packets and Lightstream and serves on the boards of various technology companies, contributing his expertise in cybersecurity and data transformation.
