The second quarter of 2025 marked a modest increase in hospital mergers and acquisitions (M&A), with Kaufman Hall reporting eight announced deals. This uptick, however, is accompanied by a troubling trend: half of these transactions were divestitures, and the average seller size was only $175 million in annual revenue, significantly lower than historical averages. While the absence of mega-mergers may suggest a less volatile environment, the reality is that these smaller-scale deals introduce a hidden risk known as ghost assets.
Ghost assets refer to devices, systems, and technologies that remain operational within hospital networks but are not reflected in official inventories. These assets complicate integrations, expose organizations to compliance risks, and heighten operational fragility at a time when maintaining margins is critical.
The Compounding Issue of Ghost Assets
Ghost assets are not a new phenomenon, yet they are increasingly prevalent. Smaller healthcare facilities, often the sellers in current M&A activity, typically possess under-resourced IT and Health Technology Management (HTM) teams. Inconsistent documentation and decentralized procurement processes lead to inventories that do not accurately represent reality. Consequently, when these facilities change ownership, acquiring organizations inherit a shadow fleet of devices that can pose unforeseen challenges.
The divestiture trend exacerbates this issue. While the lack of mega-mergers might suggest reduced risk, it actually fragments risk across numerous smaller transactions. Each acquisition and divestiture introduces new complexities, requiring organizations to integrate disparate inventories into a cohesive, accurate picture. This is particularly concerning for rural hospitals divested by larger systems, which often harbor legacy devices and minimal IT governance. What may appear as a straightforward financial transaction can conceal unpatched firmware, unsupported operating systems, or undocumented Internet of Medical Things (IoMT) devices, turning assets into potential liabilities for the acquirers.
Rising Compliance Pressures
Regulatory scrutiny is intensifying as agencies seek greater visibility and lifecycle governance. The U.S. Department of Health and Human Services (HHS) has identified asset inventory and third-party risk management as primary areas for improvement in its Healthcare and Public Health Cybersecurity Performance Goals. Additionally, guidance from the U.S. Food and Drug Administration (FDA) emphasizes the importance of transparent device inventories, mandating practices like software bills of materials (SBOMs) as essential for compliance.
For organizations engaged in mergers or divestitures, the gap between known and unknown assets could determine the outcome of audits, impacting their financial standing and reputation.
Ghost assets not only challenge compliance efforts but also hinder integration processes. Every unidentified sensor or device introduces additional troubleshooting requirements. Missing information regarding patch status, firmware versions, or vendor dependencies can stall necessary upgrades for critical clinical systems. A recent analysis of over 2.25 million IoMT devices across 351 healthcare delivery organizations revealed that 99% of these devices contained known vulnerabilities, while 89% exhibited insecure internet connectivity. These findings highlight that ghost assets are not merely administrative oversights but serious risks that impede integration, complicate incident response, and threaten patient safety.
Closing the visibility gap is vital for healthcare organizations. Engaging in conversations with executives, a common question arises: where should we begin? Simply implementing another checklist is insufficient. A comprehensive reevaluation of visibility and accountability across technology environments is necessary.
First, asset visibility must become a collective responsibility shared among clinical leaders, compliance officers, and finance executives. All stakeholders rely on accurate inventories, often without realizing it. If confidence in this data is lacking, the entire healthcare system operates on flawed assumptions.
Second, organizations must foster resilience in their integration processes. Each merger or divestiture introduces new devices and systems, necessitating ongoing asset discovery supported by automated monitoring and transparent governance rather than treating it as a one-off project.
Lastly, the relationship between visibility and compliance must be clearly defined, linking it directly to patient safety outcomes. Regulatory bodies are demanding more than surface-level documentation; they require evidence that organizations understand their network composition, including maintenance practices and existing vulnerabilities. Such rigor not only fulfills compliance requirements but also protects patients from the risks posed by ghost assets.
As healthcare leaders navigate a landscape characterized by leaner margins, unpredictable policy changes, and a prevalence of divestitures, the visibility of assets will increasingly determine the success of integrations. Ghost assets present not only a technical challenge but also undermine compliance efforts, strain budgets, and jeopardize patient safety. For executives, compliance officers, and IT leaders, addressing the visibility gap is no longer optional; it is foundational for building resilient, integrated, and compliant healthcare systems.
Jeff Collins, CEO of WanAware, possesses over 25 years of experience in driving profitable growth through transformative strategies. His vision for improving IT observability emerged from recognizing the limitations of outdated tools. Collins holds leadership roles at other technology firms and is active on various boards, contributing his expertise in cybersecurity, artificial intelligence, networking, and data transformation.
