Elisity Blog

What Is Claroty and How Does It Protect Medical Devices (IoMT & Healthcare OT)

Quick Answer: What Is Claroty and How Does it Protect Medical Devices in Healthcare?

The Claroty Platform provides asset visibility and the broadest, built-for-CPS solution, comprising exposure management, network protection, secure access, and threat detection – whether in the cloud with Claroty xDome or on-premise with Claroty Continuous Threat Detection (CTD). Claroty has a layered, research-driven approach to building confidence in the security posture of connected medical devices, operational technology (OT), and Internet of Medical Things (IoMT) assets across healthcare environments. Based in New York, Claroty, a cyber-physical systems (CPS) security company, builds this trust through deep device visibility, evidence-based risk scoring, and intelligence from its dedicated research arm, Team82.

In practical terms, Claroty's platform is three things working together:

  • Visibility into every connected device: Claroty discovers and profiles IoMT, OT, BAS, and IT assets across hospital networks using five complementary methods (Claroty Edge, Passive Monitoring, Safe Queries, Project File Analysis, and Ecosystem Enrichment) without disrupting clinical operations.
  • Risk-based protection for IoMT and OT: Each device receives a dynamic risk score based on known exploited vulnerabilities (KEVs), ransomware linkage, internet exposure, OS lifecycle status, and clinical criticality, not just raw CVSS numbers.
  • Research-backed intelligence from Team82: Claroty's dedicated CPS research group has disclosed over 650 vulnerabilities (as of mid-2025) and publishes exposure reports analyzing millions of real-world healthcare devices, feeding current threat intelligence directly into Claroty's risk models.

For CISOs and security architects managing thousands of connected devices across healthcare, manufacturing, or industrial environments, Claroty's trust model provides a foundation for making informed, risk-based decisions about device access, network segmentation, and remediation priorities.

Claroty in a Nutshell: Platform, Healthcare Focus, and Trust Model

What Claroty Does for Healthcare and IoMT

Claroty offers a purpose-built CPS security platform for environments where connected devices directly affect patient safety, manufacturing output, or critical infrastructure uptime. For healthcare specifically, Claroty xDome for Healthcare (built on Medigate technology Claroty acquired in January 2022) secures IoMT devices, including infusion pumps, imaging systems, and patient monitors, alongside the OT and building management systems that support clinical operations.

Hundreds of organizations deploy Claroty across thousands of sites globally. Gartner and Forrester both recognize Claroty as a leading CPS security platform, and Claroty has earned five consecutive Best in KLAS awards for Healthcare IoT Security (2021–2025), scoring 95.4 out of 100 based on evaluations from 42 healthcare organizations. For healthcare security leaders evaluating device intelligence solutions, these recognitions offer useful third-party validation, though any procurement decision should rest on fit-for-purpose evaluation in your specific environment.

How Claroty Defines and Puts Trust Into Practice

Trust in a medical device isn't binary. An MRI system isn't simply "trusted" or "untrusted." Claroty treats trust as a dynamic confidence level reflecting how well a device has been identified, what vulnerabilities it carries, how it communicates, and how critical it remains to patient care or operations.

This model maps directly to Zero Trust and least-privilege principles. Rather than granting broad network access based on which VLAN a device connects to, Claroty's visibility and risk data let enforcement platforms, such as modern microsegmentation platforms, apply granular, identity-based access controls. A device carrying a KEV linked to active ransomware receives different access than a fully patched device with a clean risk profile, even if both sit on the same physical network segment.

Claroty also maintains a publicly accessible Trust Center (claroty.com/trust) documenting how Claroty itself protects customer data, with compliance documentation for ISO 27001, ISO 27701, SOC 2 Type 2, GDPR, and HIPAA. For healthcare organizations running vendor risk assessments, this transparency cuts procurement friction.

How Claroty Relates to Medical Device Security (IoMT & OT)

From Asset Inventory to Risk-Aware Protection

Medical device security starts with knowing what you have. Most healthcare organizations discover 30–50% more connected devices than their CMDB records reflect once they deploy a dedicated CPS visibility platform. Claroty closes this gap by providing continuous, non-disruptive discovery that identifies device type, vendor, model, operating system, firmware version, communication behavior, and clinical function for every connected asset. Modern microsegmentation platforms add another discovery layer — at Main Line Health, Elisity discovered and classified 99% of network devices within four hours of deployment, without downtime or patient network disruption, by ingesting metadata from existing network infrastructure and correlating identity data through its Elisity IdentityGraph™ engine.

What makes Claroty specifically relevant for medical devices versus general IT vulnerability scanning comes down to how well it understands healthcare protocols, OEM constraints, and clinical workflows. Infusion pumps speak proprietary protocols. Imaging systems have multi-year patch cycles governed by FDA validation requirements. Patient monitors can't tolerate aggressive scanning. Claroty's discovery methods accommodate all these realities while still producing granular device profiles that security teams need for informed risk management.

Use Cases Inside a Hospital or Health System

Security leaders and clinical engineering teams apply Claroty's device data across several operational scenarios. Clinical engineering uses Claroty to identify infusion pumps and monitors with known vulnerabilities requiring OEM coordination for patching. Security operations teams rely on risk-scored device profiles to prioritize which internet-facing or laterally exposed devices need segmentation first. Governance and compliance teams use Claroty's reporting to present device risk posture to boards, auditors, and regulators, translating raw vulnerability data into business-risk language that drives budget decisions.

Multi-site health systems and integrated delivery networks can aggregate device intelligence across dozens or hundreds of facilities through Claroty, enabling centralized risk management while accommodating site-specific operational requirements.

Alignment With Healthcare Security Guidance

Claroty's capabilities map to core requirements across major healthcare compliance programs. Asset inventory and classification align with the proposed HIPAA Security Rule update's requirements for technology asset inventories and network mapping. Vulnerability management and patch prioritization support HHS 405(d) Health Industry Cybersecurity Practices (HICP) and NIST CSF. Network segmentation and Zero Trust capabilities address requirements from California AB 749, CISA's Zero Trust Maturity Model, and IEC 62443 zone segmentation standards. Secure remote access controls support vendor management requirements across HITRUST CSF, NHS Digital guidance, and Joint Commission standards.

Cross-regulation alignment matters here because most large healthcare organizations must demonstrate compliance across multiple overlapping requirements simultaneously.

How Claroty Discovers and Tracks Medical Device Vulnerabilities

Claroty handles device vulnerabilities in four stages: discover, map, score, and track.

Step 1: Discovering Every Connected Device (IoMT, OT, IT)

Claroty uses five complementary discovery methods. Passive Monitoring inspects network traffic using deep packet inspection across healthcare-specific and proprietary protocols, inferring device type, vendor, model, OS, and communication patterns without generating any network traffic. Safe Queries send targeted, low-impact probes tuned specifically for medical and OT devices to enrich device profiles with firmware versions and enabled services; the probes are carefully designed to avoid the reboots or failures that aggressive IT scanning can cause. Claroty Edge provides a lightweight data collector deployable on existing infrastructure for rapid initial visibility assessments, often producing meaningful results within minutes. Project File Analysis examines engineering configuration files (such as PLC project files) to identify assets and their relationships in OT environments. Ecosystem Enrichment pulls data from existing tools and integrations (CMMS, CMDB, biomed inventory systems) to augment and validate device profiles with operational context.

Working together, these five methods let Claroty attribute more than 100 characteristics per device in healthcare environments, covering everything from firmware revision to clinical function.

Step 2: Mapping Devices to Known Vulnerabilities

Once Claroty fingerprints devices, correlation against multiple vulnerability data sources begins. External feeds include NVD, ICS-CERT advisories, CERT@VDE, MITRE, and manufacturer-issued security bulletins. Team82's own vulnerability discoveries (over 650 CVEs disclosed as of mid-2025) add an intelligence layer beyond public databases. Claroty also integrates with vulnerability management tools like Tenable.io, Tenable.sc, and Nessus, ingesting IT-side scan results and correlating them with CPS-specific risk context.

Here's where Claroty's CPS-aware approach diverges from standard IT vulnerability scanning. Traditional scanners match CVEs against IP addresses and software versions. Claroty matches vulnerabilities against rich device profiles (including manufacturer, model, firmware revision, clinical function, and communication behavior), producing far fewer false positives and far more actionable results for biomedical and security teams.

Step 3: Risk Scoring, KEVs, and Ransomware Exposure

Raw CVE counts don't help with prioritization. Claroty addresses this by calculating per-device risk scores that incorporate CVSS severity, KEV status (whether a vulnerability appears on CISA's Known Exploited Vulnerabilities catalog), linkage to active ransomware campaigns, internet exposure, network segmentation status, OS lifecycle stage, and clinical criticality.

Team82's "State of CPS Security: Healthcare Exposures 2025" report shows why this scoring approach matters. After analyzing more than 2.25 million IoMT devices and 647,000 OT devices across 351 healthcare organizations, Team82 found KEVs present inside 99% of organizations studied. Among those, 89% had IoMT devices carrying all three high-risk factors: KEVs linked to ransomware with insecure internet connections. Imaging systems (MRI, CT, X-ray, ultrasound) emerged as the highest-risk category, with 28% containing KEVs across 99% of organizations in the dataset.

For CISOs, these findings translate into clear priorities: address KEV-bearing, internet-connected, ransomware-linked devices first, then work outward.
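The prioritization rule above, worked through as an added example (not Claroty's scoring model or code): devices are tiered by the three factors the report names, using the `cveID` and `knownRansomwareCampaignUse` fields of CISA's KEV JSON feed. The inventory, the placeholder CVE ids, the tier numbering below tier 1, and the 1-to-5 criticality scale are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample in the field layout of CISA's KEV JSON feed.
# The CVE ids are placeholders, not real catalog entries.
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "knownRansomwareCampaignUse": "Unknown"},
    ]
}


@dataclass(frozen=True)
class Device:
    name: str
    category: str
    cves: tuple
    internet_exposed: bool
    clinical_criticality: int  # hypothetical scale: 1 (low) to 5 (life-sustaining)


# Constructed inventory; names and attributes are illustrative only.
INVENTORY = [
    Device("ct-scanner-01", "imaging", ("CVE-0000-0001", "CVE-0000-0009"), True, 4),
    Device("infusion-pump-17", "infusion", ("cve-0000-0002",), False, 5),
    Device("mri-02", "imaging", ("CVE-0000-0001",), False, 4),
    Device("bms-hvac-or3", "facilities", ("CVE-0000-0002",), True, 3),
    Device("patient-monitor-08", "monitoring", ("CVE-0000-0009",), True, 5),
    Device("ultrasound-05", "imaging", (), False, 2),
]


def index_kev(feed):
    """Map normalized CVE id -> True when the KEV entry is tied to ransomware use."""
    return {
        v["cveID"].strip().upper(): v.get("knownRansomwareCampaignUse", "Unknown") == "Known"
        for v in feed.get("vulnerabilities", [])
    }


def assess(device, kev):
    """Tier 1: KEV + ransomware-linked + internet-exposed. Tier 4: no KEV at all."""
    ids = {c.strip().upper() for c in device.cves}  # inventories mix upper/lower case
    kev_hits = sorted(ids & kev.keys())
    ransomware = any(kev[c] for c in kev_hits)
    if not kev_hits:
        tier = 4  # exposure alone does not promote a device without a KEV
    else:
        # Each additional factor moves the device one tier closer to the top.
        tier = 3 - (int(ransomware) + int(device.internet_exposed))
    return {
        "device": device.name,
        "tier": tier,
        "kev_cves": kev_hits,
        "ransomware_linked": ransomware,
        "internet_exposed": device.internet_exposed,
    }


def prioritize(devices, feed):
    """Order devices by tier, then by clinical criticality (highest first), then name."""
    kev = index_kev(feed)
    ranked = sorted(
        devices,
        key=lambda d: (assess(d, kev)["tier"], -d.clinical_criticality, d.name),
    )
    return [assess(d, kev) for d in ranked]


if __name__ == "__main__":
    for row in prioritize(INVENTORY, KEV_FEED):
        print(row["tier"], row["device"], row["kev_cves"])
```
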

Step 4: Lifecycle and Remediation Tracking

Medical device remediation isn't as simple as pushing a patch. OEM validation requirements, FDA regulatory constraints, clinical scheduling windows, and device utilization patterns all constrain when and how teams can address vulnerabilities. Claroty tracks device location, utilization rates, and lifecycle status so remediation recommendations reflect clinical reality.

Patching isn't feasible for legacy devices with 10–15 year lifecycles. Claroty supports compensating controls by providing device context that enforcement platforms need to apply network-based protections. Microsegmentation solutions fill this gap: device intelligence platforms like Claroty supply the "what and how risky," while enforcement platforms translate that intelligence into least-privilege network policy applied at the network edge, protecting devices that can't protect themselves.

Claroty's Research Engine: Inside Team82

Who Is Team82 and Why Does It Matter?

Team82 serves as Claroty's formal research group, focused on discovering and disclosing vulnerabilities across cyber-physical systems in industrial, healthcare, and commercial environments. Running one of the industry's most extensive CPS testing labs, Team82 works directly with device manufacturers to evaluate product security and coordinate responsible disclosure.

As of mid-2025, Team82 has disclosed over 650 vulnerabilities spanning industrial control systems (ICS/OT), IoMT and healthcare devices, building management systems (BMS), enterprise IoT, and supporting software, including protocol stacks and cloud management platforms. For healthcare organizations, Team82 functions as an early-warning system: researchers often identify and mitigate vulnerabilities before public exploits circulate.

How Team82 Finds and Discloses Vulnerabilities

Team82's vulnerability research follows a structured lifecycle. Target selection focuses on device categories with high operational impact: IoMT devices, ICS controllers, BMS systems, and the cloud platforms managing them. Discovery involves reverse engineering firmware, analyzing proprietary protocols, and testing against representative devices in controlled lab environments.

When Team82 confirms vulnerabilities, researchers follow a coordinated disclosure policy: findings go privately to vendors first, with public disclosure only after patches or mitigations become available or after reasonable timelines pass. This approach prioritizes ecosystem safety over headline-grabbing exploit publications.

Notable Team82 Findings Affecting Medical Device Security

Team82's healthcare-focused research has produced several findings that directly shape how CISOs prioritize medical device security. Their Healthcare Exposures 2025 report revealed imaging systems as the single highest-risk device category in hospital networks, with ransomware-linked KEVs in 28% of imaging devices across nearly all organizations studied. Beyond strictly clinical devices, Hospital Information Systems (HIS) and OT environments carry significant exposure: building management systems controlling HVAC, power, and fire safety in operating rooms can be compromised to disrupt care indirectly.

In the broader CPS space, Team82 has documented vulnerabilities in ICS cloud management platforms (including CODESYS Automation Server and WAGO PLC platforms), demonstrating attack paths connecting cloud infrastructure to field-level devices. Their security reports track an 80% increase in vendor self-disclosures over 18 months, suggesting manufacturer security practices are maturing partly in response to external research pressure.

Public Reports, Tools, and How They Feed Claroty's Platform

Team82 publishes several types of public resources: security reports analyzing vulnerability trends across industrial, healthcare, and commercial connected devices; sector-specific Healthcare Exposures reports drawn from millions of real-world devices; and a public vulnerability dashboard listing Team82-discovered CVEs with affected products, vendors, and remediation guidance.

Team82 also releases open tools for the security community, including protocol stack detectors for EtherNet/IP and CIP, OPC UA fuzzing tools, and MMS protocol implementation detectors. Primarily for security researchers and OT engineers, these tools also benefit healthcare organizations by strengthening the overall security testing ecosystem for CPS devices.

Critically, Team82 discoveries feed directly back into Claroty's platform. New vulnerability intelligence, detection signatures, and risk-scoring adjustments flow from research to product, so customers benefit from the latest findings without waiting for public database updates.

How Claroty Supports a Modern Medical Device Security Program

Mapping Claroty to a Healthcare Security Program

A mature medical device security program needs coordinated capabilities across five domains. Claroty's platform covers four: asset inventory and classification (continuous discovery of every IoMT, OT, and IT device), vulnerability management and patch prioritization (risk-scored CVE tracking with KEV and ransomware context), network segmentation support (device context and risk data feeding enforcement platforms), and incident detection and response (anomaly detection, baseline deviation alerts, and contextual triage information).

Policy enforcement and least-privilege access control, the fifth domain, demands an enforcement layer that translates Claroty's device data into actual network controls. Microsegmentation platforms bridge this gap. Solutions like Elisity ingest device attributes from Claroty through bidirectional API integrations, use that enriched context to classify devices into policy groups, and enforce granular access controls directly through existing Cisco, Arista, Juniper and other network switches, with no agents or new hardware required.

Practical Architecture Patterns for Hospitals

Healthcare organizations typically deploy Claroty in one of three architecture patterns depending on size and complexity.

A single hospital deployment places Claroty sensors on network spans or taps at key aggregation points, with xDome running in the cloud for centralized management. Device data flows into a microsegmentation platform's identity engine, which enforces policies through existing access-layer switches. Community hospitals and single-facility organizations find this pattern works well.

Multi-site health systems and integrated delivery networks deploy sensors at each facility while managing policy centrally through xDome's cloud platform. Device intelligence aggregates across all sites, enabling risk benchmarking between facilities and consistent policy enforcement enterprise-wide. Site-specific policy variations accommodate local operational requirements without fragmenting the security model.

Organizations with mature security operations integrate Claroty with SIEM platforms (Splunk, Microsoft Sentinel), ITSM tools (ServiceNow), and CMMS/biomed inventory systems (TRIMEDX RSQ, Accruent) to create unified workflows for vulnerability tracking, incident response, and device lifecycle management.

Outcomes and Metrics Worth Tracking

Organizations deploying Claroty alongside a microsegmentation enforcement platform should track progress against measurable outcomes:

  • Devices discovered vs. CMDB baseline (most organizations find 30–50% more connected devices than previously documented)
  • Percentage of high-risk IoMT devices under active segmentation policy (targeting 100% coverage for KEV-bearing devices)
  • Mean time from vulnerability disclosure to compensating control deployment
  • Reduction in KEV-exposed, internet-connected IoMT devices quarter over quarter
  • Segmentation coverage percentage across clinical device categories (imaging, infusion, monitoring, surgical, facilities)
  • Audit response time reduction for HIPAA, HITRUST, and state-specific requirements

These metrics give CISOs board-ready evidence that device security investments produce measurable risk reduction.

Comparing Claroty to Other Medical Device Security Approaches

Traditional IT Vulnerability Scanning vs. CPS-Aware Discovery

Standard IT vulnerability scanners like Nessus or Qualys work well for servers, workstations, and cloud infrastructure. They fall short in healthcare because aggressive scanning can disrupt sensitive medical devices, and generic fingerprinting often misidentifies IoMT assets or produces false-positive CVE matches. Claroty's CPS-aware approach uses passive monitoring and safe active queries designed specifically for medical and OT environments, correlating vulnerabilities against rich device profiles rather than simple IP-to-CVE lookups.

Pure IoMT Point Solutions vs. CPS Platforms

Some vendors offer IoMT-only visibility tools focused exclusively on clinical devices. While useful for biomedical engineering teams, these solutions often miss OT systems (HVAC, power, BMS), IT infrastructure, and broader connected devices that collectively make up a hospital's attack surface. Claroty's CPS platform approach covers IoMT, OT, BAS, and IT assets under one roof, and that matters because attackers don't respect domain boundaries. A compromised building management system can serve as a pivot point into clinical networks.

Visibility-Only Platforms vs. Visibility Plus Enforcement

Device visibility without enforcement creates a gap. Knowing that 89% of healthcare organizations have devices carrying ransomware-linked KEVs has value, but reducing risk requires translating that knowledge into network controls. Claroty handles visibility and risk scoring. Microsegmentation platforms like Elisity handle enforcement. Together, they create a closed-loop system where device data drives policy, and policy enforcement status feeds back to Claroty for verification. Organizations evaluating Claroty should plan for this integration from day one: visibility without enforcement leaves devices exposed.

FAQs: Claroty and Medical Device Security

How does Claroty help with FDA and healthcare cybersecurity compliance?

Claroty supports compliance by providing continuous device inventory (aligning with proposed 2025 HIPAA Security Rule updates), risk-based vulnerability prioritization (matching HHS 405(d) HICP requirements), and device context for network segmentation (as CISA, NIST, and IEC 62443 guidance recommend). Claroty also supports SBOM uploads and VEX files, aligning with FDA post-market cybersecurity guidance for medical device manufacturers.

Can Claroty protect legacy medical devices that can't be patched?

Claroty provides visibility and risk context for legacy devices, but protection requires a network enforcement layer. When patching isn't feasible due to OEM constraints, FDA validation requirements, or unsupported operating systems, compensating controls like network-based microsegmentation restrict device communications to only the clinical systems required for operation, without installing agents or modifying the device itself.

Does Claroty replace existing firewalls, or work alongside them?

Claroty works alongside existing security infrastructure, not as a replacement. Claroty adds CPS-specific visibility and risk intelligence that firewalls, SIEM platforms, and endpoint detection tools lack, and integrates with them through APIs and standard connectors to strengthen the overall security architecture.

How does Team82 differ from internal vendor PSIRT teams?

Vendor PSIRT (Product Security Incident Response) teams focus on their own products. Team82 researches vulnerabilities across the entire CPS ecosystem (spanning hundreds of vendors, device types, and protocols) and publishes findings benefiting the broader healthcare community. Because Team82 operates independently from device manufacturers, commercial relationships with OEMs don't influence their risk assessments.

How does device intelligence from Claroty become enforceable network policy?

Through native API integrations with microsegmentation platforms. Claroty exports device attributes (type, manufacturer, model, OS, firmware, risk score, KEV status, and custom tags) to enforcement platforms like Elisity. Those attributes feed into an identity model and serve as match criteria, assigning devices into policy groups with least-privilege access rules. Microsegmentation then enforces those rules through existing network switches and shares enforcement status back to Claroty for verification.
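The attribute-to-policy-group step described in this answer, as an added example (not Claroty's or Elisity's schema, API, or code): exported attributes act as match criteria, the first matching group wins, and anything unmatched fails closed. Group names, destinations, the risk threshold of 80, and the sample devices are hypothetical.

```python
# Hypothetical policy model for illustration only.
# Groups are evaluated top to bottom and the first match wins, so a
# risk-specific group must sit above the general group for the same type.
POLICY_GROUPS = [
    {"name": "imaging-kev-restricted",
     "match": {"type": "imaging", "kev": True},
     "allow": {("pacs", 104)}},  # DICOM to the archive only
    {"name": "imaging-high-risk",
     "match": {"type": "imaging", "min_risk_score": 80},
     "allow": {("pacs", 104)}},
    {"name": "imaging-standard",
     "match": {"type": "imaging"},
     "allow": {("pacs", 104), ("vendor-remote-support", 443)}},
    {"name": "infusion-pumps",
     "match": {"type": "infusion_pump"},
     "allow": {("pump-server", 443)}},
]

# Devices that match no group get no permitted flows (default deny).
QUARANTINE = {"name": "quarantine", "match": {}, "allow": set()}


def matches(attrs, criteria):
    """True only if every criterion is satisfied; a missing attribute never matches."""
    for key, wanted in criteria.items():
        if key == "min_risk_score":
            score = attrs.get("risk_score")
            if not isinstance(score, (int, float)) or score < wanted:
                return False
        elif key == "tag":
            if wanted not in attrs.get("tags", ()):
                return False
        elif attrs.get(key) != wanted:
            return False
    return True


def assign_group(attrs):
    """Return the first policy group whose criteria the device satisfies."""
    for group in POLICY_GROUPS:
        if matches(attrs, group["match"]):
            return group
    return QUARANTINE


def is_allowed(attrs, dest, port):
    """Least privilege: a flow is permitted only if the device's group lists it."""
    return (dest, port) in assign_group(attrs)["allow"]


# Constructed device records using the attribute names listed in the answer above.
# Both CT scanners sit on the same VLAN; only their risk attributes differ.
CT_CLEAN = {"type": "imaging", "manufacturer": "ExampleMed", "model": "CT-9",
            "os": "Windows 10", "firmware": "4.2", "risk_score": 35,
            "kev": False, "tags": ["radiology"], "vlan": 210}
CT_KEV = dict(CT_CLEAN, risk_score=92, kev=True)
CT_RISKY = dict(CT_CLEAN, risk_score=85)
PUMP = {"type": "infusion_pump", "manufacturer": "ExampleMed", "risk_score": 20,
        "kev": False, "tags": ["icu"], "vlan": 220}
UNPROFILED = {"manufacturer": "ExampleMed", "vlan": 210}  # type never identified

if __name__ == "__main__":
    for dev in (CT_CLEAN, CT_KEV, CT_RISKY, PUMP, UNPROFILED):
        print(dev.get("type"), "->", assign_group(dev)["name"])
```
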

Turning Device Intelligence Into Operational Confidence

What healthcare security leaders have been building toward comes down to this: a continuously updated understanding of every connected device's identity, risk, and protection status. Pair that understanding with network-based microsegmentation that enforces identity-based policies without agents or downtime, and your organization gains real operational confidence to protect patient care and stay compliant.

For CISOs and security architects managing large device fleets, the playbook is straightforward. Deploy device intelligence for visibility and risk context. Integrate with an enforcement platform that applies least-privilege controls at the network edge. Verify continuously that every discovered device sits under active protection. Every piece of technology you need exists today. Organizations seeing the best outcomes treat visibility and enforcement as a single, integrated architecture, not separate projects.

To see how Claroty's device intelligence and Elisity's identity-based microsegmentation work together in practice, download the Claroty-Elisity Integration Brief. Ready to explore what microsegmentation looks like in your environment? Schedule a consultation with our microsegmentation solution experts.
