Hospital Mergers Reveal Hidden Risks of Ghost Assets in Healthcare

The second quarter of 2025 saw a modest rebound in hospital mergers and acquisitions (M&A), with Kaufman Hall reporting eight announced deals. However, the landscape remains complex: half of these transactions were divestitures, there were no mega-mergers, and the average seller size was just $175 million in annual revenue, significantly lower than historical averages. This shift towards smaller-scale, divestiture-heavy deals introduces a pressing concern: the prevalence of ghost assets—devices and technologies that exist outside official inventories yet remain active within hospital networks.

Ghost assets complicate compliance and operational integrity, exposing healthcare organizations to vulnerabilities at a time when maintaining tight margins is essential. The challenge is particularly acute for smaller hospitals, which often serve as the sellers in these transactions. Typically, these facilities have under-resourced IT and Health Technology Management (HTM) teams, leading to inconsistent documentation and decentralized procurement processes. As a result, acquiring systems inherit a “shadow fleet” of devices that complicates integration efforts.

Understanding the Risks of Divestitures

The lack of mega-mergers does not equate to a decrease in risk. Instead, the fragmentation of smaller acquisitions and divestitures adds layers of uncertainty. Each transaction requires healthcare organizations to piece together disparate inventories into a cohesive understanding of assets.

For instance, as larger systems shed rural facilities, those hospitals often come with legacy devices, nonstandard technologies, and minimal IT governance. What may appear to be a straightforward transaction can conceal significant liabilities, including unpatched firmware and unsupported operating systems. For acquirers, this means absorbing not only the assets but also the potential risks associated with them.

Regulatory Pressures and Compliance Challenges

As the landscape evolves, regulatory bodies are tightening their expectations regarding visibility and lifecycle governance. The U.S. Department of Health and Human Services (HHS) has established healthcare cybersecurity performance goals that emphasize asset inventory and third-party risk management as critical areas for improvement. Additionally, the Food and Drug Administration (FDA) has issued guidance on cybersecurity for medical devices, mandating transparency in device inventories.

Accurate and verifiable inventories are now a regulatory necessity rather than an optional best practice. For organizations navigating mergers or divestitures, the disparity between known and unknown assets can be the decisive factor in passing audits or facing costly penalties.

Ghost assets further complicate integration processes. Each unknown sensor, device, or middleware component adds to troubleshooting overhead. Missing details such as patch status or firmware versions can stall critical clinical systems during necessary upgrades. A recent analysis of 2.25 million Internet of Medical Things (IoMT) devices across 351 healthcare delivery organizations revealed that 99% had devices with known vulnerabilities, while 89% exhibited insecure internet connectivity. These statistics highlight that ghost assets are not merely accounting oversights; they pose active risks that delay integration and jeopardize patient safety.

Closing the visibility gap is essential for healthcare executives, and it calls for a strategic shift in thinking about technology environments. Asset visibility must become a shared responsibility, engaging clinical leaders, compliance officers, and finance executives. If trust in data is compromised, the entire operational framework is built on shaky assumptions.

Organizations must also build resilience into their integration processes. Each merger or divestiture introduces new devices and systems, necessitating an ongoing commitment to asset discovery, supported by automated monitoring and robust governance practices. Visibility should be directly tied to compliance and patient safety outcomes, ensuring that organizations can provide evidence of their network’s assets, maintenance, and vulnerabilities.

Healthcare leaders recognize that technology can be both a facilitator and a liability. In an environment characterized by tighter margins and a focus on divestitures, the ability to achieve clear asset visibility will determine the success or failure of integrations. Ghost assets not only disrupt compliance but also strain budgets and compromise patient safety. For executives, compliance officers, and IT leaders, addressing the visibility gap is no longer optional; it is foundational to maintaining resilient, integrated, and compliant healthcare systems.

About Jeff Collins: Jeff Collins, CEO of WanAware, has over 25 years of experience in driving growth through transformative strategies. Recognizing a gap in effective IT observability solutions, he founded WanAware to provide modern resolutions to outdated legacy tools. Collins also holds leadership roles at 21Packets as Chairman and at Lightstream as Chief Strategy Officer, and he serves on the boards of multiple technology companies, enhancing his expertise in cybersecurity and data transformation.