The second quarter of 2025 saw a modest rebound in hospital mergers and acquisitions (M&A), with Kaufman Hall reporting eight announced deals. However, a closer look reveals a more complex landscape: half of these transactions were divestitures, no mega-mergers occurred, and the average seller generated just $175 million in annual revenue—well below historical averages. This smaller-scale, divestiture-heavy environment may not generate the headlines of past mega-deals, but it presents a quieter, yet critical risk: the proliferation of ghost assets.
Ghost assets refer to devices, systems, and technologies that, while active within hospital networks, do not appear in official inventories. Their invisibility complicates integration, exposes organizations to compliance gaps, and heightens operational risk at a time when financial margins are increasingly thin.
The Growing Challenge of Ghost Assets
Ghost assets are not a new phenomenon, but their presence is growing, particularly as smaller hospitals are often the sellers in today’s M&A landscape. These institutions typically have under-resourced Information Technology (IT) and Health Technology Management (HTM) teams. Documentation practices are inconsistent, procurement processes are decentralized, and inventories may not accurately reflect the technology in use. Consequently, when these facilities are acquired, the new owners inherit a shadow fleet of devices that can lead to significant complications.
The absence of mega-mergers does not equate to reduced risk. Rather, risk becomes fragmented. Numerous small acquisitions, divestitures, and expansions introduce new uncertainties with every transaction. The “chopped-up” nature of the market necessitates the integration of disparate inventories into a coherent and accurate overview.
Particularly concerning are rural facilities that larger systems shed. These hospitals often possess legacy devices, nonstandard technology, and minimal IT governance. While these transactions may appear straightforward on balance sheets, they may conceal unpatched firmware, unsupported operating systems, or undocumented Internet of Medical Things (IoMT) devices. For acquirers, this translates to absorbing not only assets but also potential liabilities.
Compliance Pressures Intensify
Regulatory bodies are tightening their expectations regarding asset visibility and lifecycle governance. The U.S. Department of Health and Human Services (HHS) has identified asset inventory and third-party risk management as priority areas for improvement within its Healthcare and Public Health Cybersecurity Performance Goals. Additionally, guidance from the Food and Drug Administration (FDA) on cybersecurity for medical devices underscores the necessity for transparent device inventories, shifting the expectation from best practice to regulatory requirement.
Organizations navigating mergers or divestitures must recognize that the gap between “known” and “unknown” assets can significantly impact compliance, potentially leading to failed audits and costly penalties.
Ghost assets also hinder the integration process itself. Every unknown device or middleware component increases troubleshooting time. Missing information about patch status, firmware versions, or vendor dependencies can stall vital upgrades to clinical systems. A recent analysis of 2.25 million IoMT devices across 351 healthcare delivery organizations found that 99% harbored devices with known vulnerabilities, and 89% featured insecure internet connectivity. These statistics highlight that ghost assets are not merely accounting discrepancies; they represent active points of failure that can delay integration and create ongoing risks to patient safety.
Addressing the visibility gap is essential for healthcare leaders. The prevalent question remains: where should organizations begin? The answer demands a shift in mindset regarding visibility and accountability across technology environments.
Asset visibility must evolve into a shared responsibility among clinical leaders, compliance officers, and finance executives. Each relies on accurate inventories, whether that understanding is explicit or not. Weak confidence in these data sets compromises the entire operational framework.
Moreover, organizations should build resilience into their integration processes. Each merger or divestiture brings new devices and systems, and asset discovery should not be a one-time project. Instead, it must become a continuous discipline, reinforced by automated discovery, real-time monitoring, and clear governance.
Finally, visibility must be intrinsically linked to compliance and patient safety outcomes. Regulators require more than surface-level documentation; they seek concrete proof that organizations understand their network assets, maintenance protocols, and existing vulnerabilities. Such diligence is vital for safeguarding patients against the hidden risks posed by ghost assets.
As healthcare leaders navigate the complexities of technology as both an enabler and a liability, they must acknowledge that in a climate of leaner margins and increasingly frequent divestitures, asset visibility will determine the success or failure of integrations. Ghost assets represent a significant threat to compliance, budget management, and patient safety. For hospital executives, compliance officers, and IT leaders alike, closing the visibility gap is no longer optional; it is fundamental to developing resilient, integrated, and compliant healthcare systems.
