Healthcare organizations (HCOs) are among the slowest at remediating serious vulnerabilities, leaving systems and data exposed for weeks or even months, according to Cobalt.
The penetration testing firm drew on a decade of internal data, as well as a survey of 500 US security leaders, to produce its State of Pentesting in Healthcare 2025 report.
Its analysis covers four key metrics: frequency of serious vulnerabilities, resolution rate, median time to resolve (MTTR) and the half-life of unresolved findings – i.e., the time to resolve 50% or more of findings.
The report placed the sector firmly in the “struggling” quadrant. Although serious flaws are relatively rare, accounting for only 13% of discovered bugs, resolution rates lag most other industries.
Cobalt found that HCOs:
Remediated only 57% of serious findings, ranking the sector 11th of 13 industries and well behind first-placed transportation (80%)
Had an MTTR for serious findings of 58 days, ranking the sector 10th of 13 industries. Hospitality led with 20 days
Took 244 days to remediate half of all serious findings, ranking HCOs 11th of 13 industries. Transportation was first with 43 days
Cobalt CTO Gunter Ollmann warned that HCOs are unwittingly creating a “dangerous window of exposure” by failing to remediate promptly.
“Our survey data shows that leaders are most worried about genAI and third-party software risk, yet their ability to resolve vulnerabilities lags behind,” he added.
“The takeaway is clear: prevention alone isn’t enough – healthcare must close the remediation gap and address structural barriers like scheduling delays if it wants to safeguard patient trust and maintain compliance.”
Critical Issues Are Being Fixed Fast
The good news is that serious findings in business-critical assets are being addressed quickly by HCOs. The report revealed that 43% resolve these in 1-3 days, and 37% in 4-7 days.
However, this approach may lead to a false sense of security. Cobalt SVP Jason Lamar warned that innocuous-seeming bugs could still have a devastating impact on organizations.
“This focus on SLA-bound fixes can cause other serious, but non-critical, vulnerabilities to linger and contribute to security debt. For example, an unresolved information disclosure vulnerability in a web application could expose to an attacker the server software’s version,” he explained.
“On its own, this doesn’t sound so bad; but armed with this kind of information, the attacker could find known vulnerabilities to exploit the software and compromise the application.”
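The information-disclosure case Lamar describes is usually a version string in an HTTP response header. The following is an added example (not Cobalt's code or anything from the report) that parses raw HTTP responses and reports every product/version pair they leak, so the finding can be tracked alongside SLA-bound criticals rather than left to accumulate. The three sample responses are constructed for the example; the header names and regular expressions are the author's assumptions about what such a check should cover.

```python
import re
from typing import List, Tuple

# Response headers that routinely leak the product and version of the stack
# behind a web application (the information-disclosure case discussed above).
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# Product name to report for headers whose value is a bare version number.
BARE_VERSION_PRODUCT = {"x-aspnet-version": "ASP.NET"}

# Matches tokens such as "Apache/2.4.41", "OpenSSL/1.1.1f", "Microsoft-IIS/10.0".
PRODUCT_VERSION_RE = re.compile(r"(?P<product>[A-Za-z][\w.-]*)/(?P<version>\d[\w.-]*)")
# Matches a bare dotted version such as "4.0.30319".
BARE_VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_response_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (lower-cased name, value) pairs from the head of a raw HTTP/1.x response.

    Duplicate headers are kept in response order rather than collapsed into a dict.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:  # line 0 is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def find_version_disclosures(raw: str) -> List[Tuple[str, str, str]]:
    """Return (header, product, version) for every version number a response leaks.

    A header that names only the product ("Server: Apache") is not reported:
    it is the version that lets an attacker look up known vulnerabilities.
    """
    findings = []
    for name, value in parse_response_headers(raw):
        if name not in DISCLOSURE_HEADERS:
            continue
        # One header can carry several components, e.g.
        # "Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f", so check each token.
        for token in value.split():
            m = PRODUCT_VERSION_RE.fullmatch(token)
            if m:
                findings.append((name, m.group("product"), m.group("version")))
            elif BARE_VERSION_RE.fullmatch(token):
                findings.append((name, BARE_VERSION_PRODUCT.get(name, name), token))
    return findings


# Constructed sample responses (not captured from any real system).
LEAKY_LAMP = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 06 Jan 2025 10:00:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)
LEAKY_IIS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)

if __name__ == "__main__":
    for label, sample in (("LAMP", LEAKY_LAMP), ("IIS", LEAKY_IIS), ("hardened", HARDENED)):
        print(label, find_version_disclosures(sample))
```

Run against the constructed samples, the check reports Apache 2.4.41, OpenSSL 1.1.1f and PHP 7.4.3 for the first response, IIS 10.0 and ASP.NET 4.0.30319 for the second, and nothing for the hardened one. Suppressing the banner is a configuration change (`server_tokens off;` in nginx, `ServerTokens Prod` plus `ServerSignature Off` in Apache httpd, `expose_php = Off` in php.ini), but it only removes the shortcut; the underlying software still needs to be patched, which is exactly the remediation gap the report describes.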
The healthcare sector remains one of the most frequently targeted by data thieves and ransomware actors.
A recent report from Darktrace warned that attacks on the industry intensified in 2024, with exploitation of edge vulnerabilities (36%) the most popular initial access method.