{"id":121495,"date":"2025-09-05T09:44:21","date_gmt":"2025-09-05T09:44:21","guid":{"rendered":"https:\/\/www.newsbeep.com\/ca\/121495\/"},"modified":"2025-09-05T09:44:21","modified_gmt":"2025-09-05T09:44:21","slug":"healthcare-sector-takes-58-days-to-resolve-serious-vulnerabilities","status":"publish","type":"post","link":"https:\/\/www.newsbeep.com\/ca\/121495\/","title":{"rendered":"Healthcare Sector Takes 58 Days to Resolve Serious Vulnerabilities"},"content":{"rendered":"<p>Healthcare organizations (HCOs) are among the slowest at remediating serious vulnerabilities, leaving systems and data exposed for weeks or even months, according to Cobalt.<\/p>\n<p>The penetration testing firm drew on a decade of internal data, as well as a survey of 500 US security leaders, to produce its State of Pentesting in Healthcare 2025 report.<\/p>\n<p>Its analysis covers four key metrics: frequency of serious vulnerabilities, resolution rate, median time to resolve (MTTR)\u00a0and the half-life of unresolved findings \u2013\u00a0i.e., the time to resolve 50% or more of findings.<\/p>\n<p>The report placed the sector firmly in the \u201cstruggling\u201d quadrant. Although serious flaws are relatively rare, accounting for only 13% of discovered bugs, resolution rates lag many other industries.<\/p>\n<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/clinical-data-stolen-kidney\/\" target=\"_blank\" rel=\"nofollow noopener\">Read more on healthcare breaches: Clinical Data Stolen in Cyber-Attack on Kidney Dialysis Provider DaVita<\/a><\/p>\n<p>Cobalt found that HCOs:<\/p>\n<p>\tRemediated only 57% of serious findings, ranking the sector 11 of 13 industries, and way behind first-placed transportation (80%)<br \/>\n\tHad a MTTR for serious findings of 58 days, ranking the sector 10 of 13 industries. Hospitality led with 20 days<br \/>\n\tTook 244 days to remediate half of all serious findings, ranking HCOs 11\u00a0of 13 industries. Transportation was first with 43 days<\/p>\n<p>Cobalt CTO, Gunter Ollmann, warned that HCOs are unwittingly creating a \u201cdangerous window of exposure\u201d by failing to remediate promptly.<\/p>\n<p>\u201cOur <a href=\"https:\/\/resource.cobalt.io\/state-of-pentesting-healthcare-2025\" target=\"_blank\" rel=\"nofollow noopener\">survey data<\/a> shows that leaders are most worried about genAI and third-party software risk, yet their ability to resolve vulnerabilities lags behind,\u201d he added.<\/p>\n<p>\u201cThe takeaway is clear: prevention alone isn\u2019t enough \u2013 healthcare must close the remediation gap and address structural barriers like scheduling delays if it wants to safeguard patient trust and maintain compliance.\u201d<\/p>\n<p>Critical Issues Are Being Fixed Fast<\/p>\n<p>The good news is that serious findings in business-critical assets are being addressed quickly by HCOs. The report revealed that 43% resolve these in 1-3 days, and 37% in 4-7 days. \u00a0<\/p>\n<p>However, this approach may lead to a false sense of security. Cobalt SVP Jason Lamar warned that innocuous-seeming bugs could still have a devastating impact on organizations.<\/p>\n<p>\u201cThis focus on SLA-bound fixes can cause other serious, but non-critical, vulnerabilities to linger and contribute to security debt. For example, an unresolved information disclosure vulnerability in a web application could expose to an attacker the server software\u2019s version,\u201d he explained.<\/p>\n<p>\u201cOn its own, this doesn\u2019t sound so bad; but armed with this kind information, the attacker could find known vulnerabilities to exploit the software and compromise the application.\u201d<\/p>\n<p>The healthcare sector remains one of the most frequently targeted by data thieves and ransomware actors.<\/p>\n<p>A <a href=\"https:\/\/www.infosecurity-magazine.com\/news\/healthcare-cyber-attacks-intensify\/\" target=\"_blank\" rel=\"nofollow noopener\">recent report<\/a>\u00a0from Darktrace warned that attacks on the industry intensified in 2024, with exploitation of edge vulnerabilities (36%) the most popular initial access method.<\/p>\n","protected":false},"excerpt":{"rendered":"Healthcare organizations (HCOs) are among the slowest at remediating serious vulnerabilities, leaving systems and data exposed for weeks&hellip;\n","protected":false},"author":2,"featured_media":121496,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34],"tags":[49,48,84,392],"class_list":{"0":"post-121495","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-healthcare","8":"tag-ca","9":"tag-canada","10":"tag-health","11":"tag-healthcare"},"_links":{"self":[{"href":"https:\/\/www.newsbeep.com\/ca\/wp-json\/wp\/v2\/posts\/121495","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.newsbeep.com\/ca\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newsbeep.com\/ca\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/ca\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/ca\/wp-json\/wp\/v2\/comments?post=121495"}],"version-history":[{"count":0,"href":"https:\/\/www.newsbeep.com\/ca\/wp-json\/wp\/v2\/posts\/121495\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/ca\/wp-json\/wp\/v2\/media\/121496"}],"wp:attachment":[{"href":"https:\/\/www.newsbeep.com\/ca\/wp-json\/wp\/v2\/media?parent=121495"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newsbeep.com\/ca\/wp-json\/wp\/v2\/categories?post=121495"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newsbeep.com\/ca\/wp-json\/wp\/v2\/tags?post=121495"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}