Healthcare Sector: 58 Days to Patch Critical Security Flaws

Summary
– Healthcare organizations are among the slowest at remediating serious vulnerabilities, leaving systems exposed for extended periods.
– HCOs remediate only 57% of serious findings and take a median of 58 days to resolve them, ranking poorly among industries.
– The sector is considered “struggling” despite serious flaws being relatively rare, accounting for just 13% of discovered bugs.
– While critical issues are fixed quickly, this focus may create a false sense of security and allow other serious vulnerabilities to linger.
– Healthcare remains a top target for cyberattacks, with exploitation of edge vulnerabilities being a common initial access method in 2024.
Healthcare organizations consistently rank among the slowest when it comes to patching serious security vulnerabilities, often leaving sensitive systems and patient data exposed for extended periods. According to a recent analysis by penetration testing firm Cobalt, these delays create significant risks in an industry already under intense threat from cybercriminals.
The findings come from Cobalt’s State of Pentesting in Healthcare 2025 report, which draws on ten years of internal data and a survey of 500 U.S. security leaders. The study evaluated four core metrics: the frequency of serious vulnerabilities, resolution rates, median time to resolve (MTTR), and the half-life of unresolved findings, meaning how long it takes to address at least half of all identified issues.
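The four metrics above are easy to misread, because two of them treat still-open findings differently: a median time to resolve only counts findings that were actually closed, while the half-life counts open findings in its denominator and so keeps growing as long as they linger. The following added example (not code from Cobalt or from the report) computes all four over a constructed set of pentest findings; the metric definitions it implements are an assumption based on the article's wording, and the `Finding` class, field names and sample dates are invented for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from math import ceil
from statistics import median
from typing import List, Optional


@dataclass
class Finding:
    """One pentest finding. 'resolved' is None while the issue is still open."""
    ident: str
    severity: str            # "serious" or "other" (hypothetical labels)
    found: date
    resolved: Optional[date] = None

    def days_open(self) -> Optional[int]:
        """Days from discovery to fix, or None if the finding is still open."""
        return None if self.resolved is None else (self.resolved - self.found).days


def _serious(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.severity == "serious"]


def serious_frequency(findings: List[Finding]) -> float:
    """Share of all findings that are serious (the report's 'frequency' metric)."""
    return len(_serious(findings)) / len(findings) if findings else 0.0


def resolution_rate(findings: List[Finding]) -> float:
    """Fraction of serious findings that have been closed at all."""
    serious = _serious(findings)
    closed = [f for f in serious if f.resolved is not None]
    return len(closed) / len(serious) if serious else 0.0


def mttr_days(findings: List[Finding]) -> Optional[float]:
    """Median time to resolve, over CLOSED serious findings only.

    Open findings do not enter this number, which is why it can look
    healthy while a large backlog stays unpatched.
    """
    durations = [f.days_open() for f in _serious(findings) if f.resolved is not None]
    return median(durations) if durations else None


def half_life_days(findings: List[Finding]) -> Optional[int]:
    """Days after discovery by which at least half of ALL serious findings were closed.

    Open findings count toward the total, so the half-life is only reached
    once enough of them are fixed; None means it has not been reached yet.
    """
    serious = _serious(findings)
    if not serious:
        return None
    needed = ceil(len(serious) / 2)
    durations = sorted(d for d in (f.days_open() for f in serious) if d is not None)
    if len(durations) < needed:
        return None
    return durations[needed - 1]


def remediation_report(findings: List[Finding]) -> dict:
    """All four metrics in one dict, for dashboards or SLA reviews."""
    return {
        "serious_frequency": serious_frequency(findings),
        "resolution_rate": resolution_rate(findings),
        "mttr_days": mttr_days(findings),
        "half_life_days": half_life_days(findings),
    }


# Constructed sample data (not figures from the report): 8 serious findings,
# five closed after 2/5/30/60/90 days and three still open, plus 12 other
# findings all closed within a week.
BASE = date(2024, 3, 1)
SAMPLE: List[Finding] = (
    [Finding(f"S-{i}", "serious", BASE, BASE + timedelta(days=d))
     for i, d in enumerate([2, 5, 30, 60, 90], start=1)]
    + [Finding(f"S-{i}", "serious", BASE) for i in range(6, 9)]
    + [Finding(f"O-{i}", "other", BASE, BASE + timedelta(days=7)) for i in range(1, 13)]
)

if __name__ == "__main__":
    for name, value in remediation_report(SAMPLE).items():
        print(f"{name:>18}: {value}")
```

On the sample data the MTTR is 30 days but the half-life is 60 days: the three open findings drag the half-life out even though they never appear in the MTTR, which is the same shape as the 58-day versus 244-day gap the article reports. If fewer than half of the serious findings have been closed, `half_life_days` returns `None` rather than a misleadingly small number.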
Healthcare landed squarely in the “struggling” category. While serious flaws are relatively uncommon, making up just 13% of all discovered vulnerabilities, the sector’s remediation performance lags far behind most other industries.
Key statistics from the report reveal troubling patterns. Healthcare organizations remediated only 57% of serious findings, placing the sector 11th out of 13 industries. Even more concerning, the median time to resolve serious vulnerabilities reached 58 days, ranking 10th overall. Perhaps most alarming, it took an average of 244 days to remediate half of all serious findings, again placing healthcare near the bottom of the list.
Gunter Ollmann, CTO at Cobalt, emphasized that these delays unintentionally create a “dangerous window of exposure.” He noted that while healthcare leaders express concern over emerging risks like generative AI and third-party software, their ability to resolve known vulnerabilities remains inadequate. “Prevention alone isn’t enough,” Ollmann stressed. “Healthcare must close the remediation gap and tackle structural barriers, like scheduling delays, to protect patient trust and maintain compliance.”
There is some encouraging news. When it comes to business-critical assets, healthcare organizations act much more swiftly. The report indicates that 43% of serious flaws in these systems are resolved within 1–3 days, and another 37% are patched within a week.
However, this selective urgency may foster a false sense of security. Jason Lamar, SVP at Cobalt, warned that focusing only on SLA-bound fixes can allow other serious, though less immediately critical, vulnerabilities to persist. “An unresolved information disclosure flaw might seem minor,” he explained, “but it can give attackers just enough information to identify and exploit known software weaknesses, leading to full system compromise.”
This warning is especially relevant given that healthcare remains a prime target for ransomware groups and data thieves. A recent Darktrace report confirmed that attacks on the industry intensified throughout 2024, with exploitation of edge vulnerabilities emerging as the most common initial attack method, accounting for 36% of breaches.
(Source: Info Security)