SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers

Healthcare sector slow to fix vulnerabilities despite strong prevention

Thu, 4th Sep 2025

A new report has found that while healthcare organisations are effective at preventing serious security vulnerabilities, they often take considerably longer than other industries to resolve these issues once identified, leaving sensitive data at risk for extended periods.

The State of Pentesting in Healthcare 2025, released by Cobalt, draws from ten years of penetration testing data across thirteen industries, complemented by survey responses from five hundred security leaders and practitioners at organisations ranging from five hundred to ten thousand employees. The findings highlight a paradox in healthcare security performance: comparatively strong prevention of major vulnerabilities, but slow remediation rates.

Resolution delays

The report details that only 13.3% of pentest findings within healthcare qualify as "serious", ranking the industry sixth-best for the frequency of critical vulnerabilities. However, it also reveals that healthcare resolves just 57.4% of these serious findings, placing it eleventh out of thirteen industries measured. By contrast, the transportation sector leads in this regard, resolving 80.2% of serious issues.

In terms of resolution speed, the median time to resolve serious findings within healthcare is 58 days, ranking tenth out of the thirteen industries. Hospitality companies resolve such vulnerabilities far more quickly, with a median of just 20 days.

Perhaps most notably, the report's analysis of the "half-life" of unresolved findings - the time it takes to resolve half of the outstanding serious issues - puts healthcare's figure at 244 days. This lengthy timeframe places the sector near the bottom of the rankings, at eleventh, and far behind the top-performing industry, where the half-life is just 43 days.

Backlogs and prioritisation

The report notes that the main backlog in the healthcare sector accrues among lower-priority issues, while business-critical assets are generally addressed faster. Almost 40% of healthcare organisations stipulate service-level agreement (SLA) deadlines of three days or less for resolving serious findings in business-critical assets, and another 40% require resolution in four to fourteen days. Accordingly, survey data show that 43% of healthcare organisations do resolve critical findings in one to three days, with another 37% doing so in four to seven days, and 14% within eight to fourteen days.

Despite this prioritisation, backlogs continue to grow, particularly for vulnerabilities judged less urgent. Healthcare leaders surveyed by Cobalt identified generative artificial intelligence and third-party software as their fastest-growing security concerns, with 71% citing genAI and 68% pointing to third-party software risks. Attacks involving data exposure, insider threats, and phishing were also highlighted.

Expert commentary

"The healthcare industry has made progress in reducing the overall frequency of critical vulnerabilities, but delays in remediation create a dangerous window of exposure," said Gunter Ollmann, CTO at Cobalt. "Our survey data shows that leaders are most worried about genAI and third-party software risk, yet their ability to resolve vulnerabilities lags behind."
"This gap is especially alarming given the ongoing wave of ransomware attacks targeting healthcare - such as the 2025 breach at DaVita, where over 900,000 patients' personal and clinical data were compromised. The takeaway is clear: prevention alone isn't enough - healthcare must close the remediation gap and address structural barriers like scheduling delays if it wants to safeguard patient trust and maintain compliance."

Integrating offensive security practices

Cobalt's analysis underscores that integrating offensive security measures, including penetration testing, into compliance and software development workflows can help healthcare organisations address both new and longstanding threats. By simulating real-world attacker behaviour and continuously testing their systems, organisations can not only detect vulnerabilities earlier but also reduce remediation timelines and prevent the accumulation of unresolved issues.

The research for this year's report was conducted with input from Emerald Research, an independent third-party research firm, and included a representative sample of senior security managers and practitioners across the sector. The combination of historical penetration testing data and current survey insights is designed to provide a holistic view of the state of cyber security in healthcare for 2025.
