Healthcare’s Achilles’ Heel: Slow Vulnerability Fixes Leave Sensitive Data Exposed
Healthcare organizations are the tortoises of vulnerability remediation. According to Cobalt’s State of Pentesting in Healthcare 2025 report, they leave serious security flaws open for ages. While they quickly tackle critical issues in business assets, other vulnerabilities linger like that one sock behind the dryer. It’s time to close the remediation gap!

Hot Take:
Imagine a hospital where the only thing slower than the line for the cafeteria is the response time to patching vulnerabilities. Yep, that’s the healthcare sector’s cybersecurity approach in a nutshell: a leisurely stroll when they should be sprinting. It’s like they think data breaches come with a “take a number” system. Get your act together, HCOs, we’re not asking for a miracle cure here, just timely software patches!
Key Points:
- Healthcare organizations are lagging in remediating serious vulnerabilities, with a median time to resolve of 58 days, which is over twice as long as the hospitality sector.
- Only 57% of serious findings are remedied, placing healthcare near the bottom among 13 industries.
- The time taken to resolve half of all serious findings in healthcare is a whopping 244 days.
- Business-critical assets are prioritized, with 43% of vulnerabilities resolved within 1-3 days.
- The healthcare sector is under constant threat from data thieves and ransomware, with edge vulnerabilities being a major target.
Doctor, I Think My Security is Broken!
In a new report by Cobalt, healthcare organizations (HCOs) are shown to be laggards when it comes to addressing serious vulnerabilities. If cybersecurity were a race, HCOs would still be stretching while other sectors crossed the finish line. Only 13% of discovered bugs are serious, but just like a toddler with a crayon, it only takes one to ruin the walls. While the transportation sector zips ahead with an 80% resolution rate for serious findings, healthcare is stuck in the slow lane at 57%.
Paging Dr. Slowpoke, You Have a Vulnerability Waiting
It’s one thing to have vulnerabilities, but it’s another to let them marinate for 244 days before even half are fixed. That’s like setting a reminder to take out the trash next year. The healthcare sector sits comfortably in the “struggling” quadrant, sandwiched between outdated antivirus software and that one IT guy who thinks “password” is a secure login choice. The sector’s MTTR (Median Time to Resolve) for serious findings is 58 days, placing them 10th out of 13 industries. Meanwhile, the hospitality industry is practically speed dating vulnerabilities with a 20-day MTTR.
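The two numbers above measure different things: MTTR is the median time among findings that actually got fixed, while "244 days to resolve half of all serious findings" keeps still-open findings in the denominator. The script below is an added example, not code or methodology from Cobalt or the report; it computes both metrics, plus the resolution rate and the share of business-critical findings closed within three days, over a small constructed set of findings (the finding IDs, dates, criticality labels and the 2025-01-01 report date are all made up), and goes one step beyond the text by flagging open findings that have blown past a remediation SLA.

```python
from datetime import date
from statistics import median

# Constructed sample findings for a fictional healthcare org (not Cobalt data).
# Tuple layout: (finding id, asset criticality, date opened, date resolved or None if open)
FINDINGS = [
    ("F-01", "business-critical", date(2024, 3, 1),  date(2024, 3, 2)),
    ("F-02", "business-critical", date(2024, 3, 5),  date(2024, 3, 8)),
    ("F-03", "business-critical", date(2024, 4, 1),  date(2024, 4, 3)),
    ("F-04", "business-critical", date(2024, 4, 10), date(2024, 5, 20)),
    ("F-05", "other",             date(2024, 1, 15), date(2024, 1, 25)),
    ("F-06", "other",             date(2024, 2, 1),  date(2024, 4, 1)),
    ("F-07", "other",             date(2024, 2, 15), date(2024, 9, 15)),
    ("F-08", "other",             date(2024, 3, 1),  None),
    ("F-09", "other",             date(2024, 5, 1),  None),
    ("F-10", "other",             date(2024, 6, 1),  None),
]
REPORT_DATE = date(2025, 1, 1)  # constructed "as of" date for the snapshot


def _resolved(findings):
    """Findings that carry a resolution date."""
    return [f for f in findings if f[3] is not None]


def days_to_resolve(finding):
    """Calendar days between opening and resolution (resolved findings only)."""
    return (finding[3] - finding[2]).days


def resolution_rate(findings):
    """Share of findings resolved at all (the report's 'X% of serious findings remedied')."""
    return len(_resolved(findings)) / len(findings)


def median_time_to_resolve(findings):
    """MTTR as the report uses it: median days across findings that were resolved.
    Open findings are excluded, so MTTR can look far better than the time it takes
    to clear half of *all* findings."""
    return median(days_to_resolve(f) for f in _resolved(findings))


def days_until_half_resolved(findings):
    """Smallest d such that at least half of ALL findings (open ones count in the
    denominator) were resolved within d days of being opened.
    Returns None if fewer than half have been resolved, i.e. the milestone has
    not been reached yet."""
    times = sorted(days_to_resolve(f) for f in _resolved(findings))
    needed = -(-len(findings) // 2)  # ceil(n / 2)
    if len(times) < needed:
        return None
    return times[needed - 1]


def share_resolved_within(findings, max_days, criticality=None):
    """Fraction of findings (optionally restricted to one criticality) resolved
    within max_days, e.g. business-critical findings closed in 1-3 days."""
    pool = [f for f in findings if criticality is None or f[1] == criticality]
    fast = [f for f in pool if f[3] is not None and days_to_resolve(f) <= max_days]
    return len(fast) / len(pool)


def open_findings_older_than(findings, sla_days, as_of=REPORT_DATE):
    """IDs of still-open findings whose age exceeds a remediation SLA (in days)."""
    return [f[0] for f in findings if f[3] is None and (as_of - f[2]).days > sla_days]


if __name__ == "__main__":
    print("resolution rate:        %.0f%%" % (100 * resolution_rate(FINDINGS)))
    print("MTTR (resolved only):   %d days" % median_time_to_resolve(FINDINGS))
    print("half of ALL resolved in:", days_until_half_resolved(FINDINGS), "days")
    print("business-critical <=3d: %.0f%%"
          % (100 * share_resolved_within(FINDINGS, 3, "business-critical")))
    print("open past 90-day SLA:   ", open_findings_older_than(FINDINGS, 90))
```

On this constructed data the MTTR is 10 days but half of all findings are only cleared after 40 days, because three findings were never closed; the same effect is what separates the report's 58-day MTTR from its 244-day figure. The SLA check is the piece a tracking dashboard needs so that the long tail of open findings stays visible rather than quietly dropping out of the median.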
Emergency Room for Cybersecurity
The silver lining in this digital disaster is that when it comes to business-critical assets, HCOs can transform into cybersecurity ninjas. A swift 43% of serious findings get resolved in just 1-3 days. But just like a hospital that triages only the bleeding patients, this focus can leave other vulnerabilities hanging around like unwanted party guests. Cobalt’s Jason Lamar warns that these seemingly benign bugs can snowball into a full-blown cybersecurity avalanche if left unchecked.
The Health of Healthcare Security is in Critical Condition
With data thieves and ransomware actors lurking like nosy neighbors, the healthcare sector remains a prime target for malicious attacks. According to a recent report by Darktrace, 2024 saw an increase in attacks exploiting edge vulnerabilities, which accounted for 36% of initial access methods. It’s like leaving the back door wide open and then wondering why the cat keeps getting out.
It’s Time for a Cyber Check-Up
Cobalt CTO Gunter Ollmann sounded the alarm, highlighting that HCOs are inadvertently creating a “dangerous window of exposure.” While healthcare leaders fret over generative AI and third-party software risks, their Achilles’ heel remains the gaping hole where timely vulnerability resolutions should be. The moral of the story, folks? Prevention isn’t just better than cure—it’s the firewall against becoming the next headline.
In conclusion, while healthcare organizations may have the best intentions, their cybersecurity practices need a dose of urgency. It’s time for HCOs to kick their vulnerability remediation into high gear and put an end to the “waiting room” approach to cybersecurity. If not, they might find themselves in the operating theater, performing open-heart surgery on their security systems.