Healthcare organizations are less likely than other industries to have critical cybersecurity vulnerabilities, since they are typically good at prevention; however, once vulnerabilities are discovered, healthcare lags other industries in remediating them. These are the conclusions of recent research on penetration testing data, combined with a survey of 500 U.S. security leaders, by the Pentest-as-a-Service (PTaaS) firm Cobalt. The results are documented in its State of Pentesting in Healthcare 2025 report.
Critical cybersecurity vulnerabilities are comparatively rare in healthcare. The industry ranks #6 of the 13 sectors listed, with only 13.3% of the vulnerabilities discovered through pentesting rated serious. Whenever penetration tests do find critical vulnerabilities, they must be remediated immediately: for as long as a vulnerability stays unresolved, a threat actor can potentially exploit it.
The standard measure of how long a remediation takes is median time to resolve (MTTR), which is 58 days for critical vulnerabilities in healthcare, placing the sector #11 of 13 on MTTR. When Cobalt plotted the frequency of critical vulnerabilities against the resolution rate, healthcare landed in the "struggling" classification: low incidence but low resolution. The desirable classification is low incidence and high resolution.
Although MTTR is a standard security metric, it can be misleading because it is computed only from vulnerabilities that have actually been resolved. Cobalt states that 52% of pentest findings are not resolved at all. A complete picture therefore requires the survival half-life: the time it takes to resolve 50% of all discovered vulnerabilities, open ones included. An MTTR of 20 days looks excellent, but far less so when half of all critical vulnerabilities remain unresolved.
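The difference between the two metrics is easiest to see on a small dataset. The following Python script is an added example, not Cobalt's methodology or data: it computes MTTR the conventional way (median over resolved findings only) and then the survival half-life (the age at which half of all discovered findings, open ones included, have been resolved) over a constructed list of ten critical findings. The finding data, the function names and the treatment of still-open findings as right-censored are all assumptions made for the illustration.

```python
"""Compare MTTR (resolved findings only) with survival half-life (all findings).

Added example with constructed data; not Cobalt's method or numbers.
"""
from math import ceil
from statistics import median
from typing import List, Optional

# Constructed sample of 10 critical findings: days from discovery to resolution,
# or None when the finding is still open at the reporting snapshot.
# Five were fixed quickly, one dragged on, and five are still open.
CRITICAL_FINDINGS: List[Optional[int]] = [3, 5, 10, 12, 244, None, None, None, None, None]

# Second constructed sample where fewer than half were ever resolved.
MOSTLY_OPEN_FINDINGS: List[Optional[int]] = [3, 5, 10, None, None, None, None, None, None, None]


def mttr_days(resolve_days: List[Optional[int]]) -> Optional[float]:
    """Median time to resolve, computed only over findings that were resolved.

    This is how MTTR is usually reported, and why it ignores the backlog:
    open findings (None) are simply dropped before taking the median.
    """
    resolved = sorted(d for d in resolve_days if d is not None)
    if not resolved:
        return None
    return median(resolved)


def survival_half_life_days(resolve_days: List[Optional[int]]) -> Optional[int]:
    """Days until 50% of ALL discovered findings are resolved.

    Open findings count in the denominator but never contribute a resolution,
    so the half-life is the age at which the ceil(n/2)-th resolution happened.
    Returns None when fewer than half the findings were ever resolved: the
    half-way point has not been reached as of the snapshot.
    """
    n = len(resolve_days)
    if n == 0:
        return None
    resolved = sorted(d for d in resolve_days if d is not None)
    k = ceil(n / 2)            # the k-th resolution marks the half-way point
    if len(resolved) < k:
        return None
    return resolved[k - 1]


def unresolved_share(resolve_days: List[Optional[int]]) -> float:
    """Fraction of discovered findings still open at the snapshot."""
    n = len(resolve_days)
    return sum(1 for d in resolve_days if d is None) / n if n else 0.0


if __name__ == "__main__":
    for label, data in (("sample", CRITICAL_FINDINGS), ("mostly open", MOSTLY_OPEN_FINDINGS)):
        print(f"{label}: MTTR={mttr_days(data)} days, "
              f"half-life={survival_half_life_days(data)} days, "
              f"unresolved={unresolved_share(data):.0%}")
```

On the first sample MTTR is 10 days, which looks healthy, while the half-life is 244 days because the fifth resolution of ten findings only arrived then; on the second sample MTTR is 5 days and the half-life is undefined, since 70% of the findings were never closed. Reporting MTTR alone hides exactly the backlog the half-life exposes.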
According to the data, healthcare has the third-worst half-life score at 244 days, compared with 43 days for the leading sector, transportation; education is worst at 283 days. Cobalt remarks that the healthcare industry is generally good at prioritizing vulnerability remediation and mostly fixes critical issues promptly: 40% of SLAs require serious vulnerabilities in business-critical assets to be resolved within three days, and another 40% within 14 days.
Most organizations meet those deadlines, with 43% fixing critical vulnerabilities in 1-3 days, 37% in 4-7 days, and 14% in 8-14 days, though backlogs commonly build up in less critical areas. Healthcare is a closely regulated sector; HIPAA, for example, governs data security compliance. The HIPAA Security Rule requires a risk analysis to identify all risks and vulnerabilities to electronic PHI, which goes some way toward explaining the low incidence of critical vulnerabilities. HIPAA also imposes risk management requirements, and these show in the data: 94% of healthcare organizations address business-critical issues in under two weeks.
The long resolution times in many cases and healthcare's poor half-life score are probably due to several factors, including outdated systems that create technical hurdles, and resource limitations. Cobalt also notes probable divisions between the departments commissioning pentests and the teams applying the fixes, and less mature teams may struggle with complex remediations.
The survey found that the biggest security concerns in healthcare are GenAI (71%), third-party software (48%), and exploited vulnerabilities (40%). The attack vectors of greatest concern are third-party software (68%), AI-enabled features (45%), and phishing/malware (32%). Given the high level of concern around third-party software, Cobalt advises healthcare organizations to request full penetration testing reports from vendors before making a purchase. Cobalt also recommends integrating pentesting into the development lifecycle, proactively testing for AI and genAI vulnerabilities, adopting a programmatic approach to offensive security, and running regular red team exercises to test real-world detection and response capabilities.