{"id":2704,"date":"2025-09-07T09:52:52","date_gmt":"2025-09-07T09:52:52","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2025\/09\/07\/healthcare-sector-takes-58-days-to-resolve-serious-vulnerabilities\/"},"modified":"2025-09-07T09:52:52","modified_gmt":"2025-09-07T09:52:52","slug":"healthcare-sector-takes-58-days-to-resolve-serious-vulnerabilities","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2025\/09\/07\/healthcare-sector-takes-58-days-to-resolve-serious-vulnerabilities\/","title":{"rendered":"Healthcare Sector Takes 58 Days to Resolve Serious Vulnerabilities"},"content":{"rendered":"<div>\n<p><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2025\/06\/localimages\/ea721ff9-8ba4-4d88-b386-57e9e1606077.jpg?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of Phil Muncaster\" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Healthcare organizations (HCOs) are among the slowest at remediating serious vulnerabilities, leaving systems and data exposed for weeks or even months, according to Cobalt.<\/p>\n<p>The penetration testing firm drew on a decade of internal data, as well as a survey of 500 US security leaders, to produce its <em>State of Pentesting in Healthcare 2025<\/em> report.<\/p>\n<p>Its analysis covers four key metrics: frequency of serious vulnerabilities, resolution rate, median time to resolve (MTTR)\u00a0and the half-life of unresolved findings \u2013\u00a0i.e., the time to resolve 50% or more of findings.<\/p>\n<p>The report placed the sector firmly in the \u201cstruggling\u201d quadrant. 
Although serious flaws are relatively rare, accounting for only 13% of discovered bugs, resolution rates lag behind those of many other industries.<\/p>\n<p><em>Read more on healthcare breaches: Clinical Data Stolen in Cyber-Attack on Kidney Dialysis Provider DaVita<\/em><\/p>\n<p>Cobalt found that HCOs:<\/p>\n<ul>\n<li>Remediated only 57% of serious findings, ranking the sector 11 of 13 industries, and way behind first-placed transportation (80%)<\/li>\n<li>Had an MTTR for serious findings of 58 days, ranking the sector 10 of 13 industries. Hospitality led with 20 days<\/li>\n<li>Took 244 days to remediate half of all serious findings, ranking HCOs 11\u00a0of 13 industries. Transportation was first with 43 days<\/li>\n<\/ul>\n<p>Cobalt CTO Gunter Ollmann warned that HCOs are unwittingly creating a \u201cdangerous window of exposure\u201d by failing to remediate promptly.<\/p>\n<p>\u201cOur survey data shows that leaders are most worried about genAI and third-party software risk, yet their ability to resolve vulnerabilities lags behind,\u201d he added.<\/p>\n<p>\u201cThe takeaway is clear: prevention alone isn\u2019t enough \u2013 healthcare must close the remediation gap and address structural barriers like scheduling delays if it wants to safeguard patient trust and maintain compliance.\u201d<\/p>\n<h2>Critical Issues Are Being Fixed Fast<\/h2>\n<p>The good news is that serious findings in business-critical assets are being addressed quickly by HCOs. The report revealed that 43% resolve these in 1-3 days, and 37% in 4-7 days.<\/p>\n<p>However, this approach may lead to a false sense of security. Cobalt SVP Jason Lamar warned that innocuous-seeming bugs could still have a devastating impact on organizations.<\/p>\n<p>\u201cThis focus on SLA-bound fixes can cause other serious, but non-critical, vulnerabilities to linger and contribute to security debt. 
For example, an unresolved information disclosure vulnerability in a web application could expose to an attacker the server software\u2019s version,\u201d he explained.<\/p>\n<p>\u201cOn its own, this doesn\u2019t sound so bad; but armed with this kind of information, the attacker could find known vulnerabilities to exploit the software and compromise the application.\u201d<\/p>\n<p>The healthcare sector remains one of the most frequently targeted by data thieves and ransomware actors.<\/p>\n<p>A recent report from Darktrace warned that attacks on the industry intensified in 2024, with exploitation of edge vulnerabilities (36%) the most popular initial access method.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Healthcare organizations (HCOs) are among the slowest at remediating serious vulnerabilities, leaving systems and data exposed for weeks or even months, according to Cobalt. The penetration testing firm drew on a decade of internal data, as well as a survey of 500 US security leaders, to produce its State of Pentesting in Healthcare 2025 
report.<\/p>\n","protected":false},"author":2,"featured_media":2705,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2704","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2704-7c0efb6d-b70e-45e2-89a2-fb8db6507437.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2704-7c0efb6d-b70e-45e2-89a2-fb8db6507437-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2704-7c0efb6d-b70e-45e2-89a2-fb8db6507437.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2704-7c0efb6d-b70e-45e2-89a2-fb8db6507437.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2704-7c0efb6d-b70e-45e2-89a2-fb8db6507437.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2704-7c0efb6d-b70e-45e2-89a2-fb8db6507437.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2704-7c0efb6d-b70e-45e2-89a2-fb8db6507437.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2704-7c0efb6d-b70e-45e2-89a2-fb8db6507437.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2704-7c0efb6d-b70e-45e2-89a2-fb8db6507437.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2704-7c0efb6d-b70e-45e2-89a2-fb8db6507437.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2704-7c0efb6d-b70e-45e2-89a2-fb8db6507437-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a 
href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2704","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=2704"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2704\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/2705"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=2704"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=2704"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=2704"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}