
Healthcare underperforms in vulnerability remediation: Report
The healthcare sector finds serious vulnerabilities in a timely manner, pentesting data shows, but takes longer than other industries to remediate those vulnerabilities.
The healthcare sector is generally good at finding and preventing serious cybersecurity vulnerabilities, but it underperforms in remediating those vulnerabilities, a new report from penetration testing firm Cobalt shows.
Cobalt analyzed pentesting data from the past decade and survey responses from 500 security leaders and practitioners to shed light on healthcare's security posture. Pentesting, a simulated attack against an organization's systems, is a key proactive measure that organizations can take to identify and address vulnerabilities before real attackers exploit them.
Researchers found that healthcare ranked sixth out of 13 industries in preventing serious vulnerabilities, and that serious vulnerabilities made up only about 13% of all healthcare vulnerability findings.
"Regulatory pressure may help explain the low prevalence of serious findings in the healthcare industry," the report stated. "Rules such as the Health Insurance Portability and Accountability Act (HIPAA) have forced healthcare organizations to protect patient data by proactively assessing risk and preventing vulnerabilities."
However, healthcare had a 57% resolution rate for serious findings, ranking 11th out of 13 industries. Additionally, healthcare had a 58-day median time to resolve (MTTR) serious findings and a 244-day half-life for serious findings, meaning it took 244 days for half of the serious findings to be resolved.
"Healthcare organizations' low resolution rate is compounded by longer times to resolve findings they actually fix," the report stated, noting that healthcare had the fourth-highest MTTR of all the studied industries.
While healthcare pentesting results showed fewer serious findings than other industries, each unresolved serious finding leaves healthcare data exposed for as long as it remains open, so slow remediation erodes the advantage gained by finding fewer issues in the first place.
Cobalt attributed the low resolution rates to potential divisions between departments ordering pentests and teams implementing fixes, technology roadblocks, resource constraints and the difficulties less mature teams face when managing complex remediations.
Although pentesting is a recognized cybersecurity best practice, 65% of respondents said that pentest scheduling has been "occasionally or frequently delayed by security, compliance or business initiatives."
Although the pentest data shows slow vulnerability resolution times, Cobalt's survey found that most healthcare organizations report meeting the remediation deadlines specified in their service level agreements. About 94% of survey respondents said they fix serious findings in business-critical assets within two weeks, a self-reported figure that sits well below the 58-day median observed in the pentest data.
Overall, the data suggests that healthcare organizations must focus on maintaining their strength in preventing serious vulnerabilities while making efforts to improve remediation processes and timelines.
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.