In the high-stakes world of healthcare, cybersecurity is not just about protecting data. It’s about protecting patients. Lives are at stake. As a product leader at Cobalt, I’ve seen the incredible pressure on this industry to secure sensitive information against volley after volley of evolving threats.
Our new report, the State of Pentesting in Healthcare 2025, reveals a critical paradox: the healthcare industry is performing better than most at preventing serious vulnerabilities. Yet healthcare organizations struggle significantly to remediate quickly, leaving many vulnerabilities unresolved, and sensitive data exposed, for weeks or months.
This success in proactive prevention is commendable. Regulatory pressures like HIPAA have clearly pushed healthcare organizations to build stronger security programs. However, the report’s findings also highlight a growing "security debt"—a backlog of unresolved issues. This isn't just a technical problem; it's a strategic risk that demands immediate attention.
Top Findings: The State of Pentesting in Healthcare
Let's break down the key findings from the report.
Finding #1: Proactive prevention is a bright spot
First, the good news. Healthcare organizations are ahead of the curve in preventing the most critical issues. The industry has the sixth-lowest rate of serious findings out of the 13 industries analyzed. This demonstrates moderately successful risk assessment and proactive prevention measures, including regular pentesting, likely driven by strong compliance requirements.
Finding #2: Remediation lag creates dangerous "security debt"
Here's where the picture gets concerning. Despite finding fewer serious issues, healthcare is one of the slowest sectors to fix the ones that make it to production. The data reveals a 244-day half-life for serious findings, meaning it takes over eight months to resolve just 50% of these critical vulnerabilities. This ranks healthcare 11th out of 13 industries in remediation time. This slow pace of remediation creates a significant security debt, where unresolved vulnerabilities accumulate over time, compounding risk with each passing day.
Finding #3: An SLA paradox and a scheduling bottleneck
Paradoxically, most healthcare organizations are meeting their immediate deadlines. The report shows that 94% fix serious findings in business-critical assets within two weeks, meeting their Service Level Agreements (SLAs).
So, if critical assets are being fixed, what's the problem? The issue is twofold. First, this focus on SLA-bound fixes can cause other serious, but non-critical, vulnerabilities to linger and contribute to security debt. For example, an unresolved information disclosure vulnerability in a web application could expose the server software’s version to an attacker. On its own, this doesn’t sound so bad; but armed with this kind of information, the attacker could look up known vulnerabilities in that software version and use them to compromise the application.
Second, this operational success is often undermined by logistical delays before testing even begins. A staggering 65% of organizations report that pentest scheduling has delayed critical security, compliance, or business initiatives. When you're already slow to remediate, adding scheduling bottlenecks only exacerbates the risk.
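To make the two metrics in Findings #2 and #3 concrete, here is an added example (not code from the report or from Cobalt) that computes a remediation half-life, critical-asset SLA compliance, and the accumulated security debt from a constructed set of finding records; the record format, the 14-day SLA window and the sample dates are assumptions for illustration.

```python
from datetime import date

# Constructed sample of serious pentest findings (illustrative, not report data):
# (opened, closed or None if still unresolved, asset is business-critical?)
AS_OF = date(2025, 9, 30)
FINDINGS = [
    (date(2025, 1, 6),  date(2025, 1, 15), True),
    (date(2025, 1, 20), date(2025, 1, 30), True),
    (date(2025, 2, 3),  date(2025, 2, 20), True),
    (date(2025, 2, 10), date(2025, 4, 1),  False),
    (date(2025, 3, 3),  date(2025, 8, 15), False),
    (date(2025, 3, 17), None,              False),
    (date(2025, 4, 7),  None,              False),
    (date(2025, 5, 12), date(2025, 5, 20), True),
    (date(2025, 6, 2),  None,              False),
    (date(2025, 6, 23), date(2025, 9, 1),  False),
]

def days_open(opened, closed, as_of=AS_OF):
    """Age of a finding in days: to its close date, or to as_of if still open."""
    return ((closed or as_of) - opened).days

def remediation_half_life(findings, as_of=AS_OF):
    """Days after opening by which at least half of the findings were closed.
    Still-open findings count as unresolved (conservative: we cannot know when
    they will close). Returns None if fewer than half are closed as of `as_of`,
    i.e. the half-life has not been reached yet."""
    ages_closed = sorted(days_open(o, c, as_of) for o, c, _ in findings if c)
    k = (len(findings) + 1) // 2          # the k-th closure resolves 50%
    return ages_closed[k - 1] if len(ages_closed) >= k else None

def sla_compliance(findings, sla_days=14, as_of=AS_OF):
    """Share of business-critical findings closed within the SLA window."""
    critical = [(o, c) for o, c, is_crit in findings if is_crit]
    met = sum(1 for o, c in critical if c and (c - o).days <= sla_days)
    return met / len(critical) if critical else None

def security_debt(findings, as_of=AS_OF):
    """Open findings: count, age of the oldest, and total accumulated finding-days."""
    ages = [days_open(o, None, as_of) for o, c, _ in findings if c is None]
    return {"open": len(ages), "oldest_days": max(ages, default=0),
            "finding_days": sum(ages)}

def expected_unresolved_fraction(days, half_life=244):
    """Fraction of a cohort still unresolved after `days` if closures decay
    exponentially with the given half-life (the report's 244 days)."""
    return 0.5 ** (days / half_life)
```

On this sample every critical-asset fix but one lands inside the SLA, yet the half-life across all serious findings is 50 days and three non-critical findings have accumulated 493 finding-days of open exposure, which is the paradox the report describes.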
As one of our customers in the health and wellness space noted, speed and integration are paramount:
“Cobalt has sped up our pentesting process by an exponential amount and allowed us to integrate directly into internal tracking systems to ensure that everything is handled promptly.”
Finding #4: AI and data exposure top the list of leadership concerns
Looking ahead, healthcare leaders are concerned about emerging threats. Generative AI is seen as a top IT risk by 71% of leaders. Their primary worry? Data exposure, a concern for 46% of practitioners. In an industry governed by the strict data protection rules of HIPAA, the potential for AI tools to leak sensitive patient information is a massive strategic risk.
Protecting this data is the ultimate goal. As the director of cloud security at another one of our healthtech customers states:
“These tests allow us to bolster our application security and be true to our customers when it comes to protecting their sensitive data.”
Why Is Healthcare Slow to Remediate?
The report suggests several factors may contribute to healthcare's remediation struggles.
- Organizational silos: Often, the compliance or security teams ordering pentests are disconnected from the development teams tasked with implementing fixes, leading to communication gaps and delays.
- Technical and resource constraints: Many organizations we work with are saddled by legacy systems, accumulated tech debt, and resource constraints that make swift remediation difficult.
- The compliance conundrum: A compliance-driven mindset can lead teams to prioritize fixing only the specific, business-critical assets governed by SLAs, while other significant vulnerabilities are pushed to the back burner, adding to the security debt.
A Guide to Action: Strategic Recommendations
Understanding these challenges is the first step. Taking action is the next. Here are four strategic recommendations for healthcare CISOs and security leaders based on our findings.
1. Adopt a programmatic approach to offensive security
Move beyond ad-hoc, compliance-driven testing. A structured, programmatic approach provides continuous visibility into your risk posture, which is essential for managing and paying down a long-term security debt. As one of our customers explains:
“Cobalt’s platform makes managing our pentests incredibly easy. Their programmatic approach to pentesting allows us to clearly understand how to allocate resources and the resulting scope of testing.”
2. Mandate and scrutinize third-party pentesting
With 68% of leaders concerned about third-party software as an attack vector, it's time to hold your vendors to a higher standard. Require comprehensive pentesting reports from vendors before procurement to ensure their security posture meets your standards.
3. Proactively test for AI vulnerabilities
With genAI being a top IT risk concern for 71% of leaders, you cannot afford to be reactive. Proactively test new AI applications and LLMs to identify and mitigate risks, such as data exposure and model poisoning, before they can impact your organization or patients.
4. Conduct red team exercises
To truly understand your defensive capabilities, you must simulate real-world attacks. Red team exercises go beyond standard pentesting to test your organization’s detection and response capabilities against advanced attack scenarios, providing invaluable insights into where your true weaknesses lie.
From Reactive to Proactive
The healthcare industry is at a crossroads. While its strength in proactive prevention is a solid foundation, the dangerous lag in remediation—compounded by scheduling delays—is creating a backlog of risk that can no longer be ignored.
The path forward requires a shift in mindset. It’s time to move beyond using pentesting as a compliance checkbox and embrace it as a strategic tool for continuous risk reduction. For healthcare leaders, adopting a more strategic, programmatic approach isn't just an IT imperative—it's fundamental to ensuring patient safety and maintaining trust.