Healthcare is a leader in preventing serious vulnerabilities but lags in remediation speed, leaving risks unresolved longer than most industries
San Francisco, CA, Sep 3, 2025 – Cobalt, the pioneer of penetration testing as a service (PTaaS) and leader in offensive security services, today released its State of Pentesting in Healthcare 2025. Drawing on a decade of pentesting data across 13 industries, along with survey insights from healthcare leaders, the report reveals a paradox: healthcare organizations are relatively strong at preventing serious vulnerabilities, but among the slowest to remediate them, leaving many vulnerabilities unresolved and sensitive data exposed for weeks or months.
Pentest performance benchmarks
The Cobalt analysis tracked four key metrics—frequency of serious vulnerabilities, resolution rate, median time to resolve (MTTR), and half-life of unresolved findings (the time to resolve 50% or more of findings). Healthcare’s performance shows a mix of strengths and weaknesses:
- Lower rate of serious findings: Just 13.3% of healthcare pentest findings qualify as “serious,” ranking 6th-best out of 13 industries.
- Lagging resolution rates: Healthcare resolved only 57.4% of serious findings, ranking 11th of 13 industries. By comparison, transportation led with 80.2%.
- Extended resolution timelines: Healthcare’s median time to resolve serious findings was 58 days, ranking 10th of 13 industries. Hospitality led with 20 days.
- Long half-life of unresolved issues: Healthcare’s half-life, for serious findings was 244 days, ranking 11th of 13 industries, far behind transportation at 43 days.
These results place healthcare in the “Struggling” quadrant of the comparative framework—an industry with relatively low prevalence of serious findings but consistently slow remediation. This lag leaves vulnerabilities exposed for months, increasing compliance risks and creating dangerous entry points for attackers.
Healthcare usually meets SLA deadlines for business-critical assets
Despite lagging resolution speed overall, most healthcare organizations succeed in fixing the most critical issues on time. Nearly 40% of healthcare SLAs require serious findings in business-critical assets to be fixed within three days, and another 40% require resolution within four to 14 days. In practice, most organizations meet these deadlines:
- 43% resolve critical findings in one to three days
- 37% resolve within four to seven days 1
- 4% resolve within eight to 14 days
This shows that, while healthcare’s backlog accumulates in less urgent areas, teams prioritize and act quickly when business-critical assets are at stake. Healthcare leaders also cited genAI (71%) and third-party software (68%) as their top risks, alongside concerns about data exposure, insider threats, and phishing. These concerns highlight the expanding complexity of healthcare’s risk surface, where genAI, software supply chain, and insider threats converge to challenge traditional security programs.
“The healthcare industry has made progress in reducing the overall frequency of critical vulnerabilities, but delays in remediation create a dangerous window of exposure,” said Gunter Ollmann, CTO at Cobalt. “Our survey data shows that leaders are most worried about genAI and third-party software risk, yet their ability to resolve vulnerabilities lags behind. This gap is especially alarming given the ongoing wave of ransomware attacks targeting healthcare—such as the 2025 breach at DaVita, where over 900,000 patients' personal and clinical data were compromised. The takeaway is clear: prevention alone isn’t enough—healthcare must close the remediation gap and address structural barriers like scheduling delays if it wants to safeguard patient trust and maintain compliance.”
The report underscores the importance of embedding offensive security into compliance and development workflows. By simulating real-world attacker behavior and continuously testing environments, penetration testing helps healthcare organizations reduce backlog, shorten resolution timelines, and address both emerging AI-driven risks and long-standing software supply chain vulnerabilities.
Methodology
The findings in the State of Pentesting in Healthcare 2025 is based on 10 years of Cobalt pentesting data, and data from Emerald Research, an independent third-party research firm, sponsored by Cobalt. The survey included 500 respondents, consisting of security leaders, defined as a mix of C-level and VP-level security professionals, and security practitioners, representing organizations with 500 to 10,000 employees.
Additional Resources:
- Read the State of Pentesting in Healthcare 2025
- Read the State of Pentesting in Healthcare 2025 Blog
- Read the CISO Perspectives Report 2025
- Read the State of LLM Security Report
- Read the Cobalt State of Pentesting Report 2025
About Cobalt
Cobalt is the pioneer in pentesting as a service (PTaaS) and a leader in offensive security services. We are focused on combining talent and technology with speed, scalability, and expertise. Thousands of customers and hundreds of partners rely on the Cobalt Offensive Security Platform, along with 450+ trusted security experts, to find and fix vulnerabilities across their environments. By enabling faster pentest launches, real-time collaboration with pentesters, and seamless integration with remediation workflows, we help organizations identify critical issues and accelerate risk mitigation so they can operate fearlessly and innovate securely.
Cobalt maintains an outstanding NPS of 9.12, reflecting its dedication to customer satisfaction. Read our reviews on G2 to see why customers love us. More at https://www.cobalt.io/. Follow Cobalt on LinkedIn and X.
Media Contact:
Leslie Kesselring
Kesselring Communication for Cobalt
leslie@kesscomm.com
