Healthcare Resolves Less Than Two-Thirds of “Serious” Security Findings

A report by Cobalt found that while healthcare organizations have strong security incident protections, they often struggle with remediation after an incident. The report found that 13.3% of healthcare pentest findings qualify as “serious,” ranking 6th-best out of 13 industries.
Healthcare resolved 57.4% of serious findings, ranking 11th of 13 industries. By comparison, transportation led with 80.2%. Additionally, healthcare’s median time to resolve serious findings was 58 days, ranking 10th of 13 industries. Hospitality led with 20 days. Healthcare’s half-life for serious findings was 244 days, ranking 11th of 13 industries, far behind transportation at 43 days.
These results place healthcare in the “Struggling” quadrant of the comparative framework — an industry with relatively low prevalence of serious findings but consistently slow remediation. This lag leaves vulnerabilities exposed for months, increasing compliance risks and creating dangerous entry points for attackers.
Despite lagging resolution speed overall, most healthcare organizations succeed in fixing the most critical issues on time. Nearly 40% of healthcare SLAs require serious findings in business-critical assets to be fixed within three days, and another 40% require resolution within four to 14 days. In practice, most organizations meet these deadlines:
- 43% resolve critical findings in one to three days
- 37% resolve within four to seven days
- 14% resolve within eight to 14 days
Healthcare leaders also cited generative AI (71%) and third-party software (68%) as their top risks, alongside concerns about data exposure, insider threats, and phishing. These concerns highlight the expanding complexity of healthcare’s risk surface, where genAI, software supply chain, and insider threats converge to challenge traditional security programs.







