The health care sector is generally good at finding and preventing serious cybersecurity vulnerabilities, but it underperforms in remediating those vulnerabilities, a new report from penetration testing firm Cobalt shows.
Cobalt analyzed pentesting data from the past decade and survey responses from 500 security leaders and practitioners to shed light on health care's security posture. Pentesting, a simulated cyberattack carried out with the organization's consent, is a key proactive cybersecurity measure that organizations can take to identify and address vulnerabilities before real attackers exploit them.
Researchers found that health care ranked sixth out of 13 industries in preventing serious vulnerabilities, and serious vulnerabilities only made up about 13% of all health care vulnerability findings.
"Regulatory pressure may help explain the low prevalence of serious findings in the health care industry," the report stated. "Rules such as the Health Insurance Portability and Accountability Act (HIPAA) have forced health care organizations to protect patient data by proactively assessing risk and preventing vulnerabilities."
However, health care had a 57% resolution rate for serious findings, ranking 11th out of 13 industries. Additionally, health care had a 58-day median time to resolve (MTTR) serious findings and a 244-day half-life for serious findings.
"Health care organizations' low resolution rate is compounded by longer times to resolve findings they actually fix," the report stated, noting that health care had the fourth-highest MTTR of all the studied industries.
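The three remediation metrics the report cites (resolution rate, median time to resolve, and half-life) are easy to misread, so here is an added example, not from Cobalt's report, that computes them from a constructed set of pentest findings. The half-life definition used here (the age at which half of all serious findings, open ones included, have been closed) and the severity labels are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional

SERIOUS = ("critical", "high")  # assumed mapping of "serious" to severity labels

@dataclass
class Finding:
    finding_id: str
    severity: str
    opened: date
    resolved: Optional[date]  # None while the finding is still open

def serious(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.severity in SERIOUS]

def resolution_rate(findings: List[Finding]) -> float:
    """Share of serious findings that have been closed (0.0 when none exist)."""
    fs = serious(findings)
    return sum(1 for f in fs if f.resolved) / len(fs) if fs else 0.0

def median_time_to_resolve(findings: List[Finding]) -> Optional[float]:
    """MTTR: median age in days of the serious findings that were actually fixed.
    Open findings are excluded, which is why a low resolution rate can hide
    behind a respectable MTTR."""
    days = [(f.resolved - f.opened).days for f in serious(findings) if f.resolved]
    return median(days) if days else None

def half_life(findings: List[Finding]) -> Optional[int]:
    """Age in days by which at least half of ALL serious findings were closed,
    or None if the team never got that far. Unlike MTTR, open findings count."""
    fs = serious(findings)
    ages = sorted((f.resolved - f.opened).days for f in fs if f.resolved)
    needed = -(-len(fs) // 2)  # ceil(n / 2) findings must be closed
    return ages[needed - 1] if needed and len(ages) >= needed else None

# Constructed sample: eight serious findings opened on the same day, five closed.
SAMPLE = [
    Finding("F-1", "critical", date(2024, 1, 1), date(2024, 1, 11)),  # 10 days
    Finding("F-2", "high", date(2024, 1, 1), date(2024, 1, 31)),      # 30 days
    Finding("F-3", "high", date(2024, 1, 1), date(2024, 2, 28)),      # 58 days
    Finding("F-4", "critical", date(2024, 1, 1), date(2024, 3, 31)),  # 90 days
    Finding("F-5", "high", date(2024, 1, 1), date(2024, 4, 30)),      # 120 days
    Finding("F-6", "high", date(2024, 1, 1), None),
    Finding("F-7", "critical", date(2024, 1, 1), None),
    Finding("F-8", "high", date(2024, 1, 1), None),
    Finding("F-9", "low", date(2024, 1, 1), None),  # not serious, ignored
]
```

Running the three functions over `SAMPLE` gives a 62.5% resolution rate, a 58-day MTTR, and a 90-day half-life; the half-life exceeds the MTTR precisely because the three open findings are counted against it.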
While health care pentesting results showed fewer serious findings than other industries, serious findings that are left unresolved for long periods still leave health care data exposed.
Cobalt attributed the low resolution rates to potential divisions between departments ordering pentests and teams implementing fixes, technology roadblocks, resource constraints and the difficulties less mature teams face when managing complex remediations.
Although pentesting is a recognized cybersecurity best practice, 65% of respondents said that pentest scheduling has been "occasionally or frequently delayed by security, compliance or business initiatives."
Although health care has slow vulnerability resolution times, Cobalt found that most health care organizations typically manage to meet remediation deadlines specified by their service level agreements. About 94% of respondents reported fixing serious findings in business-critical assets within two weeks.
Overall, the data suggests that health care organizations must focus on maintaining their strength in preventing serious vulnerabilities while making efforts to improve remediation processes and timelines.