
Gaps in healthcare vulnerability management persist

New benchmarking data can help security practitioners identify gaps in healthcare vulnerability management and make the case for a proactive versus reactive approach to managing vulnerabilities.

Healthcare vulnerability management remains a challenge for security teams as they grapple with increasingly complex and interconnected environments. Healthcare organizations must prioritize vulnerability management as part of their overarching risk management strategies, healthcare cybersecurity vendor Clearwater suggested in its benchmark report on the subject.

Clearwater's benchmark report consisted of data from its security operations center and managed security platform collected from August 2024 to January 2025. The results showed that nearly three out of every five analyzed assets had a critical vulnerability.

Specifically, the report analyzed asset growth and vulnerabilities across three market segments:

  • Healthcare software, analytics and business services that offer specialized software and services to support healthcare providers.
  • Physician, dental and specialty practice clinics representing small and large practices.
  • Healthcare centers and surgical hospitals, including rural and critical access hospitals.

Over the six-month period, the average number of vulnerabilities per asset differed markedly between the market segments, and in two of the three it shifted noticeably between August and January.

The healthcare software, analytics and business services segment started the reporting period with the highest average number of vulnerabilities per asset (13.2). But by January, this segment's average number of vulnerabilities dropped to 8.16.

"This is partly because they have a lower asset count to manage, and we noted that their security and IT teams could react faster to vulnerability findings and remediation prioritization than those in other segments," the report stated.

Numbers moved in the opposite direction for physician, dental and specialty practice clinics, where the average rose from 2.9 vulnerabilities per asset in August 2024 to 7.01 in January 2025.

Meanwhile, healthcare centers and surgical hospitals stayed steady throughout the reporting period. The report noted that this segment is subject to strict change control when remediating vulnerabilities to avoid service disruptions, making it difficult to reduce the vulnerability count meaningfully.

"Healthcare environments create a vast attack surface that requires constant risk management. Cyberattacks targeting sensitive health data, aiming to disrupt patient care or infiltrate a healthcare supply chain, rely on vulnerability exposures to facilitate their tactics," Steve Akers, Clearwater's corporate chief information security officer, said in an accompanying press release.

"Security leaders in healthcare are keen to know where they stand as compared to like organizations when it comes to vulnerability management, whether it is performed in-house or with a managed security service provider."

Clearwater recommended prioritizing routine vulnerability scanning and aligning vulnerability remediation to organizational risk.

"Every organization is unique. The same vulnerability on a similar system could represent a very different exposure risk, even within the same healthcare segment and similar organizations," the report noted.

"A risk-based approach must look at the function the vulnerable asset performs for the business, what type of data or processes could be exposed, and whether constraints prevent immediate remediation or if there are compensating security controls that can be leveraged to mitigate the vulnerability risk."

An April 2025 report by security vendor Black Kite came to similar conclusions based on its analysis of more than 1,000 vulnerabilities. The report stated that 2024 saw a 38% year-over-year increase in Common Vulnerabilities and Exposures (CVEs).

Researchers posited that simply knowing which vulnerabilities exist is not enough. There are too many vulnerabilities to address them all, and not all of them pose the same level of risk to every organization. In fact, threat actors tend to exploit widespread vulnerabilities that are relatively easy to weaponize, rather than those that require high attack complexity.

As such, security practitioners need actionable insight into which vulnerabilities are likely to impact their specific environments and supply chains so they can act accordingly. Black Kite suggested that organizations take a risk management approach that considers factors like supply chain risk, exploitability and vendor exposure holistically.

Rather than taking a reactive approach to vulnerability management, experts suggest proactive, risk-informed prioritization of cybersecurity vulnerabilities.
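The risk-based approach described in the Clearwater and Black Kite guidance above (asset function, data exposed, exploitability, remediation constraints and compensating controls) can be made concrete as a small prioritization routine. The following is an added illustration, not code or a scoring model from either vendor's report; the weights, asset names, vulnerability labels and findings are constructed placeholders chosen to show how the same vulnerability on two different systems lands at different priorities.

```python
"""Risk-based vulnerability prioritization (added illustration, not Clearwater's
or Black Kite's method). Scores a scan finding by combining severity and
exploitability with what the affected asset does, what data it holds, how
reachable it is, and which constraints or compensating controls apply.
All weights, asset names and vulnerability labels are constructed placeholders."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    function: str                   # what the asset does for the business
    criticality: int                # 1 (incidental) .. 5 (patient care depends on it)
    data_sensitivity: int           # 1 (no sensitive data) .. 5 (ePHI at scale)
    internet_exposed: bool
    strict_change_control: bool     # remediation must wait for a change window
    compensating_controls: list[str] = field(default_factory=list)


@dataclass
class Finding:
    vuln_id: str            # placeholder label, not a real CVE identifier
    asset: Asset
    cvss: float             # base severity, 0.0 .. 10.0
    known_exploited: bool   # e.g. listed in an exploited-in-the-wild catalogue
    weaponization: str      # "easy" or "hard" to turn into a working exploit


def exploit_factor(f: Finding) -> float:
    """Weight severity by how likely the bug is to actually be used (assumed weights)."""
    if f.known_exploited:
        return 1.5
    return 1.2 if f.weaponization == "easy" else 0.8


def exposure_factor(a: Asset) -> float:
    """Weight by business role, the data behind the asset, and reachability."""
    return 1.0 + 0.1 * (a.criticality + a.data_sensitivity) + (0.5 if a.internet_exposed else 0.0)


def control_factor(a: Asset) -> float:
    """Each compensating control (WAF, segmentation, ...) discounts risk by 20%."""
    return 0.8 ** len(a.compensating_controls)


def risk_score(f: Finding) -> float:
    """Environment-specific risk: the same CVSS yields different scores per asset."""
    return round(f.cvss * exploit_factor(f) * exposure_factor(f.asset) * control_factor(f.asset), 1)


def recommended_action(f: Finding, score: float) -> str:
    """Turn the score into a remediation decision that respects operational constraints."""
    if score >= 20:
        if f.asset.strict_change_control:
            return "raise emergency change; segment or restrict access until patched"
        return "patch immediately"
    if score >= 10:
        return "schedule for the next maintenance window"
    return "track and patch in the routine cycle"


def prioritize(findings: list[Finding]) -> list[dict]:
    """Return findings ranked by risk, highest first, with the action for each."""
    ranked = []
    for f in findings:
        s = risk_score(f)
        ranked.append({"vuln": f.vuln_id, "asset": f.asset.name,
                       "score": s, "action": recommended_action(f, s)})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


def sample_findings() -> list[Finding]:
    """Constructed sample data: one vulnerability on two assets, plus a second one."""
    ehr_db = Asset("ehr-db", "clinical records database", criticality=5, data_sensitivity=5,
                   internet_exposed=False, strict_change_control=True)
    kiosk = Asset("patient-kiosk", "lobby check-in kiosk", criticality=2, data_sensitivity=1,
                  internet_exposed=True, strict_change_control=False,
                  compensating_controls=["web application firewall"])
    billing = Asset("billing-portal", "claims submission portal", criticality=3, data_sensitivity=4,
                    internet_exposed=True, strict_change_control=False)
    return [
        Finding("VULN-A", ehr_db, cvss=9.8, known_exploited=True, weaponization="easy"),
        Finding("VULN-A", kiosk, cvss=9.8, known_exploited=True, weaponization="easy"),
        Finding("VULN-B", billing, cvss=7.5, known_exploited=False, weaponization="hard"),
    ]


if __name__ == "__main__":
    for row in prioritize(sample_findings()):
        print(f"{row['score']:5.1f}  {row['vuln']:<7} {row['asset']:<15} {row['action']}")
```

Running it ranks the same placeholder vulnerability higher on the records database than on the kiosk, even though the CVSS score is identical, and recommends an emergency change plus interim segmentation for the database because its strict change control rules out an immediate patch. The weights are deliberately simple; in practice they would be set from the organization's own risk register and threat intelligence.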

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
