Skip to main content
CybersecurityVulnerability Management

Vulnerability management: Must-Have Fixes for Risky Lag

Vulnerability management: Must-Have Fixes for Risky Lag

What happens when the systems that keep hospitals running take nearly two months to patch a serious security flaw? Patients expect uninterrupted care; clinicians expect reliable devices and instant access to records; administrators expect uptime; attackers see an open invitation.

A new study from Cobalt reports that healthcare organizations take an average of 58 days to resolve serious vulnerabilities — among the slowest of any industry measured. That statistic matters not just because of its scale, but because of what it reveals: critical medical devices, electronic health records, and connected systems operating with known weaknesses for weeks, if not months. Those windows of exposure are precisely what threat actors hunt for.

Vulnerability management: why the healthcare lag exists
Vulnerability management is a routine, well-defined discipline in many sectors: discover, prioritize, patch, and verify. In healthcare, however, that cycle is frequently disrupted by competing imperatives. Clinicians require continuous access to patient data and devices; compliance teams insist on strict change control; device vendors warn about unintended consequences when firmware or software is updated. The result is a large and dangerous gap between awareness of a flaw and its remediation.

Several structural realities make healthcare particularly vulnerable:
– Complex, heterogeneous environments: Hospitals run a sprawling mix of legacy IT, bespoke clinical applications, and specialized devices — from infusion pumps to MRI machines — many built before modern security practices were standard. Updating them often means coordinating across multiple vendors and clinical teams.
– Long device lifecycles and supplier constraints: Medical equipment can remain in service for a decade or more. Vendors may be slow to release patches, or older models may no longer be supported, forcing hospitals to choose between risky updates and continued exposure.
– Operational risk aversion: Patient safety comes first. Hospitals often delay patches until exhaustive clinical testing can confirm there’s no negative impact on device behavior or care delivery.
– Chronic underinvestment and workforce shortages: Security budgets and cybersecurity staffing frequently lag behind expanding attack surfaces and regulatory demands, making timely triage and remediation difficult.

Why 58 days is a measurement of risk, not just a statistic
Known vulnerabilities represent the most straightforward path for attackers. Ransomware groups and organized cybercriminals disproportionately target healthcare because disruptions attract urgent attention and can yield higher ransom payments or other payoffs. When a serious vulnerability remains unpatched for weeks, it dramatically widens the window of opportunity for exploitation and increases the potential for patient harm, privacy breaches, and costly operational downtime.

Practical steps to improve vulnerability management in healthcare
Technologists and security leaders point to a set of practical, proven measures that can shrink mean time to remediation without compromising patient safety:
– Risk-based prioritization: Use contextual scoring to prioritize fixes that present the highest patient safety and operational risk rather than treating every vulnerability equally.
– Segmentation and isolation: Microsegmentation and network separation for medical devices reduce the “blast radius,” allowing some systems to remain protected even if others are vulnerable.
– Automated patch orchestration where possible: Automation can accelerate routine updates and reduce human error, especially for standard IT systems that aren’t tightly coupled to clinical workflows.
– Stronger vendor collaboration: Establishing joint testing and deployment pipelines with device manufacturers enables faster, safer updates that respect clinical safety requirements.
– Vulnerability disclosure and bug bounty programs: These incentivize external researchers to report flaws responsibly, accelerating triage and remediation.

Policy, funding, and the role of regulators
Regulators are moving toward stricter cybersecurity expectations — for example, FDA guidance on postmarket cybersecurity for medical devices and various national healthcare cybersecurity directives. But rules alone don’t provide the funding or talent pipelines necessary to implement them. Policymakers and healthcare funders must weigh targeted grants, incentives, or reimbursement levers to help smaller and rural providers modernize systems and close security gaps.

Trade-offs and the reality of implementation
The path forward involves trade-offs. Rapid, automated patching without proper testing risks device malfunction and patient safety. Tight budgets constrain technology upgrades. Small providers often lack bargaining power to compel timely vendor fixes. As a result, the 58-day average reflects a network of competing priorities rather than a single, easily fixed failure.

Patients, clinicians, and the human cost
Clinicians can lose trust in IT when security measures disrupt workflow; patients face privacy breaches, care interruptions, and in the worst cases, compromised safety if medical devices behave unpredictably after exploitation. These stakes transform vulnerability management from an IT problem into a clinical and organizational imperative.

Conclusion: make vulnerability management a clinical priority
Vulnerability management cannot remain an afterthought in healthcare. As systems become more digital and interconnected, the tolerance for weeks-long remediation windows shrinks. Hospitals, vendors, and policymakers must work together to reconcile safety, usability, and security so fixes happen far faster than 58 days. Reducing that window is essential to protecting patient care, maintaining trust in clinical technology, and denying attackers the low-hanging fruit they currently exploit.