Report by Cobalt
State of Pentesting in Healthcare 2025
Key Findings
Healthcare resolved only 57.4% of serious pen test findings. This ranks healthcare 11th of 13 industries. By comparison, transportation led with 80.2%.
71% of healthcare leaders cited GenAI as the top risk.
14% of healthcare organizations resolve critical findings in business-critical assets within eight to 14 days.
68% of healthcare leaders cited third-party software as the top risk.
The 2025 breach at DaVita compromised over 900,000 patients' personal and clinical data.
Just 13.3% of healthcare pentest findings qualify as “serious”. This ranks healthcare 6th-best out of 13 industries.
43% of healthcare organizations resolve critical findings in business-critical assets in one to three days.
Healthcare’s half-life for serious pen test findings was 244 days. This ranks healthcare 11th of 13 industries. Transportation had a half-life of 43 days.
Healthcare’s median time to resolve serious pen test findings was 58 days. This ranks healthcare 10th of 13 industries. Hospitality led with 20 days.
Nearly 40% of healthcare SLAs require serious findings in business-critical assets to be fixed within three days. Another 40% require resolution within four to 14 days.
37% of healthcare organizations resolve critical findings in business-critical assets within four to seven days.