37% of healthcare organizations resolve critical findings in business-critical assets within four to seven days.

Nearly 40% of healthcare SLAs require serious findings in business-critical assets to be fixed within three days. Another 40% require resolution within four to 14 days.

14% of healthcare organizations resolve critical findings in business-critical within eight to 14 days.

71% of healthcare leaders cited GenAI as the top risk.

Just 13.3% of healthcare pentest findings qualify as “serious”. This ranks healthcare 6th-best out of 13 industries.

Healthcare’s median time to resolve serious pen test findings was 58 days. This ranks healthcare 10th of 13 industries. Hospitality led with 20 days.

68% of healthcare leaders cited third-party software as the top risk.

Healthcare’s half-life for serious pen test findings was 244 days. This ranks healthcare 11th of 13 industries. Transportation had a half-life of 43 days.

Healthcare expects a 53% rise in insider threats.

43% of small healthcare organisations reported experiencing a phishing or spoofing incident in the past year.

Nearly half of healthcare email breaches stem from Microsoft 365 alone.

"Small" violations can cost healthcare practices anywhere from $25,000 to $9.76 million per incident.

64% of small healthcare practices believe patient portals are required for HIPAA compliance.

Over 90% of U.S. healthcare providers operate as small organisations.

About 50% of small healthcare organisations lack anti-phishing controls beyond default spam filters.

One-third of small healthcare practices report not having enough time for compliance tasks.

Salud Family Health had a phishing attack exposing 80,000+ records.

Solara Medical faced a $9.76 million class-action settlement following a phishing attack.

98% of small healthcare practices claim their platforms "encrypt emails by default".

Sunrise Community Health experienced an email compromise affecting 54,000+ patients.