Top Vulnerability Management Challenges

Healthcare leaders report: 

• • Limited budget and staffing 
  • Outdated or unsupported systems 
  • High volumes of vulnerabilities 
  • Difficulty prioritizing risk 
  • Patch testing and deployment delays 

The imbalance: vulnerabilities are discovered faster than they can be remediated. 

Scanning Alone Isn’t Enough

Most organizations reported scanning weekly or quarterly, with some scanning continuously. While frequent scanning is important, the survey suggests that scanning alone does not equate to improved security outcomes. High-frequency scans can overwhelm teams if results are not actionable or aligned with clinical realities.

Reality: More scanning does not equal less risk if findings make more noise and are not clearly prioritized based on external and internal risk parameters. 

The Biggest Gap: Unifying IT & Medical Device Vulnerability Programs  

Only 36% of respondents reported fully integrated IT and medical/IoT vulnerability management programs. Nearly half said their programs were only partially integrated. One in five acknowledged little to no integration at all.

Key barriers: 

• • Medical device patching limitations 
  • No unified asset inventory 
  • IT and clinical engineering silos 
  • Limited remediation resources

Confidence Is Cautious

When it comes to identifying and addressing high-risk vulnerabilities confidence is moderate – but fragile. 

• • 84% are somewhat confident 
  • Only 8% are very confident

Healthcare leaders believe their programs work under normal conditions—but are stressed by zero-days, ransomware, and urgent vendor disclosures. 

What Will Close the Gap

Healthcare leaders say prioritizing these actions will improve outcomes:

• Look to create a single, unified asset inventory
• Unify vulnerability management with tools spanning IT and medical devices
• Create a formal cross-department governance to educate on risk and risk remediation actions
• This problem is not declining so find a way to optimize and increase remediation resource effectiveness
• Collectively work for greater vendor accountability

Navigating a Path Forward

Healthcare organizations are under mounting pressure to manage cybersecurity vulnerabilities across an increasingly complex technology ecosystem. Traditional IT environments now coexist with cloud platforms, cyber-physical systems, and thousands of network-connected medical devices—many of which were never designed with modern cybersecurity threats in mind. 

The CHIME findings highlight a dangerous imbalance. Healthcare organizations are discovering vulnerabilities faster than they can reasonably assess or remediate them—especially when clinical constraints limit patching or downtime. Traditional scan-and-patch models struggle in environments where patient care cannot be interrupted. 

The CHIME survey makes one thing clear: healthcare organizations understand the risk—but need help operationalizing solutions at scale. Vulnerability management must evolve from a reactive, resource-draining process into a proactive, continuously improving risk management program. 

Vulnerability Management as a Program, not a Project

To reduce risk at scale, vulnerability management needs to evolve because business constraints and complexity is not decreasing.

Advancing risk-driven vulnerability management and remediation starts with an approach that supports faster response, better prioritization, and stronger alignment with patient care. This is not about a new initiative or a project, but an ongoing program that is consistent and continually taking advantage of the latest threat intelligence, both externally and internally derived, based on operational and patient care risks. 

Healthcare environments are complex and diverse, meaning vulnerability scanning, prioritization, and remediation likely occupy a significant portion of weekly IT effort.  

According to reports by the Department of Health and Human Services in partnership with the Health Sector Coordinating Council, Hospital Resiliency Landscape Analysis:

• “The use of antiquated hardware, systems, and software by hospitals is concerning — 96% of small, medium, and large sized hospitals claim they were operating with end-of-life operating systems or software with known vulnerabilities, which is inclusive of medical devices.”

• Despite regular scanning, only 53% of surveyed hospitals stated they have a documented plan for addressing the vulnerabilities identified — indicating that scanning alone isn’t sufficient without a corresponding remediation process.

Without exception, vulnerability management continues to grow in complexity across those that provide healthcare to patients and those supporting care delivery and management through specialized technology and business services. With one of the most complex, interconnected technology landscapes and service constraints that require a cautious approach to vulnerability remediation so as to not disrupt patient care or vital services. Vulnerability management in healthcare is an increasingly challenging task. Healthcare environments create a vast attack surface that requires constant risk management.