The healthcare and pharmaceutical industries are not adequately patching software, leaving their systems vulnerable to attack, according to a recent survey conducted by the Ponemon Institute in Traverse City, MI.
The survey involved 3,000 security professionals from a range of industry sectors and countries. It revealed that 57% of respondents had experienced at least one data breach where access to the network was gained by exploiting a vulnerability for which a patch had previously been released.
However, one-third said that they were aware of the vulnerability before the breach and knew that a patch was available to fix it. Two-thirds of those surveyed did not know they were vulnerable to attack.
“Even though there is a considerable risk of vulnerabilities being exploited, 37% of respondents said they do not scan for vulnerabilities and therefore cannot be sure all vulnerabilities are identified and addressed,” according to the report. “The healthcare and pharmaceutical industries were slightly better than average, although 28% of IT security professionals from those industries said vulnerability scanning was not performed.”
“Sixty-five percent of cybersecurity professionals said they find it difficult to prioritize patching and determine what software should be patched first,” the report authors added. “Sixty-one percent said manual processes were putting them at a disadvantage when patching vulnerabilities, and an average of 12 days were being lost coordinating patching activities across teams.”
Of the security professionals who knew there was a patch available, 75% said the delay in patching vulnerabilities was due to a shortage of staff. Even with an average of 321 hours a week spent on vulnerability management, medium- to low-priority patches still take eight weeks or longer to be applied, the survey found.
“Companies that avoided breaches rated their ability to patch vulnerabilities in a timely manner 41% higher than those that had been breached, and they rated their ability to detect vulnerabilities 19% higher,” the report says. “Patching is the most significant characteristic of companies that were not breached in the last two years.”
Sixty percent of the survey respondents said they were planning to hire more IT specialists to address vulnerabilities.
The report is available online at: https://bit.ly/2q4MwGi.