The penetration test is complete. The report is in. And somewhere in a hospital’s IT department, a 200-page PDF is slowly gathering digital dust.
This is not a hypothetical. It is, according to Dan DeCloss, the norm.
DeCloss is the founder and Chief Customer & Brand Officer at PlexTrac, an exposure assessment platform built around a problem he knows from the inside. Before launching the company, he spent years in security leadership roles at Mayo Clinic and Anthem, sitting on both the generating and receiving ends of vulnerability reports. He watched good assessments go nowhere. He understands exactly why.
“The findings were never the hard part,” he explains. “But when somebody hands you a 200-page report, then what? When I was in security leadership roles, no one was giving me extra headcount to work through all of it.”
Healthcare organizations have gotten reasonably good at finding cybersecurity vulnerabilities. Remediation is another story.
The Handoff Problem
The breakdown, DeCloss notes, is almost always structural rather than technical. A vulnerability scan or penetration test produces a list. That list goes into a PDF or a spreadsheet. And then, absent a clear path from discovery to resolution, it stalls.
“The people who found the problem are frequently not the people who fix it,” he says, “and the people who fix it have a day job keeping clinical systems running.”
The result is a familiar organizational failure: three teams each assuming one of the other two has ownership. A vulnerability that gets emailed around, dropped into a ticket, and never definitively assigned. DeCloss argues that the fix is less about org-chart restructuring than workflow design.
“Every finding needs to be treated like it carries a paper trail,” he adds. “You have one single record per finding, with a named owner and a history that runs from the day it was discovered on through the day someone confirms it’s closed. No more arguments about whose job it was — the record has already answered that.”
A Scarce-Resource Problem With a Unique Shape
Healthcare security teams face a constraint that has no real analog in other industries: the systems carrying the highest risk are often the ones least available for remediation.
“Hospitals cannot just reboot an infusion pump in the middle of a procedure because there’s a potential vulnerability,” DeCloss points out, “and a lot of clinical gear and networks run on schedules measured in months between maintenance windows.”
That reality reshapes what prioritization even means. The question is not simply which vulnerabilities are most severe. It is which ones can actually be addressed without interrupting patient care. When a patch requires scheduled downtime, the near-term answer is usually a compensating control: tighter network segmentation, restricted access, closer monitoring. The maintenance window itself becomes the scarce resource, and it has to be spent carefully.
“You often need to treat the maintenance window as a scarce resource and spend it on the handful of things that really move the needle on your risk,” he says, “instead of burning it on whatever happened to score highest in the scanner.”
The CVSS Trap
Much of the industry still defaults to CVSS scores, the numerical severity ratings assigned to known vulnerabilities, as the primary lens for prioritization. DeCloss considers that a significant blind spot.
“Two findings with identical 9.8 scores can mean completely different things,” he explains. In one recent case he describes, a 9.8-scored vulnerability sat on a lab box with no path to anything valuable. Another 9.8 sat on a system tied to patient records with a publicly known exploit in circulation. CVSS treated them identically.
The context that actually predicts risk—how critical is the asset, can an attacker reach it, how sensitive is the data, is anyone exploiting it right now—is exactly what CVSS was never designed to capture. PlexTrac’s scoring model was built around that gap, allowing security teams to weight findings against their own operational context rather than a researcher’s abstract severity number.
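As an added illustration, not PlexTrac's scoring model or code from this article, the following Python folds the four context factors named above (asset criticality, reachability, data sensitivity, active exploitation) into one number and shows how two findings that CVSS ties at 9.8 come apart. The factor scales, weights and sample assets are assumptions constructed for the example.

```python
"""Context-weighted prioritisation: the same CVSS base score ranked very
differently once asset criticality, reachability, data sensitivity and
active exploitation are applied. Added illustration with assumed weights;
this is not PlexTrac's scoring model or any other vendor's."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    cvss: float               # base severity 0.0-10.0 from the advisory
    asset_criticality: int    # 1 (isolated lab box) .. 5 (patient care / records)
    reachable: bool           # can an attacker actually get to the asset?
    data_sensitivity: int     # 0 (none) .. 3 (PHI)
    actively_exploited: bool  # public exploit or exploitation observed


# Assumed weights, chosen so that context can outweigh the raw CVSS number.
W_CRITICALITY = 1.0
W_SENSITIVITY = 1.0
EXPLOITED_BONUS = 5.0
UNREACHABLE_FACTOR = 0.2   # unreachable assets keep a residual score, not zero


def contextual_score(f: Finding) -> float:
    """Fold operational context into one comparable number (higher = fix first)."""
    score = f.cvss + W_CRITICALITY * f.asset_criticality + W_SENSITIVITY * f.data_sensitivity
    if f.actively_exploited:
        score += EXPLOITED_BONUS
    if not f.reachable:
        score *= UNREACHABLE_FACTOR
    return round(score, 2)


def rank_by_cvss(findings):
    """What a scanner-driven queue looks like: severity only, ties unresolved."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_context(findings):
    """The same queue ordered by contextual_score."""
    return [f.finding_id for f in sorted(findings, key=contextual_score, reverse=True)]


def explain(f: Finding) -> str:
    """Human-readable justification, the kind that belongs in the ticket handed to the owner."""
    reasons = [f"cvss={f.cvss}", f"criticality={f.asset_criticality}",
               f"data={f.data_sensitivity}",
               "reachable" if f.reachable else "unreachable",
               "exploited" if f.actively_exploited else "no known exploitation"]
    return f"{f.finding_id} on {f.asset}: {contextual_score(f)} ({', '.join(reasons)})"


# Constructed sample mirroring the two 9.8s from the text, plus two others.
SAMPLE = [
    Finding("F-1", "lab-box-07", 9.8, 1, False, 0, False),       # lab box, no path anywhere
    Finding("F-2", "ehr-app-02", 9.8, 5, True, 3, True),         # patient records, public exploit
    Finding("F-3", "nurse-kiosk-11", 7.5, 4, True, 2, False),
    Finding("F-4", "build-server-03", 9.1, 2, False, 0, False),
]

if __name__ == "__main__":
    print("CVSS-only order:", rank_by_cvss(SAMPLE))
    print("Context order:  ", rank_by_context(SAMPLE))
    for f in sorted(SAMPLE, key=contextual_score, reverse=True):
        print(explain(f))
```

Run as a script, the CVSS-only ordering puts the two 9.8s side by side with the lab box first purely because it was listed first, while the context ordering moves the patient-records system to the top and pushes both unreachable hosts to the bottom. The unreachable factor is deliberately non-zero so those findings stay on the radar for the next maintenance window rather than disappearing.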
When Patching Isn’t an Option
Legacy medical devices present a particular challenge: many cannot be patched at all. DeCloss warns against the quiet resignation that often follows that discovery.
“What I see a lot in healthcare is teams treating ‘cannot patch’ as ‘cannot do anything,’ so the risk falls off the radar and essentially becomes permanent,” he says.
Even when a workaround is implemented, many organizations skip the step that would confirm it’s actually working. That omission, in his experience, is costly.
“A vulnerability fix you never validate is an assumption, not a remediation,” DeCloss says. “In my pentest days we retested and retested, and the count of what had quietly failed was always higher than anyone expected.”
Doing More With Constrained Teams
Healthcare security teams are almost universally under-resourced, and DeCloss is realistic about that. The answer, he argues, is not more headcount; it is sharper focus and less administrative drag.
“You are never going to have enough people, so the win comes from focusing the people you have on the right things,” he explains.
Two practices, in his view, produce lasting results. The first is genuine prioritization: directing limited staff and maintenance windows toward the small number of vulnerabilities that carry real risk. “Fixing the right twenty things with confidence puts you in far better shape than grinding through a ton of low-impact items because they were next on the list,” he says.
The second is eliminating manual overhead. A significant share of healthcare security work, he observes, is administrative rather than analytical: reconciling duplicate findings, chasing status updates, tracking the same vulnerability reported five different ways. Automation handles that work well. Grouping related findings by root cause can multiply the impact further, since resolving one underlying issue can eliminate dozens of surface-level symptoms.
Measuring What Actually Matters
The “findings-and-forget” model—run an assessment, file the report, satisfy the auditor, repeat next year—is, by DeCloss’s account, still the dominant operating mode. Mature programs work differently.
“Mature models run as a loop, where a vulnerability is discovered, prioritized by risk to the healthcare organization, routed to an owner, fixed, and confirmed to be a fix,” he explains. “And yes, those last two are separate steps.”
On the measurement side, he is skeptical of the metrics most organizations track. Counting open findings, he argues, tells you almost nothing. What matters is remediation velocity on genuinely high-risk items, whether resolved vulnerabilities stay resolved, and whether overall risk exposure trends downward over time.
“If your critical remediation time is shrinking and old problems are not reappearing, you are reducing risk,” he says. “If you are just producing prettier reports, you are not.”
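The single record per finding described earlier (a named owner and a history that runs from discovery to confirmed closure), the loop with fix and verification as separate steps, and the three metrics just argued for can be modelled in a few dozen lines. This is an added example, not PlexTrac's schema or code from the article; the state names, risk weights, owner names and dated sample records are all constructed for illustration.

```python
"""One record per finding, with a named owner and a history that runs from
discovery to confirmed closure, plus three metrics: days to a verified fix on
critical items, whether closed findings stay closed, and whether open exposure
trends down. Added illustration; states, weights and records are constructed."""
from dataclasses import dataclass, field
from datetime import date

# The loop from the interview. FIXED and VERIFIED are separate on purpose:
# a fix nobody has retested is an assumption, not a remediation.
TRANSITIONS = {
    "DISCOVERED": {"PRIORITIZED"},
    "PRIORITIZED": {"ASSIGNED"},
    "ASSIGNED": {"FIXED"},
    "FIXED": {"VERIFIED", "ASSIGNED"},  # retest failed: back to the owner
    "VERIFIED": {"ASSIGNED"},           # regression reopens the same record
}
RISK_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}  # assumed weights


@dataclass
class FindingRecord:
    finding_id: str
    asset: str
    risk: str     # key of RISK_WEIGHT, set during risk-based prioritisation
    owner: str    # the one named person accountable for closure
    history: list = field(default_factory=list)  # (date, state, note), oldest first

    def state(self) -> str:
        return self.history[-1][1]

    def advance(self, when: date, new_state: str, note: str = "") -> None:
        """Append a history entry; refuse moves outside the loop or out of order."""
        if new_state not in TRANSITIONS[self.state()]:
            raise ValueError(f"{self.finding_id}: {self.state()} -> {new_state} not allowed")
        if when < self.history[-1][0]:
            raise ValueError(f"{self.finding_id}: history must be chronological")
        self.history.append((when, new_state, note))

    def state_on(self, when: date):
        """State as of a given date (None if not yet discovered)."""
        return next((s for d, s, _ in reversed(self.history) if d <= when), None)

    def first_verified(self):
        return next((d for d, s, _ in self.history if s == "VERIFIED"), None)

    def reopen_count(self) -> int:
        """Times a VERIFIED fix was sent back to the owner: the fix did not hold."""
        pairs = zip(self.history, self.history[1:])
        return sum(1 for (_, a, _), (_, b, _) in pairs if a == "VERIFIED" and b == "ASSIGNED")


def days_to_verify(records, risk="critical"):
    """Remediation velocity: days from discovery to first confirmed fix, per record."""
    return [(r.first_verified() - r.history[0][0]).days
            for r in records if r.risk == risk and r.first_verified()]


def reopened_ids(records):
    """Findings whose fix was confirmed and later came back."""
    return [r.finding_id for r in records if r.reopen_count() > 0]


def open_exposure(records, when: date) -> int:
    """Risk-weighted count of records not yet VERIFIED as of `when`."""
    return sum(RISK_WEIGHT[r.risk] for r in records
               if r.state_on(when) not in (None, "VERIFIED"))


def exposure_trend(records, checkpoints):
    """Open exposure at each ISO-date checkpoint; a falling series means risk is going down."""
    return [open_exposure(records, date.fromisoformat(c)) for c in checkpoints]


SAMPLE_HISTORY = {  # constructed: id -> (asset, risk, owner, "YYYY-MM-DD STATE" entries)
    "F-1": ("ehr-app-02", "critical", "alice", ["2024-01-05 DISCOVERED", "2024-01-06 PRIORITIZED",
            "2024-01-06 ASSIGNED", "2024-01-20 FIXED", "2024-01-25 VERIFIED"]),
    "F-2": ("pacs-gw-01", "critical", "bob", ["2024-01-10 DISCOVERED", "2024-01-11 PRIORITIZED",
            "2024-01-12 ASSIGNED", "2024-02-01 FIXED", "2024-02-10 VERIFIED",
            "2024-03-01 ASSIGNED", "2024-03-05 FIXED", "2024-03-08 VERIFIED"]),  # regressed once
    "F-3": ("nurse-kiosk-11", "high", "carol", ["2024-01-15 DISCOVERED", "2024-01-16 PRIORITIZED",
            "2024-01-20 ASSIGNED", "2024-02-15 FIXED", "2024-02-20 ASSIGNED"]),  # retest failed
    "F-4": ("lab-box-07", "low", "dave", ["2024-01-02 DISCOVERED", "2024-01-03 PRIORITIZED"]),
}


def build_sample():
    """Replay the constructed histories through advance(), so every move is validated."""
    records = []
    for fid, (asset, risk, owner, entries) in SAMPLE_HISTORY.items():
        when, state = entries[0].split()
        r = FindingRecord(fid, asset, risk, owner, [(date.fromisoformat(when), state, "")])
        for entry in entries[1:]:
            when, state = entry.split()
            r.advance(date.fromisoformat(when), state)
        records.append(r)
    return records
```

With the constructed data, the two critical findings took 20 and 31 days to reach a verified fix, F-2 is the one whose fix came back, and the month-end exposure series runs 16, 6, 6: falling, then flat while the kiosk waits on its owner after a failed retest. Note that the raw count of open findings is the same two at the end of February and March, which is exactly the number the text says tells you almost nothing.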
The cultural shift required is, in some ways, the hardest part. Healthcare organizations have leaned heavily on the compliance-driven reporting model because a clean audit report can satisfy a regulator even when underlying risk hasn’t moved. Leadership incentives tend to reinforce the pattern.
“If leadership measures the security team on whether the annual assessment got done, you get an annual assessment and a backlog that never moves,” DeCloss observes. “If they measure it on whether risk is going down, behavior changes fast.”
The goal, ultimately, is to treat vulnerability management as a continuous operational practice rather than a calendar event, and to bring the teams responsible for fixes into the process as genuine partners rather than recipients of an annual list. Most healthcare organizations, he acknowledges, are not there yet. But the path forward is less about technology than about changing what gets measured, and what gets rewarded.
For more information, visit plextrac.com.
Daniel Casciato is a seasoned healthcare writer, publisher, and product reviewer with two decades of experience. He founded Healthcare Business Today to deliver timely insights on healthcare trends, technology, and innovation. His bylines have appeared in outlets such as Cleveland Clinic’s Health Essentials, MedEsthetics Magazine, EMS World, Pittsburgh Business Times, Post-Gazette, Providence Journal, Western PA Healthcare News, and he has written for clients like the American Heart Association, Google Earth, and Southwest Airlines. Through Healthcare Business Today, Daniel continues to inform and inspire professionals across the healthcare landscape.