Top 10 Penetration Testing Findings in Healthcare 2026
Our latest analysis of 200+ healthcare penetration tests reveals the most common vulnerabilities threatening patient data — and what CISOs can do about them.
After analyzing over 200 healthcare penetration tests conducted in the past 18 months, our team has identified consistent patterns in the vulnerabilities that put patient data and clinical operations at risk.
The Top 10 Findings
1. Unpatched legacy medical devices — Many hospitals still run devices on Windows 7 or embedded systems with known CVEs. Network segmentation is often the only viable mitigation.
2. Weak Active Directory configurations — Kerberoasting, AS-REP roasting, and excessive delegation permissions were exploitable in 78% of engagements.
3. Default credentials on network appliances — Printers, VoIP phones, and IoT medical devices frequently ship with admin/admin credentials that are never changed.
4. Excessive PHI access — Role-based access controls in EHR systems were misconfigured in 65% of organizations, granting clinical staff access to records outside their care scope.
5. Missing MFA on VPN and remote access — This is especially critical post-COVID, as telehealth and remote work expanded the attack surface.
6. Insecure HL7/FHIR API endpoints — Health data exchange interfaces often lacked proper authentication and input validation.
7. Flat network architectures — Lateral movement from a compromised workstation to critical clinical systems was trivially easy in 40% of tests.
8. Weak email security — Missing DMARC enforcement, SPF misconfigurations, and susceptibility to business email compromise were common.
9. Unencrypted internal traffic — PHI was transmitted in cleartext between internal systems, particularly between legacy applications.
10. Inadequate logging and monitoring — 55% of organizations could not detect our simulated attack activities within 72 hours.
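The email security finding above (missing DMARC enforcement and SPF misconfigurations) is one of the few on the list that a defender can verify with a deterministic check against published DNS TXT records. The script below is an added example written for this article, not code from the original page or from our testing team; it parses SPF and DMARC records the way a receiver would and flags the weak settings. The domains and TXT records are constructed samples (hypothetical `hospital-a/b/c.example`) embedded inline so the check runs offline; swapping `sample_lookup` for a real DNS TXT query is the only change needed to run it against your own domains.

```python
"""Flag weak SPF and DMARC configurations from published TXT records.

Constructed sample data stands in for DNS so this runs offline.
"""
from typing import Callable, Dict, List

# Constructed sample TXT records keyed by DNS name (hypothetical domains).
SAMPLE_TXT: Dict[str, List[str]] = {
    "hospital-a.example": ["v=spf1 include:_spf.mailer.example -all"],
    "_dmarc.hospital-a.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@hospital-a.example"
    ],
    "hospital-b.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_dmarc.hospital-b.example": ["v=DMARC1; p=none"],
    # Two SPF records and no DMARC record at all: the worst of the samples.
    "hospital-c.example": [
        "v=spf1 include:a.example +all",
        "v=spf1 include:b.example -all",
    ],
}

Lookup = Callable[[str], List[str]]


def sample_lookup(name: str) -> List[str]:
    """Offline stand-in for a DNS TXT lookup over the constructed records."""
    return SAMPLE_TXT.get(name, [])


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into a dict of lower-cased tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(domain: str, lookup: Lookup) -> List[str]:
    """Report missing, duplicated, or permissive SPF records for a domain."""
    findings: List[str] = []
    spf = [r for r in lookup(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no record published"]
    if len(spf) > 1:
        # RFC 7208: more than one v=spf1 record is a permanent error.
        findings.append("SPF: multiple v=spf1 records (receivers treat this as permerror)")
    for rec in spf:
        terms = rec.split()
        last = terms[-1].lower() if len(terms) > 1 else ""
        # A bare 'all' carries the default '+' qualifier, i.e. pass everyone.
        if last in ("+all", "all"):
            findings.append("SPF: '+all' authorizes any sender")
        elif last == "~all":
            findings.append("SPF: softfail '~all' only (consider '-all')")
        elif last == "?all":
            findings.append("SPF: neutral '?all' gives no protection")
        elif last != "-all" and not last.startswith("redirect="):
            findings.append("SPF: no terminal 'all' mechanism (defaults to neutral)")
    return findings


def check_dmarc(domain: str, lookup: Lookup) -> List[str]:
    """Report a missing DMARC record or one that does not enforce a policy."""
    recs = [r for r in lookup("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return ["DMARC: no record published"]
    findings: List[str] = []
    tags = parse_dmarc(recs[0])
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none is monitor-only, not enforcement")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: invalid or missing policy tag p={policy!r}")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports are received")
    return findings


def check_domain(domain: str, lookup: Lookup = sample_lookup) -> List[str]:
    """Combined SPF and DMARC findings; an empty list means nothing to flag."""
    return check_spf(domain, lookup) + check_dmarc(domain, lookup)


if __name__ == "__main__":
    for d in ("hospital-a.example", "hospital-b.example", "hospital-c.example"):
        print(d, "->", check_domain(d) or ["OK"])
```

The check deliberately treats `p=none` as a finding: it is the correct first step of a DMARC rollout, but a domain that stays there indefinitely is exactly the "missing DMARC enforcement" the list describes, and `pct` below 100 or a missing `rua=` address both indicate a rollout that stalled before reaching enforcement.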
What CISOs Should Do Now
Prioritize network segmentation for medical devices, enforce MFA everywhere, and implement continuous monitoring. A risk-based approach aligned with NIST CSF helps focus limited budgets on the highest-impact controls.
Protect Your Healthcare Organization
Schedule a targeted penetration test designed specifically for healthcare environments. We understand HIPAA, HL7, and the unique challenges of clinical networks.
Talk to Our Healthcare Security Team