
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Remote Desktop Tools are the Front Door in Healthcare, and Hackers are Walking Through

There is some positive news from the data collected by cybersecurity firm SonicWall, as cyberattacks have declined by up to 57% in some sectors; however, the healthcare industry has seen the smallest decline out of all tracked verticals, registering just a 17% year-over-year decline, compared to -23% for professional services, -42% for education, -46% for retail and -57% for manufacturing. Healthcare is still persistently targeted by cyber actors, and the gap between healthcare and other sectors is growing, according to the SonicWall 2026 Healthcare Protect Brief.

There are more active ransomware groups (10) attacking healthcare organizations than any other sector, indicating the industry is being actively targeted rather than falling victim to spray-and-pray attacks, and in H1 2026, there were four times as many malware hits per firewall in healthcare as the next most attacked sector. UltraVNC buffer overflow attacks generated 13.3 million hits in just 5 months, as hackers primarily targeted remote desktop tools to attack healthcare organizations – no other vertical experienced remote desktop exploitation at that scale.

Healthcare organizations rely on remote desktop tools to support their distributed clinical environments, telemedicine platforms, and third-party vendor access. If remote access credentials are compromised, threat actors gain a path to clinical systems and patient data, which can be exfiltrated and held to ransom. While network-level controls can limit data access, and multifactor authentication (MFA) can prevent compromised credentials from providing access, MFA is often not implemented, and a single set of credentials does not just unlock one application; it often grants access to the full network.

SonicWall also identified 243 unique attack methods targeting connected medical devices, with the Internet of Things (IoT) the fastest-growing and hardest-to-patch exposure. Healthcare organizations have a huge range of deployed connected devices, including infusion pumps, patient monitors, imaging systems and more, which means a huge attack surface to defend. Unfortunately, the attack surface is growing faster than security teams can govern it. IoT devices are often not routinely patched, cannot run endpoint agents, and often share network segments with clinical systems that contain protected health information.


“Healthcare does not have a cybersecurity problem. It has three of them,” explained Michael Crean, SonicWall SVP of Managed Services. The three are remote desktop tools without layered controls and MFA; a huge IoT footprint containing vulnerable devices; and targeted ransomware attacks. “Attackers have figured out how to use all of them at the same time.”

Hackers continue to target the sector as the returns are too reliable and the defenses too predictable. “What our research makes clear is that attackers have done the math. Hospitals cannot go dark, downtime is measured in patient outcomes, and the pressure to pay is unlike anything in any other sector. None of that changes until healthcare stops relying on security architectures built for a world that no longer exists, and starts treating Zero Trust not as a future initiative, but as the baseline they needed yesterday.”

The immediate steps recommended by SonicWall are to restrict UltraVNC and RDP to internal VLANs and ensure that MFA is implemented for all remote access, with no exceptions for vendors and no break-glass credentials. Connected medical IoT devices must be placed on isolated networks, away from clinical systems. Healthcare organizations need to implement application-level Zero Trust and ensure that legacy vulnerability exposure is addressed. SonicWall recommends conducting a comprehensive inventory of clinical middleware and IoT firmware and then ensuring that vulnerabilities are patched or devices isolated on a defined schedule.
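One way to check a firewall rule export against the first two recommendations, as an added example that is not from SonicWall or The HIPAA Journal. The address plan, the rule format, the rule names and the finding codes are all constructed assumptions; the ports are the default RDP and VNC listeners.

```python
import ipaddress
from dataclasses import dataclass

# Default listener ports: RDP 3389; VNC/UltraVNC 5900, plus 5800 for the HTTP viewer.
REMOTE_DESKTOP_PORTS = {3389: "RDP", 5900: "VNC", 5800: "VNC-HTTP"}

# Constructed address plan (an assumption of this example, not from the report).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
CLINICAL = ipaddress.ip_network("10.10.0.0/16")
IOT = ipaddress.ip_network("10.20.0.0/16")

@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    src: str         # source CIDR
    dst: str         # destination CIDR
    port_lo: int     # inclusive TCP port range
    port_hi: int

def audit(rules):
    """Return (rule, code, detail) findings. Each allow rule is judged on its
    own; rule ordering and shadowing by earlier denies are not modelled."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        hit = [n for p, n in REMOTE_DESKTOP_PORTS.items() if r.port_lo <= p <= r.port_hi]
        # Remote desktop must only be reachable from internal VLANs.
        if hit and not src.subnet_of(INTERNAL):
            findings.append((r.name, "REMOTE_DESKTOP_EXTERNAL", ",".join(hit)))
        # Medical IoT must not be able to reach clinical systems.
        if src.overlaps(IOT) and dst.overlaps(CLINICAL):
            findings.append((r.name, "IOT_TO_CLINICAL", f"{r.src}->{r.dst}"))
    return findings

# Constructed sample rule set.
SAMPLE_RULES = [
    Rule("vendor-rdp", "allow", "203.0.113.0/24", "10.10.5.0/24", 3389, 3389),
    Rule("admin-vnc", "allow", "10.30.0.0/24", "10.10.0.0/16", 5900, 5900),
    Rule("pump-telemetry", "allow", "10.20.0.0/16", "10.10.8.0/24", 443, 443),
    Rule("wide-range", "allow", "198.51.100.0/24", "10.10.0.0/16", 5000, 6000),
    Rule("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", 0, 65535),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

The wide port range in the `wide-range` rule is flagged even though it never names 5900 or 5800, which is the kind of exposure a search for exact port numbers misses.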

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
