Hackers Target Remote Desktop Tools for Access to Healthcare Networks
The healthcare industry remains the most attacked sector, and while cyberattacks have declined year over year, healthcare has seen the smallest decline of all verticals, according to a new report from the cybersecurity firm SonicWall. According to its intrusion protection system data, attack volumes have declined between 17% and 56% year over year, with healthcare showing the smallest decline at just 16.9%, compared to manufacturing at -56%.
Not only are hackers continuing to attack healthcare organizations in volume, but the gap between healthcare and other sectors is growing. According to SonicWall, hackers are continuing to target healthcare organizations because the returns are too reliable and the defenses are too predictable.
The report is based on data collected from more than 1 million SonicWall security sensors, with the latest “Code Red” report focused solely on the state of healthcare cybersecurity. Healthcare had the highest number of active ransomware groups of all verticals, with 10 groups hitting healthcare in H1 2026, and healthcare also topped the list for the highest number of malware hits per firewall – 102,209 in H1 2026 – more than four times the volume of the next most targeted sector.
SonicWall identified more than 243 unique attack signatures targeting connected medical devices, and the Log4j vulnerability signature generated 11.4 million hits, despite a patch having been available since 2021. The most common entry point into healthcare networks was remote desktop tools, which are the front door into healthcare networks and are often inadequately protected. A lack of multifactor authentication, combined with credentials that carry broad access, means that a single set of compromised credentials can result in a compromise of the entire environment.
SonicWall reports that in the first five months of this year, the UltraVNC buffer overflow signature generated more than 13.3 million hits in healthcare. UltraVNC is an open-source, free-to-use remote desktop tool for Windows. No other vertical had anywhere near that volume of hits, and no other sector had anywhere near as many attempted remote desktop attacks.
Healthcare is reliant on remote desktop tools for operations, as they support distributed clinical environments, telemedicine platforms, and third-party vendor access to medical equipment. The tools are internet-exposed, and often connect to clinical systems, electronic medical records, and connected devices, with access rarely restricted. A single set of remote access credentials can allow a hacker to access patient EHR databases, medical images, lab reports, medical IoT systems, and even backups and recovery data.
The problem is not the remote access tools themselves; it’s the lack of appropriate controls and the fact that hackers have learned that these tools are just as useful for them as they are for the healthcare organizations that rely on them. If they are exposed to the internet, do not have MFA enabled, and lack network-level controls, they are an easy entry point into healthcare networks.
Medical IoT has created a sprawling attack surface, and one that security teams struggle to secure. Medical IoT devices often do not support security software, and are rarely patched, so vulnerabilities can remain unaddressed for long periods. For instance, the CVE-2021-36260 Hikvision command injection vulnerability is 5 years old, yet it remains open and is still being exploited in attacks. Further, medical IoT devices are often housed on the same network as patient records.
SonicWall recommends moving away from a virtual private network model to a zero-trust model, in which identities are constantly re-verified and credentials grant only application-level access; limiting UltraVNC and Remote Desktop Protocol traffic to dedicated VLANs; ensuring MFA is implemented for all remote access, including vendor access; and addressing legacy vulnerability exposure. That requires a comprehensive inventory of all clinical middleware and IoT firmware, patching on a defined schedule, and, where patching is not possible, ensuring unpatched devices are isolated.
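One way to turn these recommendations into a repeatable check is a small inventory audit that flags internet-exposed RDP/UltraVNC listeners, remote desktop access without MFA, remote desktop services outside a restricted VLAN, and unpatchable devices that are not isolated. This is an added example, not code from the article or from SonicWall; the Asset fields, the VLAN name, the patch window and the sample rows are assumptions.

```python
# Audit a constructed healthcare asset inventory against the remote-access and
# legacy-device controls recommended above (added example, not SonicWall code;
# Asset fields, VLAN names, ports and sample rows are assumptions).
from dataclasses import dataclass

REMOTE_DESKTOP_PORTS = {3389: "RDP", 5900: "UltraVNC"}  # default listening ports
PATCH_WINDOW_DAYS = 30  # assumed "defined schedule" for patchable devices
RESTRICTED_VLAN = "remote-access"  # assumed VLAN where RDP/VNC must be confined

@dataclass
class Asset:
    name: str
    port: int
    vlan: str
    internet_exposed: bool = False
    mfa: bool = False
    vendor_access: bool = False
    patchable: bool = True
    isolated: bool = False
    days_since_patch: int = 0

def audit(assets):
    """Return (asset name, finding) pairs for every control violation found."""
    findings = []
    for a in assets:
        tool = REMOTE_DESKTOP_PORTS.get(a.port)
        if tool:  # remote desktop listener: check exposure, MFA and segmentation
            if a.internet_exposed:
                findings.append((a.name, f"{tool} reachable from the internet"))
            if not a.mfa:
                who = "vendor" if a.vendor_access else "staff"
                findings.append((a.name, f"{tool} {who} access without MFA"))
            if a.vlan != RESTRICTED_VLAN:
                findings.append((a.name, f"{tool} listener not confined to {RESTRICTED_VLAN} VLAN"))
        if not a.patchable and not a.isolated:  # legacy/IoT device left on a shared network
            findings.append((a.name, "unpatchable device not isolated from the rest of the network"))
        elif a.patchable and a.days_since_patch > PATCH_WINDOW_DAYS:
            findings.append((a.name, f"patch overdue by {a.days_since_patch - PATCH_WINDOW_DAYS} days"))
    return findings

# Constructed sample inventory: an exposed VNC gateway used by a vendor, a compliant
# RDP jump host, an unpatchable camera on the clinical VLAN, and an isolated pump.
SAMPLE_INVENTORY = [
    Asset("pacs-gw-01", 5900, "clinical", internet_exposed=True, vendor_access=True),
    Asset("ehr-jump-01", 3389, RESTRICTED_VLAN, mfa=True, days_since_patch=12),
    Asset("ip-cam-07", 80, "clinical", patchable=False),
    Asset("infusion-12", 8443, "iomt-isolated", mfa=True, patchable=False, isolated=True),
]
```

Running `audit(SAMPLE_INVENTORY)` on this inventory yields three findings for the VNC gateway and one for the camera, and none for the two compliant hosts.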
