New research shows medical facilities face more ransomware families and remote access threats than any other sector.
SonicWall released its 2026 Healthcare Protect Brief, revealing that healthcare remains the most persistently targeted industry in its global telemetry. While attack volumes across the sectors tracked declined between 23% and 56% year-over-year, healthcare recorded the smallest decline at 17%.
The report indicates that the gap between healthcare and other sectors is widening. Michael Crean, senior vice president of managed services at SonicWall, notes that the targeting of hospitals is a calculated decision by attackers who understand the critical nature of medical operations.
“Hospitals cannot go dark, downtime is measured in patient outcomes, and the pressure to pay is unlike anything in any other sector,” says Crean in a release. “None of that changes until healthcare stops relying on security architectures built for a world that no longer exists and starts treating Zero Trust not as a future initiative, but as the baseline they needed yesterday.”
Structural Vulnerabilities and Ransomware
According to the brief, healthcare faces three primary structural problems: internet-exposed remote desktop tools, a large Internet of Things footprint, and legacy virtual private network architectures. The report says these vulnerabilities allowed 10 active ransomware families to operate simultaneously against healthcare in the first half of 2026, more than in any other tracked industry.
Remote desktop tools, which are used for telemedicine and third-party vendor access, generated 13.3 million UltraVNC exploitation attempts in the first five months of 2026. SonicWall researchers also identified 243 unique attack signatures targeting connected medical devices. Many of these devices share network segments with clinical systems but cannot be patched or run endpoint security agents.
“Healthcare does not have a cybersecurity problem. It has three of them, and attackers have figured out how to use all of them at the same time,” says Crean in a release.
The Persistence of Legacy Threats
The research shows that older vulnerabilities continue to pose risks to medical networks. For example, Log4j generated 11.4 million hits despite a patch being available since 2021. Additionally, a vulnerability from 2021 affecting Hikvision devices continues to generate millions of detection events in 2026.
Malware hits per firewall reached 102,209 in the first half of 2026. This rate is four times higher than the next-highest industry vertical, according to the report.
Implementing Zero Trust at Scale
To address these risks, the report suggests adopting Zero Trust principles that grant application-level access only and continuously verify identity and device posture.
Fornida, a SonicWall partner, implemented this architecture for ExaltHealth across five operating rehabilitation hospitals. The security protocols were included in a standardized playbook used when opening new facilities to ensure that security is not an afterthought.
“By the third facility, Zero Trust was built into our standard playbook. Five hospitals operating. Eight more planned. That only works if security is a system, not a fire drill,” says Farzad Vahid, CEO of Fornida, in a release.
The 2026 Healthcare Protect Brief is the first in a series of industry-specific reports from SonicWall following the release of its annual cyber protect report earlier this year.