Code Red: Healthcare Can't Pull the Plug On Its Cybersecurity Problem

by Jordan Riddles

The healthcare industry can never go dark, and neither can the people trying to break into it.

Most industries get a slow season. Retail cools off after the holidays. Finance quiets down between earnings cycles. Even cybercriminals, apparently, take a breather, as attack volumes across most verticals dropped between 17% and 56% year-over-year in SonicWall's 2026 threat data.

Healthcare dropped dead last amongst tracked verticals.

Here's the thing about healthcare that attackers figured out a long time ago: the customers never stop showing up. Patients don't reschedule emergencies. Hospitals don't post "back in five minutes" signs. The industry runs 24/7/365 by necessity, which means the pressure to keep systems online or to restore them fast when they go down is unlike anything in any other sector. Threat actors aren't targeting healthcare because it's easy. They're targeting it because it reliably pays. And as long as that math holds, they're not going anywhere.

The Front Door Nobody's Watching

So what exactly are attackers doing once they decide to show up?

The most striking finding in the healthcare telemetry is how they're getting in. An UltraVNC buffer overflow signature generated 13.3 million hits in just the first five months of 2026 — a number that didn't crack the top ten for any other vertical. It's a healthcare-specific phenomenon, and the reason is structural.

Healthcare has always depended on remote management. Distributed clinics, telemedicine platforms, third-party vendors accessing imaging equipment and infusion pumps. Remote connectivity isn't a convenience; it's operational. But when those tools are exposed to the internet without layered controls, they become the most predictable entry point in the environment. And the compounding problem with traditional VPN-based access is what happens after someone gets in. Credentials validated, broad network access granted. From there, the path to EHR systems, billing records, and connected devices is rarely restricted. One stolen login doesn't just unlock one application. It unlocks the building.

The Devices That Can't Be Fixed

Meanwhile, healthcare's Internet of Things (IoT) footprint is expanding faster than security teams can govern it. SonicWall detected exploitation attempts across 243 unique attack signatures tied to connected medical devices — infusion pumps, patient monitors, imaging systems, building controls. Most of these devices can't run endpoint agents, don't receive patches on a predictable schedule, and often share network segments with clinical systems.

A Hikvision command injection vulnerability disclosed in 2021 is still generating millions of detection events in 2026. Legacy vulnerabilities don't expire. When the devices carrying them can't be patched or replaced, they remain permanently available to anyone running an automated scanner. That's not a hypothetical risk; it's an ongoing, documented reality.

Ten Families, One Target

Then there's ransomware, which in healthcare isn't just a blunt instrument. It's a deliberate strategy.

Ten active ransomware families were detected targeting healthcare in the first half of 2026. Gandcrab, Ryuk, VHDLocker, JobCrypter, Filecoder and more.

Not one group. Ten. Operating simultaneously against a single vertical.

That's not spray-and-pray opportunism. That's a calculated market. Ransomware groups understand something that security teams sometimes struggle to communicate upward: healthcare organizations can't absorb extended downtime. Delayed surgeries, inaccessible patient records, disabled clinical systems — the pressure to restore operations is immediate and enormous. The probability of payment is higher. The returns are more reliable. So, attackers keep showing up.

The Reprieve Isn't Coming

None of this is meant to be paralyzing. The structural vulnerabilities are well understood, and the controls that address them exist. The challenge is that too many healthcare organizations are still operating on security architectures designed for a different threat environment. An environment of ye olden times. One where the perimeter was the office, the workforce was on-site, and access was binary.

That model doesn't hold anymore. Remote access is here to stay. Distributed workforces are here to stay. IoT proliferation is accelerating, not slowing down. Attackers have decided that healthcare is worth staying for, and the organizations that recognize that dynamic are the ones building security postures that match the actual threat. Because these attackers aren't going anywhere. Critical condition could be the status quo.

The full picture is in SonicWall's 2026 Healthcare Protect Brief — including specific attack data, IoT exposure analysis, and a practical framework for reducing your attack surface.

An Article By

Jordan Riddles

Content & Copywriting Specialist

Jordan Riddles is a Content & Copywriting Specialist at SonicWall, where he helps bring complex cybersecurity topics to life through clear, engaging content. Since joining the team in 2023, he’s written everything from blogs and email campaigns to case studies, threat briefs and threat reports—always with an eye toward making technical info accessible and interesting. Before SonicWall, Jordan worked as an editor and copywriter in the publishing world. He’s a proud graduate of Northeastern State University in Tahlequah, Oklahoma.
