Remote desktop tools offer hackers a front door to healthcare networks: report

As hackers increasingly exploit poorly configured remote management tools to gain broad access to clinical systems, a new report says that no other industry sees remote desktop exploitation at this scale.

Healthcare organizations rely on remote desktop tools for a variety of functions, from remote access to clinical systems to IT support and third-party vendor access to medical equipment. These tools are widely used and offer convenience. But without proper controls, they can become an easy entry point for hackers, a new report by cybersecurity company SonicWall found.

The report is an offshoot of the company's multi-industry threat report. The newly released version focused solely on healthcare and pulled data from SonicWall's global network of more than 1 million security sensors. It underscored the outsized volume of cyberattacks the healthcare industry currently faces.

"Healthcare is not just the most targeted vertical in SonicWall's 2026 telemetry; it's also the most persistently targeted," the report stated. "Attackers are targeting the healthcare industry more consistently than any other industry."

Other industries saw intrusion protection system attack volumes decline between 17% and 56% year-over-year. Meanwhile, healthcare hardly moved at -16.9%.

"Attackers are not leaving. They're staying because the returns are too reliable and the defenses too predictable," the report stated.

The data indicated that remote desktop exploitation was a key driver of persistent healthcare cyberattacks. In the first five months of 2026, the UltraVNC buffer overflow signature generated 13.3 million hits. UltraVNC is a free, open-source remote desktop tool for Windows.

No other industry saw remote desktop exploitation at the same scale, pointing to healthcare's reliance on remote management tools.

"VPN-based access compounds the risk. Once credentials are validated, broad network access is granted, and from there, the path to clinical systems, Electronic Health Record (EHR) databases and connected devices is rarely restricted," the report added.

"A stolen set of remote-access credentials does not just unlock one application. It unlocks the whole environment."

Remote desktop tools are not inherently bad, but threat actors have unfortunately realized that these tools can be just as useful to them as they are to the healthcare organizations that depend on them. What's more, when these systems are exposed to the internet without network-level controls or multifactor authentication, they become an easy entry point.

A 2023 alert by the HHS Health Sector Cybersecurity Coordination Center stressed the importance of securing remote access and management software, warning that "mitigating the risk associated with them is not as simple as deploying a patch or reconfiguring an application."

Threat actors might exploit vulnerabilities in remote access software, conduct brute-force attacks wherein they guess usernames and passwords, craft social engineering attacks or deploy ransomware.

HC3 recommended using MFA, regularly updating and patching software, leveraging network segmentation and monitoring access activities to mitigate risk.

SonicWall also emphasized the importance of these mitigations, adding that "a compromised credential should not mean a compromised network."

The report recommended shifting from a virtual private network model to a zero-trust model in which identities and devices are re-verified regularly and only application-level access is granted. SonicWall also recommended limiting UltraVNC and remote desktop protocol to internal VLANs and requiring MFA on all remote access, with no exceptions for vendor accounts.
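As an added illustration (not taken from SonicWall's report or this article), the sketch below audits connection records against those two recommendations: RDP and VNC sessions must originate from internal VLANs, and every remote session must carry MFA, vendor accounts included. The log format, VLAN ranges, account names and the use of default ports 3389 and 5900 are assumptions made for the example.

```python
import ipaddress

# Assumed internal VLAN ranges and default service ports (hypothetical values).
INTERNAL_VLANS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "10.30.8.0/24")]
REMOTE_DESKTOP_PORTS = {3389: "RDP", 5900: "VNC"}

# Constructed sample records: timestamp src_ip dst_ip dst_port account mfa=<yes|no>
SAMPLE_LOG = """\
2026-05-04T08:12:01Z 10.20.4.17 10.20.9.5 3389 jdoe mfa=yes
2026-05-04T08:13:44Z 203.0.113.50 10.20.9.5 5900 vendor-imaging mfa=no
2026-05-04T08:15:10Z 10.30.8.22 10.20.9.7 5900 helpdesk mfa=no
2026-05-04T08:16:02Z 198.51.100.7 10.20.9.5 3389 jdoe mfa=yes
2026-05-04T08:17:30Z 10.20.4.17 10.20.9.5 443 jdoe mfa=no
malformed line
"""

def is_internal(addr):
    """True if addr falls inside one of the assumed internal VLAN ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_VLANS)

def audit(log_text):
    """Return (line_no, protocol, account, reasons) for each policy violation."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        try:
            _, src, _, port, account, mfa = parts
            port, internal = int(port), is_internal(src)
        except ValueError:
            # Surface records the audit cannot read instead of silently passing them.
            findings.append((line_no, "unparsed", None, ["unparseable record"]))
            continue
        proto = REMOTE_DESKTOP_PORTS.get(port)
        if proto is None:
            continue  # not a remote desktop service
        reasons = []
        if not internal:
            reasons.append("source outside internal VLANs")
        if mfa != "mfa=yes":
            reasons.append("no MFA")  # applies to vendor accounts too
        if reasons:
            findings.append((line_no, proto, account, reasons))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```
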

Jill Hughes has covered health tech news since 2021. Her coverage areas include cybersecurity, HIPAA compliance, interoperability, AI and EHRs.
