The healthcare sector in the UK is currently facing unprecedented challenges, as recent data from SonicWall reveals a staggering tenfold increase in cyberattacks in the first five months of 2026 compared to the entirety of 2025. This alarming surge has raised concerns about the resilience of the NHS and the broader healthcare environment, as the infrastructure is reportedly being “stress-tested to breaking point.”
According to SonicWall, a notable cybersecurity vendor that monitors the sector, the insights stem from its intrusion prevention system (IPS) sensors strategically deployed among healthcare clients across the UK. The IPS sensors have logged an astonishing 264,000 security incidents from January to May 2026, marking a sharp spike from the mere 27,000 incidents recorded throughout the previous year. This translates to an average of approximately 11,000 events per sensor, a statistic that highlights the severity of the situation and positions healthcare as the vertical most affected by such attacks.
The array of threats targeting the NHS is diverse, indicating both efforts to exploit long-standing vulnerabilities and more recent weaknesses. SonicWall’s data indicates that a significant 41% of all detected events were attempts to exploit the Log4Shell vulnerability, a notorious flaw in a widely used Java-based logging utility that was initially identified and patched in 2021. In addition, the data revealed attempts to exploit a critical remote code execution vulnerability known as React2Shell, targeting the React.js JavaScript library prevalent in newly deployed patient portals.
Further complicating the security landscape, approximately one-third (33%) of the sensors detected authentication bypass attacks aimed at F5 BIG-IP load balancers. These load balancers have become a frequent target, particularly due to their widespread deployment in health services.
The underlying challenges faced by healthcare organizations are multifaceted, as SonicWall emphasizes that many Java-based clinical applications are deeply integrated into the workflows of the NHS. Consequently, these systems cannot be patched or replaced in a routine fashion. The vendor noted, “The fact that [Log4j] remains the most active attack vector against UK healthcare environments in 2026 points to a straightforward problem: clinical Java middleware, patient-facing web applications, and legacy hospital IT systems have not been updated.”
This situation sheds light on the complexities of patching in a field where unanticipated downtime can severely impact patient care. SonicWall asserts that the ramifications of delay in addressing these vulnerabilities translate into heightened attack volumes, imperiling not just theoretical security but practical operational security as well.
Moreover, SonicWall posits that the rise in attacks could be linked to the exposure of new internet-connected infrastructures or an uptick in focused targeting efforts, possibly from state-sponsored actors such as those from Iran. The timing of this increase aligns closely with a global rise in attacks on industrial control systems (ICS) and operational technology (OT) systems in early 2026.
Spencer Starkey, EMEA executive vice president at SonicWall, expressed his concerns regarding a “double-edged crisis” facing the healthcare sector. He stated, “Attackers are targeting our hospitals and stress-testing them to breaking point.” He highlighted that antiquated, unpatched systems, colloquially referred to as “zombie tech,” continue to plague the NHS since administrators cannot simply take critical care systems offline for maintenance.
As hospitals rush to digitize their services, they inadvertently expose new vulnerabilities, particularly in patient portals. Starkey elaborated on this emerging threat landscape, stating, “Threat actors have clocked the gap between old and new, and they’re scanning for it relentlessly.”
In light of these significant challenges, the National Cyber Security Centre (NCSC) has recently initiated a proactive response by launching a new plan aimed at bolstering cyber resilience within the healthcare sector. This initiative seeks to address the urgent need for enhanced cybersecurity measures to better protect health services from potential cyber threats, underscoring the critical importance of safeguarding patient care in a rapidly evolving digital landscape.