HHS warns of ongoing attacks on healthcare web apps, urges review of tactics

Healthcare entities are encouraged to review potential remedial tactics and strategies for web application attack campaigns targeting the sector. The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) shared information on the impacts of these campaigns on the health sector.

HC3 defines web applications as programs stored on a remote server and delivered to a browser interface that require user interaction. Cyberattacks against these applications primarily involve the direct targeting of a company’s “most exposed infrastructure” or another vulnerability to create unintended behavior.

Web application attacks typically rely on stolen credentials or exploit a known vulnerability. In healthcare, the most common web application attacks occur on patient portals, telehealth platforms, online pharmacies, electronic health records, healthcare entity web emails and similar technologies.

The new HC3 guide details the most common types of attacks used against web applications, including Distributed Denial of Service (DDoS) attacks. In healthcare, DDoS attacks are typically motivated by political, hacktivist, or financial gain and rely on extortion tactics. The healthcare sector was the hardest hit by DDoS attacks in 2021, driven by COVID-19 and school reopenings.

DDoS attacks are particularly effective in healthcare given the influx of network traffic that renders web resources and applications unusable. Threat actors will also leverage DDoS attacks to gain a foothold in the network and to “deploy more sinister malware while distracting victims.”

For HC3, the concern is that healthcare web attacks can “impact the confidentiality, integrity and availability of healthcare applications, systems, data and resources”. Previous data from Verizon showed there were 849 security incidents against healthcare facilities last year, with web applications being the main vector.

Overall, “basic web application attacks (BWAA) have increased over the years in healthcare and are more prominent than in other industries.” Previous successful healthcare web application attacks include the May 2021 Scripps Health cyberattack, the January 2022 Kronos incident, and the April 2014 cyberattack on Boston Children’s Hospital.

In light of these potential impacts and ongoing targeting, entities should review the HC3 report to identify the tools and tactics used to exploit public-facing applications, as well as the threat actors targeting these vulnerabilities, in order to establish an effective and proactive remediation plan.

The primary defense mechanism against web application attacks is to create websites that can perform as expected, even under attack. HC3 notes that “the concept involves a set of security controls built into a web application to protect its assets from potentially malicious agents.”

HC3 also provided its recommendations to protect against these tactics, including automated vulnerability scanning, web application firewalls, and secure development testing, where “security teams examine threats and attacks that could impact an application or product to help make it as secure as possible.”

This information is in addition to two other recently released guides tailored to today’s health care provider risks and Health Insurance Portability and Accountability Act security rule compliance.

Lance B. Holton