Application security, Risk Assessments/Management

HHS alerts to ongoing healthcare web app attacks, urges review of tactics

New HC3 guidance on healthcare web app attacks and remediation strategies shows telehealth platforms are among the most commonly targeted by these threat actors. ("Live telehealth demonstration ..." by CiscoANZ is licensed under CC BY 2.0.)

Healthcare entities are being urged to review tactics and potential remediation strategies for ongoing web application attack campaigns targeting the sector. The Department of Health and Human Services Cybersecurity Coordination Center shared insights into health sector impacts.

HC3 considers web apps programs stored on a remote server and delivered on a browser interface that require user interaction. Cyberattacks against these applications primarily involve direct targeting of the “most exposed infrastructure” or other vulnerability of an enterprise to create unintended or unanticipated behavior.

Web app attacks commonly rely on stolen credentials or exploit a known vulnerability. In healthcare, the most common web app attacks occur on patient portals, telehealth platforms, online pharmacies, electronic health records, health entities’ web-based email, and similar tech.

The new HC3 guidance details the most typical attack types used against web apps, including Distributed Denial of Service (DDoS) attacks. In healthcare, DDoS attacks are commonly motivated by political, hacktivist, or financial gain and rely on extortion tactics. The health sector bore the brunt of DDoS in 2021, driven by COVID-19 and school reopenings.

DDoS attacks are particularly effective in healthcare given the flood of network traffic that renders resources and web applications unusable. Threat actors will also leverage DDoS attacks as a foothold onto the network and to “deploy more sinister malware while distracting victims.”

For HC3, the concern is that healthcare’s web attacks can “impact the confidentiality, integrity, and availability of healthcare applications, systems, data, and resources.” Previous Verizon data showed there were 849 security incidents against healthcare entities last year, with web apps as the top vector.

Overall, ”Basic Web Application Attacks (BWAAs) have trended greater over the years in the healthcare sector and are more prominent than in other industries.” Previous successful healthcare web app attacks include the May 2021 Scripps Health cyberattack, the Kronos incident in January 2022, and the April 2014 cyberattack against Boston Children’s Hospital.

In light of these potential impacts and ongoing targeting, entities should review the HC3 report to identify the tools and tactics used to exploit public-facing applications, as well as the threat actors who target these vulnerabilities to establish an effective, proactive remediation plan.

The key defense mechanism for web app attacks is to build websites able to function as expected, even when under attack. HC3 notes that “the concept involves a collection of security controls engineered into a web application to protect its assets from potentially malicious agents.”

HC3 also provided its recommendations for protecting against these tactics, including automated vulnerability scanning, web app firewalls, and secure development testing where “security teams consider the threats and attacks that might have an impact on an application or product to help make it as secure as possible.”

The insights join two other newly released guides tailored to ongoing healthcare vendor risks and compliance with the Health Insurance Portability and Accountability Act Security rule.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.