HC3 warns of risk of web application attacks on healthcare organizations
The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has released guidance to help healthcare organizations protect against web application attacks.
Web applications have grown in popularity in healthcare in recent years and are used for patient portals, electronic medical record systems, appointment scheduling, access to test results, patient tracking, online pharmacies, dental CAD systems, inventory management, and more. These apps are accessed through a standard web browser; unlike most websites, however, the user must authenticate to the app.
Web application attacks are carried out by financially motivated cybercriminals and state-sponsored Advanced Persistent Threat (APT) actors for a range of different nefarious activities. Attacks exploiting web application vulnerabilities have increased, and web application attacks are now the number one attack vector for healthcare, according to the 2022 Verizon Data Breach Investigations report.
Web application attacks most often target Internet-connected web servers and typically either use stolen credentials to gain access to the application or exploit vulnerabilities in the application or its underlying architecture. Web application attack classes include cross-site scripting (XSS), SQL injection (SQLi), path traversal, local file inclusion, cross-site request forgery (CSRF), and XML external entity (XXE) injection. These attacks are carried out to gain access to sensitive data, or to gain a foothold in applications and networks for espionage or extortion, such as ransomware attacks. The May 2021 ransomware attack on Scripps Health used a web application attack as its initial attack vector; the attack took the EHR system and patient portal out of service for several weeks.
Distributed denial of service (DDoS) attacks on web applications can be carried out to deny access to the application. Comcast Business reports that in 2021 healthcare was the industry most affected by DDoS attacks on web applications, with attacks increasing in response to the COVID-19 pandemic, vaccine availability, and school openings. DDoS attacks are often used as a smokescreen: while IT teams battle to resolve the DDoS attack, their attention is elsewhere and malware is deployed across the network. DDoS attacks are also carried out by hacktivists. A major DDoS attack was carried out against Boston Children’s Hospital in April 2014 over the course of a week by a hacker in response to a child care issue. During this attack, individuals were blocked from accessing the appointment booking system, the fundraising site, and the patient portal.
Like all software, web applications may contain vulnerabilities that hackers could exploit remotely to gain access to the applications themselves or to the underlying infrastructure and databases. When developing web applications, it is important to follow web application security best practices and to design applications so that they continue to function as intended while under attack and prevent potentially malicious agents from reaching assets. Secure development practices help prevent vulnerabilities from being introduced, and security measures should be applied throughout the software development lifecycle so that both design-level flaws and implementation-level vulnerabilities are corrected.
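Two of the attack classes named above, SQL injection and path traversal, come down to the same implementation-level mistake: untrusted input is interpreted as code or as a path instead of as data. The following is an added example, not part of HC3's guidance or the original article, showing a deliberately vulnerable lookup beside its hardened form, using a constructed in-memory SQLite table and a hypothetical report directory; the table, column and function names are assumptions.

```python
import os
import sqlite3


def make_db():
    """Constructed sample data (not real patient records) in an in-memory DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT, name TEXT, result TEXT)")
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?, ?)",
        [
            ("1001", "A. Example", "negative"),
            ("1002", "B. Example", "positive"),
            ("1003", "C. Example", "pending"),
        ],
    )
    return conn


def lookup_result_unsafe(conn, mrn):
    """Vulnerable: the MRN is pasted into the SQL text, so user input can
    change the query's logic (the SQLi defect HC3 warns about)."""
    sql = f"SELECT name, result FROM patients WHERE mrn = '{mrn}'"
    return conn.execute(sql).fetchall()


def lookup_result_safe(conn, mrn):
    """Hardened: a bound parameter is always treated as a value, never as SQL."""
    sql = "SELECT name, result FROM patients WHERE mrn = ?"
    return conn.execute(sql, (mrn,)).fetchall()


def resolve_report_path(base_dir, requested_name):
    """Hardened path handling: resolve the requested file name against the
    report directory and refuse anything that escapes it (path traversal).
    base_dir is a hypothetical directory; nothing is read from disk here."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested_name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("requested path escapes the report directory")
    return candidate


if __name__ == "__main__":
    conn = make_db()
    # A well-formed MRN behaves the same either way...
    print(lookup_result_safe(conn, "1002"))
    # ...but only the parameterized version keeps a malformed one as data.
    print(len(lookup_result_unsafe(conn, "' OR '1'='1")), "rows from the unsafe query")
    print(len(lookup_result_safe(conn, "' OR '1'='1")), "rows from the safe query")
    print(resolve_report_path("/srv/reports", "2022/lab.pdf"))
```

The unsafe query returns every row for the malformed input because the quote characters end the string literal and the remainder is executed as SQL; the parameterized query returns nothing because the same input is compared, as a whole, against the mrn column. The path check resolves symlinks and `..` segments before comparing, which is why a plain string prefix test is not enough.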
HC3 has suggested several mitigations to protect against web application attacks and limit the damage they can cause. These include:
- Automated vulnerability scanning and security testing
- A web application firewall to block malicious traffic
- Secure development testing
- CAPTCHA and login rate limits
- Multi-factor authentication
- Login monitoring
- Tracking of compromised credentials
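The last two mitigations, login monitoring and tracking of compromised credentials, are only useful if the application's authentication log is actually examined for the patterns a credential-based attack leaves behind. The following is an added example, not part of HC3's guidance or the original article, that runs two simple detections over constructed authentication log lines: a single source address failing against many distinct accounts (password spraying), and a successful login from a source that was spraying moments earlier (a likely compromised credential). The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (documentation IP ranges, invented users).
SAMPLE_LOG = """\
2022-07-01T08:00:01Z auth ip=203.0.113.10 user=jdoe result=FAIL
2022-07-01T08:00:02Z auth ip=203.0.113.10 user=asmith result=FAIL
2022-07-01T08:00:03Z auth ip=203.0.113.10 user=bwong result=FAIL
2022-07-01T08:00:04Z auth ip=203.0.113.10 user=clee result=FAIL
2022-07-01T08:00:05Z auth ip=203.0.113.10 user=dkim result=FAIL
2022-07-01T08:00:06Z auth ip=203.0.113.10 user=dkim result=OK
2022-07-01T08:01:00Z auth ip=198.51.100.7 user=nurse1 result=OK
2022-07-01T08:02:00Z auth ip=198.51.100.8 user=nurse1 result=FAIL
"""

# Assumed line format: "<timestamp> auth ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_auth_log(text):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_password_spray(events, min_accounts=5):
    """Return {ip: [users]} for sources whose failures span at least
    min_accounts distinct accounts: one source, many accounts."""
    failed_users = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            failed_users[e["ip"]].add(e["user"])
    return {
        ip: sorted(users)
        for ip, users in failed_users.items()
        if len(users) >= min_accounts
    }


def successes_from_spraying_ips(events, spraying_ips):
    """Return (ip, user) pairs for successful logins from a spraying source,
    i.e. accounts whose credentials should be treated as compromised."""
    return [
        (e["ip"], e["user"])
        for e in events
        if e["result"] == "OK" and e["ip"] in spraying_ips
    ]


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_LOG)
    spray = detect_password_spray(events)
    print("spraying sources:", spray)
    print("logins to reset/review:", successes_from_spraying_ips(events, spray))
```

In the sample, 203.0.113.10 fails against five accounts and then succeeds against one of them, so that account is reported for a credential reset and a check against the organization's compromised-credential feed; the two unrelated attempts against nurse1 stay below the threshold and are not reported. In a real deployment the thresholds would be tuned per application and the detection would run over a sliding time window rather than the whole log.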
Healthcare organizations should also refer to the Health Industry Cybersecurity Practices (HICP) published under the HHS 405(d) program to mitigate vulnerabilities in web applications, and web application developers should refer to the OWASP Top 10, a standard awareness document detailing the most critical security risks to web applications.