Feds Warn Healthcare Sector of Web Application AttacksHHS HC3 Advises Medical Centers, Others to Mitigate Risks Involving Many Common Apps
Federal authorities are advising healthcare sector entities to batten down their patient portals and other common web applications from cyberattacks.
Healthcare web apps have exploded in popularity over the past decade, making patient access to medical records, test results and appointment scheduling increasingly an online experience.
The American Hospital Association says more than 9 out every 10 hospitals make use of patient portals. A 2020 survey of radiology patients found nearly half reported receiving imaging test results first through a portal, with only 40 percent reporting direct provider communication.
The potential downside is that many of the healthcare sector's most notable cyberattacks - including ransomware and distributed-denial-of-service attacks - have affected or involved web apps as a vector.
The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center in an advisory issued on Thursday warns that hackers often leverage stolen credentials or exploit a known vulnerability in attacks involving healthcare web applications.
Among the most common types of healthcare web applications vulnerable to such attacks are patient and health insurance portals, telehealth services, online pharmacies, electronic health records, patient monitoring with IoT devices, webmail and hospital inventory management, HHS HC3 says.
Web App Attacks
The most recent Verizon Data Breach Investigation report found that web applications were the top attack vector in healthcare, HHS HC3 warns.
Basic web application attacks have trended greater over the years in the healthcare sector and are more prominent than in other industries, HHS HC3 writes.
Indeed, web applications offer a lot of potential entry points into an organization and access to valuable health data, says Benjamin Denkers, chief innovation officer at privacy and security consultancy CynergisTek.
"Threat actors can target the application itself, users, or even the infrastructure supporting the application," he adds. "The larger the attack surface an attacker has, the more likely a potential compromise could happen."
Among high-profile incidents involving healthcare web apps was a May 2021 ransomware attack on California-based Scripps Health. The attack resulted in the organization's electronic health record and patient portal being taken offline for several weeks.
A variety of state-sponsored advanced persistent threat groups and financially motivated cybercriminal groups are known to exploit public-facing web applications, HHS HC3 writes.
Healthcare sector entities should consider a number of approaches to help mitigate web application security vulnerabilities, HHS HC3 advises. Those include:
- Deploying automated vulnerability scanning and security testing to help identify, analyze and mitigate vulnerabilities and misconfigurations before an attack occurs;
- Implementing web application firewalls to protect against application security threats by filtering, monitoring and blocking malicious traffic from traveling to the web;
- Conducting secure development testing to assess the threats and attacks that might have an impact on an application or an associated product.
Additionally, not all web applications are created equal. "Poor software development life cycle practices are all too common, which leads to insecure applications and exposure of data," says CynergisTek's Denkers.
On the other hand, leveraging proper SDLC practices, with security built into the development phase, will go a long way in helping ensure applications are securely designed.
"It's always easier to add security in the beginning versus bolting it on later. Organizations also need to understand that application security is a not a one-time thing," he says.
Continuously validating controls and being able to adjust to attackers' evolving tools, techniques and procedures will require a continuous effort to maximize their chances in avoiding a potential compromise, he says.