Web applications provide a way in for cyberattacks on healthcare IT networks
HHS calls for increased security in latest dossier on threats to applications such as patient portals, telehealth.
According to federal experts, web applications such as patient portals, telehealth services and online pharmacies can become openings for computer network attacks on doctors and health systems.
The US Department of Health and Human Services (HHS) published the warnings and potential security upgrades in its latest threat brief, “Web Application Attacks in Healthcare.” HHS offers guidance through its Office of Information Security and the Healthcare Sector Cybersecurity Coordination Center (HC3).
“While there are a variety of web application attacks, there are also processes, technologies, and methods to protect against them,” the threat briefing states.
Web applications used
Web applications are application programs “stored on a remote server and served over the Internet via a browser interface”, according to the official definition. These exist as online forms, shopping carts, word processors, spreadsheets, video and photo editing programs, file converters, file scanners and email programs, including Gmail, according to the threat briefing.
In medicine, examples include patient portals, electronic health record (EHR) systems, web-based email, medical resources for physicians and clinical decision support, computer-aided design systems for dentists, health insurance portals and inventory management systems.
Basic web application attacks can target an organization’s web servers through Internet-connected computers or programs, using software, data, and commands. According to HC3, there are many types of attacks that can give hackers access to view and modify records, or possibly act as a database administrator.
One example is a Distributed Denial of Service (DDoS) attack, which is considered “extremely effective because it floods the victim’s network with traffic, rendering network resources, such as web applications, unusable”, the threat report states. DDoS attacks can also serve as a distraction, allowing hackers to deploy more sinister malware.
Examples from health care
In 2021, web applications were the top vector for cyberattacks against the healthcare industry, in 849 incidents, including 571 with confirmed data leaks, according to HC3, which cited Verizon’s 2022 Data Breach Investigations report.
Examples include an incident in January, when a ransomware attack on a human resources and payroll vendor disrupted paychecks for a healthcare system’s staff. In May 2021, a ransomware attack destroyed the patient portal of a California hospital system.
Historically, perhaps the best-known example of a web application attack dates back to 2014, when DDoS attacks harmed the online presence of the Wayside Youth and Family Support Network and Boston Children’s Hospital, which claimed costs of more than $300,000 and lost donations worth $300,000 more. In 2018, a federal jury convicted a ‘hacktivist’ who claimed affiliation with the online group Anonymous of targeting the facilities over a custody dispute between the state and the parents of a girl admitted as a ward of the state. HC3 cited this example, and the US Department of Justice issued a press release about the conviction.
IT system administrators have a variety of processes and technologies available to protect against web application attacks, according to HC3:
- Automated vulnerability scanning and security testing helps organizations detect security weaknesses and harden against them.
- Web application firewalls are hardware and software solutions that filter, monitor and block malicious traffic before it reaches the web application.
- Secure development testing is a practice for examining threats and attacks and making web applications as secure as possible.
HC3 offered basic recommendations for securing patient portals:
- Implement a CAPTCHA, the online tests used to distinguish human users from computers.
- Set a connection limit.
- Use connection monitoring.
- Filter compromised credentials.
- Implement multi-factor authentication (MFA), which requires a combination of two or more credentials to verify a user’s login. The Cybersecurity and Infrastructure Security Agency has a dedicated MFA fact sheet, and HC3 has offered a list of best practices and a number of free or low-cost resources for cybersecurity.
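As an added illustration (not code from HC3 or from this article), the sketch below reads the limit and monitoring items in the list above as applying to login attempts, which is an assumption. It replays constructed portal events through a per-account failure limit and a per-source monitor; `LoginGuard`, `replay`, the thresholds and the events are all hypothetical.

```python
from collections import defaultdict, deque

WINDOW = 300        # assumed sliding window, in seconds
MAX_FAILURES = 3    # assumed failed logins allowed per account per window
MAX_TARGETS = 3     # assumed distinct accounts one source may fail against

class LoginGuard:
    def __init__(self):
        self.by_account = defaultdict(deque)   # account -> (time, source) failures
        self.by_source = defaultdict(deque)    # source -> (time, account) failures

    @staticmethod
    def _trim(queue, now):
        # Drop failures that have aged out of the sliding window.
        while queue and now - queue[0][0] > WINDOW:
            queue.popleft()

    def allowed(self, account, now):
        """Limit: refuse attempts while the account has too many recent failures."""
        self._trim(self.by_account[account], now)
        return len(self.by_account[account]) < MAX_FAILURES

    def record_failure(self, account, source, now):
        """Monitoring: store the failure and return the alerts it raises."""
        self.by_account[account].append((now, source))
        self.by_source[source].append((now, account))
        self._trim(self.by_account[account], now)
        self._trim(self.by_source[source], now)
        alerts = []
        if len(self.by_account[account]) >= MAX_FAILURES:
            alerts.append(f"lockout:{account}")
        if len({a for _, a in self.by_source[source]}) >= MAX_TARGETS:
            alerts.append(f"stuffing:{source}")
        return alerts

def replay(events):
    """Run (time, source, account, success) events through the guard."""
    guard, log = LoginGuard(), []
    for now, source, account, ok in events:
        if not guard.allowed(account, now):
            log.append((now, f"blocked:{account}"))
        elif not ok:
            log.extend((now, a) for a in guard.record_failure(account, source, now))
    return log

# Constructed sample events; the addresses are documentation ranges.
EVENTS = [(0, "198.51.100.7", "alice", False), (10, "198.51.100.7", "bob", False),
          (20, "198.51.100.7", "carol", False), (30, "203.0.113.5", "dave", False),
          (40, "203.0.113.5", "dave", False), (50, "203.0.113.5", "dave", False),
          (60, "203.0.113.5", "dave", True), (400, "203.0.113.5", "dave", True)]
```

The attempt at second 60 is refused even though the password is correct, which is the cost of a per-account limit and one reason to alert on lockouts rather than only enforce them.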