HC3 Notification on Increasing Web Application Attacks on Healthcare Providers

The Department of Health and Human Services Health Sector Cybersecurity Coordination Center (HC3) has published guidance to help healthcare providers defend against web application attacks.

Web applications are now widely used in healthcare: electronic medical record systems, patient portals, appointment booking systems, access to test results, patient monitoring, inventory management, dental CAD systems, online pharmacies, and more. These applications are accessed through a standard web browser, but unlike most websites, the user must authenticate before using them.

Financially motivated cybercriminals and state-sponsored Advanced Persistent Threat (APT) actors conduct web application attacks for a variety of malicious purposes, and a growing share of attacks exploit vulnerabilities in web applications. According to the 2022 Verizon Data Breach Investigations Report, web application attacks are currently the leading attack vector in healthcare.

Web application attacks typically target internet-facing web servers and usually either use stolen credentials to access the application or exploit vulnerabilities in the application or its underlying infrastructure. Common web application attacks include path traversal, SQL injection (SQLi), cross-site request forgery (CSRF), cross-site scripting (XSS), XML external entity (XXE) injection, and local file inclusion. Attackers, including ransomware operators, can use them to access sensitive data, gain a foothold in applications and systems for surveillance, or extort the victim. The Scripps Health ransomware attack in May 2021 used a web application attack as its initial access vector; as a result, the EHR system and patient website were unavailable for several weeks.
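Two of the flaw classes named above, SQL injection and path traversal, side by side with their hardened forms. This is an added illustration written for this page, not code from HC3 or from any of the incidents mentioned; the patient table, the record directory and the attacker inputs are all constructed.

```python
"""Vulnerable and hardened variants of a patient lookup and a record file read.

Added example for this page (not HC3 or vendor code). Everything here is
constructed: an in-memory SQLite table, a temporary record directory, and
the attacker-controlled strings passed into each function.
"""
import sqlite3
import tempfile
from pathlib import Path


def make_db():
    """Build a constructed in-memory patient table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, mrn TEXT, name TEXT, ssn TEXT)"
    )
    conn.executemany(
        "INSERT INTO patients (mrn, name, ssn) VALUES (?, ?, ?)",
        [("MRN001", "Ada Example", "000-00-0001"),
         ("MRN002", "Bob Sample", "000-00-0002")],
    )
    return conn


def lookup_vulnerable(conn, mrn):
    """SQLi: the caller-supplied MRN is spliced into the SQL text."""
    rows = conn.execute(f"SELECT name FROM patients WHERE mrn = '{mrn}'").fetchall()
    return [r[0] for r in rows]


def lookup_hardened(conn, mrn):
    """Parameter binding: the driver passes the MRN as data, never as SQL."""
    rows = conn.execute("SELECT name FROM patients WHERE mrn = ?", (mrn,)).fetchall()
    return [r[0] for r in rows]


def build_record_tree():
    """Constructed layout: <tmp>/records/MRN001.txt and a sibling file outside it."""
    root = Path(tempfile.mkdtemp())
    records = root / "records"
    records.mkdir()
    (records / "MRN001.txt").write_text("record for MRN001")
    (root / "db-backup.sql").write_text("dump of every patient")
    return records


def read_record_vulnerable(base, filename):
    """Path traversal: '..' segments in filename walk out of the base directory."""
    return Path(base, filename).read_text()


def read_record_hardened(base, filename):
    """Resolve the final path and refuse anything that is not inside base."""
    base = Path(base).resolve()
    target = (base / filename).resolve()
    if base not in target.parents:
        raise PermissionError(f"refusing to read outside record directory: {filename}")
    return target.read_text()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "' OR '1'='1"))   # every patient name
    print(lookup_hardened(db, "' OR '1'='1"))     # []
    recs = build_record_tree()
    print(read_record_vulnerable(recs, "../db-backup.sql"))  # file outside base
    try:
        read_record_hardened(recs, "../db-backup.sql")
    except PermissionError as exc:
        print(exc)
```

The hardened file read resolves symlinks before the containment check, so a link inside the record directory pointing elsewhere is also rejected; a check on the unresolved string alone would miss that case.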

Distributed Denial of Service (DDoS) attacks can also be launched against web applications to deny access to them. According to Comcast Business, the healthcare sector suffered the most web application DDoS attacks of any sector in 2021, with attacks rising during the COVID-19 pandemic, the vaccine rollout, and the reopening of schools. DDoS attacks are often used as a smokescreen: while IT teams are occupied restoring service, the attackers use the distraction to deploy malware on the network. DDoS attacks are also carried out by hacktivists. Boston Children's Hospital suffered a serious DDoS attack in April 2014 in connection with a child custody dispute; the attack took down the appointment booking system, the fundraising site, and the patient portal.

As with all software, web applications can contain vulnerabilities that threat actors can exploit remotely to gain access to the application, the underlying system, or its databases. When building web applications, it is vital to follow web application security principles, to build applications that continue to behave as intended while under attack, and to deny resource access to potentially malicious actors. Secure development practices help keep vulnerabilities out of the code in the first place, and security controls should be applied throughout the software development lifecycle so that both design-level flaws and implementation-level bugs are caught and fixed.

HC3 has recommended the following mitigations to prevent web application attacks and limit the damage they can cause:

  • Web application firewalls to block malicious web traffic
  • Secure development testing
  • Automated vulnerability scanning and security testing
  • CAPTCHA and login restrictions
  • Sign-in logging
  • Checks for compromised credentials
  • Multifactor authentication
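The last few mitigations only pay off if someone actually reads the sign-in log. The following is an added example (not HC3 material) of the detection logic a provider could run over an authentication log to back a login-restriction policy: it flags one source address hammering a single account (brute force) and one source address cycling through many accounts (password spraying, the pattern credential-stuffing tools produce). The log line format, the addresses, the usernames and the thresholds are all constructed for the example.

```python
"""Flag brute-force and password-spray patterns in a web app sign-in log.

Added example for this page, not HC3 or vendor code. The log format
(`<ts> src=<ip> user=<name> result=OK|FAIL`), the sample lines, and the
thresholds are constructed assumptions; adapt them to the real log source.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: a legitimate typo, a brute-force run, and a spray.
SAMPLE_LOG = """\
2022-07-11T14:00:01Z src=192.0.2.5 user=nurse1 result=FAIL
2022-07-11T14:00:09Z src=192.0.2.5 user=nurse1 result=OK
2022-07-11T14:01:00Z src=203.0.113.7 user=jdoe result=FAIL
2022-07-11T14:01:05Z src=203.0.113.7 user=jdoe result=FAIL
2022-07-11T14:01:10Z src=203.0.113.7 user=jdoe result=FAIL
2022-07-11T14:01:15Z src=203.0.113.7 user=jdoe result=FAIL
2022-07-11T14:01:20Z src=203.0.113.7 user=jdoe result=FAIL
2022-07-11T14:02:00Z src=198.51.100.9 user=admin result=FAIL
2022-07-11T14:02:04Z src=198.51.100.9 user=jdoe result=FAIL
2022-07-11T14:02:08Z src=198.51.100.9 user=drsmith result=FAIL
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["when"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_abuse(lines, window_s=60, fail_threshold=5, spray_threshold=3):
    """Sliding-window analysis of failed logins per source IP.

    brute_force:    >= fail_threshold failures from one IP inside the window
    password_spray: failures against >= spray_threshold distinct users from
                    one IP inside the window
    Each alert kind fires at most once per IP. Returns (kind, ip, ts) tuples.
    """
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # ip -> deque of (when, user) failures in window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAIL":
            continue
        q = recent[ev["ip"]]
        q.append((ev["when"], ev["user"]))
        while q and ev["when"] - q[0][0] > window:   # expire old failures
            q.popleft()
        distinct_users = {u for _, u in q}
        if len(q) >= fail_threshold and ("brute_force", ev["ip"]) not in alerted:
            alerted.add(("brute_force", ev["ip"]))
            alerts.append(("brute_force", ev["ip"], ev["ts"]))
        if len(distinct_users) >= spray_threshold and ("password_spray", ev["ip"]) not in alerted:
            alerted.add(("password_spray", ev["ip"]))
            alerts.append(("password_spray", ev["ip"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, ip, ts in detect_abuse(SAMPLE_LOG.splitlines()):
        print(f"{ts} {kind} from {ip}")
```

The spray rule deliberately counts distinct usernames rather than raw failures, because a spraying tool stays under per-account lockout thresholds by trying each account only once; a rule keyed only on failure counts per user would never see it. The alert tuple is what a lockout or CAPTCHA step-up policy would consume.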