
HC3 Warns of Risk of Web Application Attacks on Healthcare Organizations

The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued guidance to help healthcare organizations protect against web application attacks.

Web applications have grown in popularity in healthcare in recent years and are used for patient portals, electronic medical record systems, scheduling appointments, accessing test results, patient monitoring, online pharmacies, dental CAD systems, inventory management, and more. These applications are accessed through a standard web browser; however, unlike most websites, they require the user to authenticate before gaining access.

Web application attacks are conducted by financially motivated cybercriminals and state-sponsored Advanced Persistent Threat (APT) actors for a range of different nefarious activities. Attacks exploiting vulnerabilities in web applications have been increasing and web application attacks are now the number one healthcare attack vector, according to the 2022 Verizon Data Breach Investigations Report.

Web application attacks most commonly target internet-facing web servers and typically either leverage stolen credentials to gain access to the application or exploit vulnerabilities in the application or its underlying architecture. Web application attacks include cross-site scripting (XSS), SQL injection (SQLi), path traversal, local file inclusion, cross-site request forgery (CSRF), and XML external entity (XXE) injection. These attacks are conducted to gain access to sensitive data, to access applications and networks for espionage, or for extortion, such as ransomware attacks. The May 2021 ransomware attack on Scripps Health used a web application attack as the initial attack vector; that attack took the EHR system and patient portal out of action for several weeks.


Distributed Denial of Service (DDoS) attacks on web applications may be conducted to deny access to the application. Comcast Business reports that in 2021, the healthcare sector was the industry most affected by DDoS attacks on web applications, with attacks increasing in response to the COVID-19 pandemic, vaccine availability, and school openings. DDoS attacks are commonly conducted as a smokescreen: while IT teams fight to resolve the DDoS attack, their attention is elsewhere and malware is deployed on the network. DDoS attacks are also conducted by hacktivists. A major DDoS attack was conducted on Boston Children’s Hospital in April 2014 over the course of a week by a hacker in response to a child custody issue. In that attack, individuals were prevented from accessing the appointment scheduling system, fundraising site, and patient portal.

Like all software-based solutions, web applications may contain vulnerabilities that could potentially be exploited remotely by threat actors to gain access to the applications themselves or the underlying infrastructure and databases. When developing web applications, it is important to follow web application security best practices and design the applications to continue to function as expected when they come under attack and to prevent access to assets by potentially malicious agents. Secure development practices can help to prevent vulnerabilities from being introduced, and security measures should be implemented throughout the software development lifecycle to ensure that design-level flaws and implementation-level vulnerabilities are addressed.

HC3 has suggested several mitigations to protect against web application attacks and limit the harm that can be caused. These include:

  • Automated vulnerability scanning and security testing
  • Web application firewalls for blocking malicious traffic
  • Secure development testing
  • CAPTCHA and login limits
  • Multifactor authentication
  • Logon monitoring
  • Screening for compromised credentials
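As an added illustration (not part of HC3’s guidance or this article), the following Python script shows how the "login limits" and "logon monitoring" items above could be applied to a patient portal’s authentication log: it locks an account after repeated failures within a time window and flags a single source address cycling through many different accounts, the pattern left behind when stolen credential lists are tried against a portal. The log lines, field names, and thresholds are constructed for the example and are assumptions, not values from the guidance.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of patient-portal authentication log lines (not real data).
SAMPLE_LOG = """\
2023-02-01T10:00:01 ip=203.0.113.5 user=alice result=FAIL
2023-02-01T10:00:02 ip=203.0.113.5 user=bob result=FAIL
2023-02-01T10:00:03 ip=203.0.113.5 user=carol result=FAIL
2023-02-01T10:00:04 ip=203.0.113.5 user=dave result=FAIL
2023-02-01T10:05:00 ip=198.51.100.7 user=frank result=FAIL
2023-02-01T10:05:30 ip=198.51.100.7 user=frank result=FAIL
2023-02-01T10:06:00 ip=198.51.100.7 user=frank result=FAIL
2023-02-01T10:06:30 ip=198.51.100.7 user=frank result=FAIL
2023-02-01T10:07:00 ip=198.51.100.7 user=frank result=FAIL
2023-02-01T11:00:00 ip=192.0.2.9 user=grace result=SUCCESS
"""

LINE_RE = re.compile(r"(\S+) ip=(\S+) user=(\S+) result=(\S+)")

def parse(log_text):
    """Turn raw log lines into (timestamp, ip, user, result) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def analyse(events, window=timedelta(minutes=10), max_fails=5, min_accounts=4):
    """Return alerts as sorted (kind, subject) tuples; thresholds are assumed values."""
    alerts = set()
    fails_by_user = defaultdict(list)  # user -> timestamps of recent failures
    fails_by_ip = defaultdict(list)    # ip -> (timestamp, user) of recent failures
    for ts, ip, user, result in sorted(events):
        if result != "FAIL":
            continue
        # Login limit: lock the account once max_fails failures fall inside the window.
        recent = [t for t in fails_by_user[user] if ts - t <= window] + [ts]
        fails_by_user[user] = recent
        if len(recent) >= max_fails:
            alerts.add(("lockout", user))
        # Logon monitoring: one source address cycling through many different accounts.
        recent_ip = [(t, u) for t, u in fails_by_ip[ip] if ts - t <= window] + [(ts, user)]
        fails_by_ip[ip] = recent_ip
        if len({u for _, u in recent_ip}) >= min_accounts:
            alerts.add(("credential_stuffing", ip))
    return sorted(alerts)
```

Running `analyse(parse(SAMPLE_LOG))` on the constructed log yields a lockout alert for the account hit by five failures in under three minutes and a credential-stuffing alert for the address that tried four different accounts in a few seconds, while the single successful login raises nothing.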

Healthcare organizations should also refer to the Health Industry Cybersecurity Practices (HICP), established under the HHS 405(d) program, for mitigating vulnerabilities in web applications, and web application developers should refer to the OWASP Top 10, which is a standard awareness document detailing the most critical security risks to web applications.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
