The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has released guidance to help healthcare organizations protect themselves against web application attacks.
In recent years, web applications have seen growing adoption in healthcare and are used for patient portals, electronic medical record systems, appointment booking, viewing test results, patient tracking, dental CAD systems, online pharmacies, inventory management, and more. These applications are accessed through a standard web browser, but unlike most websites, the user must authenticate before using the application.
Financially motivated cyber threat actors and state-sponsored Advanced Persistent Threat (APT) actors launch web application attacks for a range of malicious purposes, and attacks exploiting vulnerabilities in web applications have been increasing. According to the 2022 Verizon Data Breach Investigations Report, web application attacks are currently the top attack vector in healthcare.
Web application attacks most often target internet-facing web servers and typically use stolen credentials to gain access to the application, or exploit vulnerabilities in the application or its underlying infrastructure. Common web application attacks include SQL injection (SQLi), cross-site scripting (XSS), path traversal, cross-site request forgery (CSRF), local file inclusion, and XML external entity (XXE) injection. Attackers, including ransomware groups, can gain access to sensitive data, use the application as a foothold into systems and networks for reconnaissance, or extort the victim. The May 2021 ransomware attack on Scripps Health used a web application attack as the initial attack vector, leaving the EHR system and patient portal inaccessible for several weeks.
Distributed Denial of Service (DDoS) attacks on web applications may be carried out to deny access to the application. According to Comcast Business, in 2021 the healthcare industry was the sector most affected by web application DDoS attacks, with attacks escalating around the COVID-19 pandemic, vaccine availability, and school reopenings. DDoS attacks are frequently used as a smokescreen: while IT teams are busy mitigating the DDoS attack, their attention is diverted and malware is deployed on the network. DDoS attacks are also carried out by hacktivists. Boston Children’s Hospital suffered a major DDoS attack in April 2014 by a hacker acting in relation to a child custody case; the attack left the appointment booking system, fundraising website, and patient portal inaccessible.
Like all software, web applications may contain vulnerabilities that threat actors can exploit remotely to gain access to the applications themselves or to the underlying systems and databases. When designing web applications, it is essential to follow web application security guidelines, to build applications that continue to function as intended when under attack, and to deny access to resources by potentially malicious actors. Secure development practices help prevent the introduction of vulnerabilities, and security measures must be applied throughout the entire software development lifecycle to ensure that design-level flaws and implementation-level vulnerabilities are addressed.
HC3 has recommended several mitigations to defend against web application attacks and limit the damage they can cause. These include:
- Automated vulnerability scanning and security testing
- Web application firewalls to block malicious web traffic
- Secure development testing
- CAPTCHA and sign-in limitations
- Multifactor authentication
- Login monitoring
- Checking for compromised credentials
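As an added illustration of the login monitoring, sign-in limitation and MFA items above (example code written for this article, not HC3's material; the login events, account names, IP addresses and thresholds are constructed):

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample login events (not real logs): ISO timestamp, account, source IP, outcome.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "nurse.lee", "198.51.100.7", "fail"),
    ("2024-03-01T09:00:05", "nurse.lee", "198.51.100.7", "fail"),
    ("2024-03-01T09:00:09", "nurse.lee", "198.51.100.7", "fail"),
    ("2024-03-01T09:00:14", "nurse.lee", "198.51.100.7", "fail"),
    ("2024-03-01T09:00:20", "nurse.lee", "198.51.100.7", "fail"),
    ("2024-03-01T09:00:31", "nurse.lee", "198.51.100.7", "success"),
    ("2024-03-01T09:01:00", "dr.patel", "203.0.113.9", "fail"),
    ("2024-03-01T09:01:02", "dr.kim", "203.0.113.9", "fail"),
    ("2024-03-01T09:01:04", "admin", "203.0.113.9", "fail"),
    ("2024-03-01T09:01:06", "billing1", "203.0.113.9", "fail"),
    ("2024-03-01T09:01:08", "frontdesk", "203.0.113.9", "fail"),
    ("2024-03-01T10:30:00", "dr.patel", "192.0.2.44", "fail"),
    ("2024-03-01T10:45:00", "dr.patel", "192.0.2.44", "success"),
]

def analyze_logins(events, window=timedelta(minutes=10), max_fails=5, max_accounts=5):
    """Sliding-window login monitoring; returns {(alert_kind, subject): detail}.
    brute_force: one account fails >= max_fails times in the window; password_spray: one IP
    fails against >= max_accounts distinct accounts; success_after_burst: login right after a burst."""
    alerts = {}
    fails_by_user = defaultdict(list)  # account -> recent failure timestamps
    fails_by_ip = defaultdict(list)    # ip -> recent (timestamp, account) failures
    for ts_text, user, ip, outcome in events:  # events are assumed to be in time order
        ts = datetime.fromisoformat(ts_text)
        fails_by_user[user] = [t for t in fails_by_user[user] if ts - t <= window]  # age out
        fails_by_ip[ip] = [(t, u) for t, u in fails_by_ip[ip] if ts - t <= window]
        if outcome == "fail":
            fails_by_user[user].append(ts)
            fails_by_ip[ip].append((ts, user))
            if len(fails_by_user[user]) >= max_fails:
                alerts[("brute_force", user)] = ip
            targeted = {u for _, u in fails_by_ip[ip]}
            if len(targeted) >= max_accounts:
                alerts[("password_spray", ip)] = len(targeted)
        elif len(fails_by_user[user]) >= max_fails:
            alerts[("success_after_burst", user)] = ip  # possible compromised credentials
    return alerts

def login_policy(alerts, user, ip):
    """Map alerts to the sign-in limitations listed above: lock and step up to MFA, CAPTCHA, or allow."""
    if ("brute_force", user) in alerts or ("success_after_burst", user) in alerts:
        return "lock_and_require_mfa"
    if ("password_spray", ip) in alerts:
        return "captcha"
    return "allow"
```

The single failure followed by a later success for dr.patel falls outside the window and raises no alert, which is the behaviour a tuned monitor needs to avoid locking out clinicians who mistype a password.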
Healthcare organizations should also consult the Health Industry Cybersecurity Practices (HICP), developed under the HHS 405(d) program, on mitigating vulnerabilities in web applications, and web application developers should consult the OWASP Top 10, a standard awareness document outlining the most critical security risks to web applications.