HHS Issues Warning Of Web Application Attacks

The Department of Health and Human Services’ Health Sector Cybersecurity Coordinator (HC3) issued an alert on July 21 about an increase in the number of web application attacks on the healthcare sector. In the alert, the HC3 outlines guidelines to help healthcare organizations protect their health data against web application attacks.

Web applications have become a significant part of the healthcare sector in recent years. They are used for patient portals, maintaining electronic medical record systems, CAD for dentists, remote consultation, predictive analysis, and inventory management. Web applications are accessed through a web browser such as Safari or Google Chrome. However, in contrast to other websites, web applications require user authentication for access.

Web application attacks are characterized as any attempt by an unauthorized malicious actor to endanger the security of a web-based application. Basic web application attacks typically involve directly targeting an organization’s exposed infrastructure, like web servers. Other attacks take advantage of a weakness in an internet-facing computer, using software or data to cause unintended actions. Financially motivated cybercriminals or various state-sponsored APT groups conduct these attacks for espionage or extortion. Examples of threat groups include APT28, BlackTech, BackdoorDiplomacy, and Night Dragon.

Distributed Denial of Service (DDoS) attacks on web applications can be used to deny access to the application. DDoS attacks are most prevalent in the healthcare industry. The number of basic web application attacks has progressively increased over the last few years. According to the HC3 alert, Verizon examined 849 total incidents. Among these incidents, 571 involved a confirmed unauthorized disclosure of data in the healthcare sector in 2021. In May 2021, a California hospital system was subject to a ransomware attack. As a result, the patient portal was removed from the internet and electronic health record downtime procedures were put in place.

The HC3 has recommended a multitude of mitigations health organizations can implement to protect against web application attacks and reduce potential harm. These include logon monitoring, screening for compromised credentials, secure development testing, automated vulnerability scanning and security testing, web application firewalls for blocking malicious traffic, multi-factor authentication, and login limits. When developing a new web application, health organizations have also been advised to follow web application security best practices and to design applications to continue operations in the event of an attack.