The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued guidance to help healthcare organizations protect against web application attacks.
Web applications have grown in popularity in healthcare in recent years and are used for patient portals, electronic medical record systems, appointment scheduling, accessing test results, patient monitoring, online pharmacies, dental CAD systems, inventory management, and more. These applications are accessed through a standard web browser; however, in contrast to most websites, the user is required to authenticate to the application.
Web application attacks are conducted by financially motivated cybercriminals and state-sponsored Advanced Persistent Threat (APT) actors for a range of nefarious purposes. Attacks exploiting vulnerabilities in web applications have been increasing, and web application attacks are now the number one healthcare attack vector, according to the 2022 Verizon Data Breach Investigations Report.
Web application attacks most commonly target internet-facing web servers, typically by leveraging stolen credentials to gain access to the application or by exploiting vulnerabilities in the application or its underlying architecture. Common classes of web application attack include cross-site scripting (XSS), SQL injection (SQLi), path traversal, local file inclusion, cross-site request forgery (CSRF), and XML external entity (XXE) injection. These attacks are conducted to gain access to sensitive data, to gain a foothold in applications and networks for espionage, or for extortion, such as ransomware attacks. The May 2021 ransomware attack on Scripps Health used a web application attack as the initial attack vector, and the EHR system and patient portal were taken out of action for several weeks.
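To make the SQL injection class named above concrete from the defender's side, the following added example (not part of the HC3 guidance or this article) shows a patient-record lookup written two ways: a vulnerable version that concatenates the caller's input into the SQL text, and a hardened version that binds the value as a parameter and validates its format first. The in-memory SQLite table, the `patients` schema, the MRN format and the sample rows are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample backend standing in for a patient-portal database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?)",
        [("MRN-1001", "A. Example"), ("MRN-1002", "B. Example"), ("MRN-1003", "C. Example")],
    )
    return conn

def lookup_vulnerable(conn, mrn):
    # Defect: the caller's input becomes part of the SQL text, so input
    # containing quotes or operators can change the structure of the query.
    sql = f"SELECT mrn, name FROM patients WHERE mrn = '{mrn}'"
    return conn.execute(sql).fetchall()

# Hypothetical MRN format used as an allow-list check (defense in depth).
MRN_RE = re.compile(r"^MRN-\d{4}$")

def is_valid_mrn(mrn):
    return bool(MRN_RE.match(mrn))

def lookup_hardened(conn, mrn):
    # Reject anything that does not look like an MRN before touching the database.
    if not is_valid_mrn(mrn):
        return []
    # Parameter binding sends the value separately from the statement text,
    # so it is only ever compared as data and can never alter the query.
    return conn.execute("SELECT mrn, name FROM patients WHERE mrn = ?", (mrn,)).fetchall()

def compare(mrn):
    """Return (rows from vulnerable lookup, rows from hardened lookup) for one input."""
    conn = make_db()
    try:
        return len(lookup_vulnerable(conn, mrn)), len(lookup_hardened(conn, mrn))
    finally:
        conn.close()

if __name__ == "__main__":
    # A well-formed record number behaves the same in both versions.
    print("normal input:", compare("MRN-1002"))
    # Malformed input: the vulnerable query returns every row, the hardened one none.
    print("malformed input:", compare("x' OR '1'='1"))
```

The hardened version combines two independent controls: the format check rejects malformed input early, and parameter binding guarantees that whatever reaches the database is treated purely as a value. Either alone closes this particular hole; together they also protect code paths where the format check is later relaxed.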
Distributed denial of service (DDoS) attacks on web applications may be conducted to deny access to the application. Comcast Business reports that in 2021, the healthcare sector was the industry most affected by DDoS attacks on web applications, with attacks increasing in response to the COVID-19 pandemic, vaccine availability, and school openings. DDoS attacks are also commonly conducted as a smokescreen: while IT teams fight to resolve the DDoS attack, their attention is diverted and malware is deployed on the network. DDoS attacks are also conducted by hacktivists. A major DDoS attack was conducted on Boston Children’s Hospital in April 2014 over the course of a week by a hacker in response to a child custody issue. In that attack, individuals were prevented from accessing the appointment scheduling system, fundraising site, and patient portal.
Like all software, web applications may contain vulnerabilities that could be exploited remotely by threat actors to gain access to the applications themselves or to the underlying infrastructure and databases. When developing web applications, it is important to follow web application security best practices, to design the applications to continue to function as expected when they come under attack, and to prevent potentially malicious agents from accessing assets. Secure development practices can help to prevent vulnerabilities from being introduced, and security measures should be implemented throughout the software development lifecycle to ensure that both design-level flaws and implementation-level vulnerabilities are addressed.
HC3 has suggested several mitigations to protect against web application attacks and limit the harm that can be caused. These include:
- Automated vulnerability scanning and security testing
- Web application firewalls for blocking malicious traffic
- Secure development testing
- CAPTCHA and login limits
- Multifactor authentication
- Logon monitoring
- Screening for compromised credentials
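The logon monitoring and login limit items in the list above are easiest to understand as concrete detection logic, so the following is an added example (not HC3's code or the article's) that runs over a few constructed authentication log lines. It flags three patterns a patient-portal operator would want to see: an account receiving a burst of failures (candidate for temporary lockout), a source address generating a burst of failures (candidate for blocking), and a source address trying many different accounts with few attempts each, which is the shape of credential stuffing with stolen credentials. The log format, the field names, the thresholds and the addresses (from the documentation ranges) are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format: one authentication result per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one account hammered from one source, one source
# trying several accounts once each, one ordinary user, and one junk line.
SAMPLE_LOG = """
2024-03-01T08:00:01Z auth result=FAIL user=jdoe src=203.0.113.5
2024-03-01T08:00:09Z auth result=FAIL user=jdoe src=203.0.113.5
2024-03-01T08:00:17Z auth result=FAIL user=jdoe src=203.0.113.5
2024-03-01T08:00:25Z auth result=FAIL user=jdoe src=203.0.113.5
2024-03-01T08:00:33Z auth result=FAIL user=jdoe src=203.0.113.5
2024-03-01T08:00:41Z auth result=FAIL user=jdoe src=203.0.113.5
2024-03-01T08:01:02Z auth result=FAIL user=asmith src=198.51.100.7
2024-03-01T08:01:04Z auth result=FAIL user=bjones src=198.51.100.7
2024-03-01T08:01:06Z auth result=FAIL user=clee src=198.51.100.7
2024-03-01T08:01:08Z auth result=FAIL user=dkim src=198.51.100.7
2024-03-01T08:02:00Z auth result=OK user=rnurse src=192.0.2.9
2024-03-01T08:30:00Z auth result=FAIL user=rnurse src=192.0.2.9
this line is not an authentication record and is skipped
""".strip().splitlines()

def parse(lines):
    """Parse log lines into (timestamp, result, user, src); unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events

def max_in_window(times, window):
    """Largest number of events that fall inside any sliding window of the given length."""
    times = sorted(times)
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def detect(lines, window=timedelta(minutes=5), user_threshold=5, src_threshold=5, spray_threshold=3):
    """Return accounts to lock, sources to block, and sources showing a spray pattern."""
    failures = [e for e in parse(lines) if e[1] == "FAIL"]
    by_user, by_src, users_per_src = defaultdict(list), defaultdict(list), defaultdict(set)
    for ts, _, user, src in failures:
        by_user[user].append(ts)
        by_src[src].append(ts)
        users_per_src[src].add(user)
    return {
        # Burst of failures against one account: temporary lockout protects the account.
        "lock_accounts": sorted(u for u, t in by_user.items() if max_in_window(t, window) >= user_threshold),
        # Burst of failures from one source: rate-limit or block the source.
        "block_sources": sorted(s for s, t in by_src.items() if max_in_window(t, window) >= src_threshold),
        # Many distinct accounts from one source, few attempts each: credential stuffing shape.
        "spray_sources": sorted(s for s, users in users_per_src.items() if len(users) >= spray_threshold),
    }

def should_allow_login(findings, user, src):
    """Login limit: refuse attempts for locked accounts or from blocked/spraying sources."""
    return (
        user not in findings["lock_accounts"]
        and src not in findings["block_sources"]
        and src not in findings["spray_sources"]
    )

if __name__ == "__main__":
    result = detect(SAMPLE_LOG)
    for key, values in result.items():
        print(f"{key}: {values}")
```

Per-account and per-source counters catch different things: a single source hammering one account trips both, while a distributed credential-stuffing campaign keeps each source under the rate threshold and is only visible through the distinct-account count. In production the same logic would run continuously over the identity provider's logs, and the lockout would be temporary so that an attacker cannot use it to lock legitimate users out.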
Healthcare organizations should also refer to the Health Industry Cybersecurity Practices (HICP), established under the HHS 405(d) program, for mitigating vulnerabilities in web applications, and web application developers should refer to the OWASP Top 10, which is a standard awareness document detailing the most critical security risks to web applications.