The Threat of Distributed Denial-Of-Service Attacks in Healthcare

November 04, 2021 - Distributed denial-of-service (DDoS) attacks flood a victim’s network with traffic, rendering network resources unusable. Often, DDoS attacks serve as a distraction while bad actors deploy more sinister malware on their victim’s network.

For healthcare, a DDoS attack may bar access to critical services such as bed capacity and data sharing services, along with appointment scheduling services.

In late October, the FBI released a flash alert warning organizations of Hello Kitty/FiveHands ransomware. The ransomware group is known to launch DDoS attacks on its victim’s public-facing websites if the victim does not respond quickly or refuses to pay the ransom requested in the initial attack.

The pandemic created the perfect storm for ransomware and DDoS attacks, Bob Rudis, chief data scientist at Rapid7, told HealthITSecurity.

“It's the perfect convergence of ease of use of the ransomware toolkits and hospitals being more overwhelmed with cases because of the pandemic,” Rudis said.

“Hospitals have developed new strategies and are getting better at backing up and restoring data, which is great. But the criminals are just going to get more creative as time goes by.”

While it is impossible to guarantee safety from all cyber vulnerabilities, understanding what a DDoS attack is, quantifying the risks they pose to healthcare, and investing in technical safeguards could save organizations from more serious damage.

What is a DDoS attack?

A standard denial-of-service (DoS) attack occurs when threat actors overwhelm a network server with traffic to the point that legitimate users are unable to access information systems or devices, the Cybersecurity & Infrastructure Security Agency’s (CISA) website states.

The attacker will likely flood the server with illegitimate service requests containing fabricated return addresses, which will confuse the server when it tries to authenticate the requester.

While the servers are preoccupied, the victim’s network resources are unusable.

A DDoS attack occurs when multiple machines are working together to attack one target. Typically threat actors will use botnets—a group of hijacked devices connected to the internet—to take advantage of device vulnerabilities and gain control.

Once in control, the attacker can command the botnet to conduct a DDoS on its victim. DDoS attacks allow for significantly more requests to be sent than a traditional DoS attack, increasing the attack power.

“There are other ways of doing denial-of-service attacks, but they don't have to use the new ways because the existing way works really, really well for everybody,” Rudis explained. “And it's easy to do because they have thousands of bots they can pull from, which also is one reason why it is really hard to stop it.”

DDoS attacks have increased in popularity as more IoT devices come online. IoT devices often have shaky IT security postures and attackers can easily compromise them.

Often, DDoS attacks are used as smokescreens to distract victims while threat actors deploy more malicious infiltrations, such as ransomware.

DDoS attacks have the ability to halt business operations and deny access to vital IT resources. For healthcare, this type of attack can have a detrimental impact on patient care and safety.

What risks do DDoS attacks pose to healthcare?

The healthcare sector is especially vulnerable to paying a ransom because there are lives on the line. Attackers can get a massive return on their investment by targeting the healthcare and finance sectors, meaning they are prime targets for sophisticated attacks.

A recent survey found that 80 percent of chief information security officers (CISOs) would consider paying the ransom if attacked.

“The attackers are going to go after whatever they can see,” Rudis warned. “There is a huge strain on healthcare networks to either pay a ransom or have really good backup and recovery procedures. Most don't have the latter.”

Bad actors often initially access healthcare networks through phishing or by taking advantage of vulnerabilities and obtaining privileges from organizations that fail to implement multi-factor authentication, Rudis explained.

If an initial ransomware attempt does not yield a payment, attackers will then commit a DDoS attack on the provider’s website to further the turmoil and block access to crucial services.

“For a lot of providers, their website is the way patients view upcoming appointments and schedule COVID vaccines. A DDoS attack will basically make the website unavailable, meaning that no one can schedule services,” Rudis continued.

There is also a risk of threat actors targeting internal systems, although this is less common than a DDoS attack on external systems.

“An internal DDoS is almost easier than an outside one because if they control a bunch of individual systems internally, they can do the same denial-of-service against those,” Rudis noted.

There are also risks associated with data stored on cloud servers.

“They can just hit the cloud provider, or wherever they have that data hosted, and knock out that API endpoint where everything is uploading to,” Rudis maintained.

There is a common misconception that cloud storage is inherently more secure. While storing data in the public cloud is associated with a lower risk of experiencing a ransomware attack, security concerns remain. Organizations should remain vigilant and make sure to conduct third-party risk assessments.

How can healthcare organizations mitigate DDoS attack risks?

“Most organizations can't afford to DDoS protect everything,” Rudis remarked. “So, they will pick the things that are the most critical services that they have to keep going, put that behind DDoS protection and hope that actually covers them from what they actually need to do.”

However, IT budgets are tight, and an industry-wide shortage of cybersecurity workers puts an additional strain on healthcare organizations. Recent research from (ISC)² found that the cybersecurity workforce must grow by 65 percent in order to adequately protect critical assets.

“It's one more thing that healthcare organizations have to manage, on top of all the other things that they have to deal with right now,” Rudis emphasized.

“They are stressed to the limit with IT, they are stressed to limit with all the other stuff that they need to actually provide care. This is one more thing they've got a scrounge budget for. I just see it really being tough for folks to be able to keep moving with these things, especially since it's probably not going to stop for the next two to five years.”

As organizations improve their cybersecurity postures and continue to implement new safeguards, attackers will likely become more innovative. Rudis recommended implementing multi-factor authentication VPNs and other preventive measures.

“Find those external things that you rely on and that you have control over and spend the money and the time to get those things protected behind some kind of DDoS protection service,” Rudis advised.

“Then, talk to your cloud providers about it because we'll probably see a cloud provider get ransomed before we'll see an internal diagnostic machine get DDoS ransomed. Make sure that they've got good communication with third parties they’re using, and make sure that they've got good protection on their side, too.”

Rudis stressed the importance of financially prioritizing cybersecurity measures, despite the steep upfront costs. A DDoS attack may just be the beginning of a threat actor’s attempt at infiltration, and healthcare organizations should do everything in their power to protect their networks and patients from harm.