Cybersecurity News

Web Application Attacks Threaten Healthcare Cybersecurity, HC3 Says

Web application attacks are becoming an increasingly popular cyberattack method and continue to threaten healthcare cybersecurity.

Web Application Attacks Threaten Healthcare Cybersecurity, HC3 Says

Source: Getty Images

By Jill McKeon

- The HHS Health Sector Cybersecurity Coordination Center (HC3) and the HHS 405(d) Program outlined the definition and characteristics of web application attacks and explored how they threaten healthcare cybersecurity in its latest brief.

The Verizon Business 2022 Data Breach Investigations Report (DBIR) showed a significant uptick in web application attacks in the past year, particularly in healthcare. Basic web application attacks overtook miscellaneous errors in causes of breaches in the healthcare sector. In fact, basic web application attacks, miscellaneous errors, and system intrusions represented 76 percent of all healthcare breaches.

HC3 defined a web application as “an application program that is stored on a remote server and delivered over the Internet through a browser interface.”

Examples include online forms, spreadsheets, email programs, patient portals, EHR systems, patient monitoring applications with IoT devices, and online pharmacies.

Basic web application attacks (BWAA) “primarily involve attacks that directly target an organization’s most exposed infrastructure, such as web servers,” the brief explained.

“Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior.”

Often, these attacks rely on stolen credentials or a known vulnerability. Types of attacks include SQL injection, path traversal, DDoS attacks, and cross-site scripting (XSS). DDoS attacks became increasingly popular at the onset of the COVID-19 pandemic when threat actors shifted their targets from individuals to healthcare and government entities.

“DDoS attacks are extremely effective because they flood the victim’s network with traffic, rendering network resources, such as web applications, unusable,” the brief continued.

“DDoS attacks also may serve as a foothold for threat actors to deploy more sinister malware while distracting victims.”

HC3 noted that various state-sponsored threat groups and financially motivated cybercriminals are known to exploit public-facing applications.

To mitigate risk, HC3 suggested that organizations focus on enhancing web application security and take the following tips into consideration:

  • Automated vulnerability scanning and security testing helps organizations find, analyze and mitigate vulnerabilities and misconfigurations — hopefully before the actual attack occurs. This testing helps organizations identify security weaknesses that need to be resolved.
  • Web application firewalls are hardware and software solutions that protect against application security threats by filtering, monitoring and blocking malicious traffic from traveling to the web application. These tools are continuously updated with new rules designed to catch the latest attack and exploitation techniques.
  • Secure development testing is a practice in which security teams consider the threats and attacks that might have an impact on an application or product to help make it as secure as possible. Secure development testing can uncover the latest security risks and attack vectors early in the product’s lifecycle. It also helps in developing effective approaches to preventing website attacks and minimizing the consequences of breaches.

Beyond deploying web application firewalls to shield web applications from the internet, healthcare organizations may want to consider additional patient portal security measures as well. Implementing a CAPTCHA, establishing a login limit, and implementing multifactor authentication (MFA) can help mitigate risk.

“Web application attacks targeting healthcare entities can impact the confidentiality, integrity, and availability of healthcare applications, systems, data, and resources,” the brief warned.

“Even though there are a variety of web application attacks, there are also processes, technologies and methods to protect against them."