HHS calls for more security in its latest threat brief on apps like patient portals and telehealth.
Web applications such as patient portals, telehealth services and online pharmacies can be openings for computer network attacks against doctors and health systems, according to federal experts.
The US Department of Health and Human Services (HHS) has issued warnings, and suggested security upgrades, in its latest threat brief, “Web Application Attacks in Healthcare.” HHS offers guidance through its Office of Information Security and the Health Sector Cybersecurity Coordination Center (HC3).
“Although there are various web application attacks, there are also processes, technologies and methods to protect against them,” the threat brief said.
Using web apps
Web apps are application programs that are “stored on a remote server and delivered over the Internet through a browser interface,” according to the official definition. Examples include online forms, shopping carts, word processors, spreadsheets, video and photo editing programs, file converters, file scanners and email programs including Gmail, the threat brief said.
In medicine, examples include patient portals, electronic health record (EHR) systems, web-based email, medical resources for physicians and clinical decision support, computer-aided design systems for dentists, health insurance portals and inventory management systems.
Basic web application attacks can target an organization’s web servers through Internet-facing computers or programs, using software, data and commands. There are many types of attacks that can lead to hackers gaining access to view and modify records, or possibly act as a database administrator, according to HC3.
An example is a distributed denial of service (DDoS) attack, which is considered “more effective because they flood the victim’s network with traffic, making network resources, such as web applications, unavailable,” the threat brief said. DDoS attacks can also serve as a distraction, allowing hackers to deploy additional malware while defenders are occupied.
Examples from health care
In 2021, web apps were the main vector of cyberattacks against the healthcare sector, in 849 incidents, including 571 with confirmed data disclosure, according to HC3, citing Verizon’s 2022 Data Breach Investigations Report.
Examples include an incident from January, when a ransomware attack on a human resources and payroll vendor disrupted payroll for a system’s health care workforce. In May 2021, a ransomware attack took out the patient portal of a California hospital system.
Historically, the best-known example of a web app attack may be from 2014, when DDoS attacks crippled the online presence of the Wayside Youth and Family Support Network and the Boston Children’s Hospital, causing damage claims of more than $300,000 and lost donations worth a further $300,000. In 2018, a federal jury convicted a “hacktivist,” who claimed to be affiliated with the online group Anonymous, for targeting the facilities because of a custody dispute between the state and the parents of a girl admitted as a ward of the state. HC3 cited that example, and the US Department of Justice published a news release on the conviction.
Computer system administrators have various processes and technologies to protect against web app attacks, according to HC3:
- Automated vulnerability scanning and security testing can help organizations find and remediate security vulnerabilities before attackers do.
- Web app firewalls are hardware and software solutions for filtering, monitoring and blocking malicious traffic from traveling to a web app.
- Secure development testing is the practice of considering threats and attacks and making web apps as secure as possible.
HC3 offers basic recommendations to secure patient portals:
- Implement a CAPTCHA, the online tests used to distinguish human users from automated programs.
- Set a login limit.
- Use login monitoring.
- Screen for compromised credentials.
- Implement multifactor authentication (MFA), which requires a combination of two or more credentials to authenticate a user’s login. The federal Cybersecurity & Infrastructure Security Agency has a fact sheet dedicated to MFA, and HC3 offers a list of best practices and several free or low-cost resources for cybersecurity.
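As an added illustration of three of the HC3 recommendations above (a login limit, login monitoring and screening for compromised credentials), here is a small Python module written for this article; it is not code from HHS, HC3 or any patient-portal product. The thresholds (five failures, a 15-minute lockout, a five-minute window), the log-line format and the short breach list are all constructed assumptions; a real deployment would use a maintained breach corpus such as a range-query service and its own logging format.

```python
"""Login hardening for a patient-portal style web app (added example; not the
HC3 brief's own code). Implements: per-account login attempt limit with
lockout, detection of one IP failing across many accounts from login logs,
and screening of new passwords against a compromised-password list."""
import hashlib
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumed policy: failures per account before lockout
LOCKOUT_SECONDS = 900   # assumed policy: 15-minute lockout
WINDOW_SECONDS = 300    # assumed policy: failures are counted within 5 minutes

# Constructed stand-in for a breach corpus, stored as SHA-1 hex digests
# (the form public "pwned password" lists use); plaintext is never stored.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password123", "Welcome1", "Summer2022!")
}


def is_compromised(password: str) -> bool:
    """Screen a candidate password against the breach list.

    Mirrors the k-anonymity range-lookup pattern: only the first 5 hex
    characters of the hash select candidates, and the full suffix is compared
    locally, so a remote service would never receive the whole hash."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    candidate_suffixes = {h[5:] for h in COMPROMISED_SHA1 if h.startswith(prefix)}
    return suffix in candidate_suffixes


class LoginGuard:
    """Per-account failed-attempt limiter with a time-based lockout."""

    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable for deterministic tests
        self.failures = defaultdict(deque)  # account -> timestamps of failures
        self.locked_until = {}              # account -> unlock time

    def is_locked(self, account: str) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:           # lockout expired: reset state
            del self.locked_until[account]
            self.failures[account].clear()
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Record a failed login; return True if this failure locked the account."""
        now = self.clock()
        q = self.failures[account]
        q.append(now)
        while q and now - q[0] > WINDOW_SECONDS:   # drop failures outside window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, account: str) -> None:
        self.failures[account].clear()


# Constructed login log lines (assumed format) for the monitoring check.
SAMPLE_LOG = """\
2023-03-01T10:00:01Z login result=FAIL user=jdoe ip=203.0.113.5
2023-03-01T10:00:02Z login result=FAIL user=asmith ip=203.0.113.5
2023-03-01T10:00:03Z login result=FAIL user=bchen ip=203.0.113.5
2023-03-01T10:00:04Z login result=FAIL user=mlopez ip=203.0.113.5
2023-03-01T10:00:09Z login result=OK user=jdoe ip=198.51.100.7
2023-03-01T10:01:00Z login result=FAIL user=jdoe ip=198.51.100.7
"""


def parse_login_line(line: str) -> dict:
    """Parse 'TIMESTAMP login key=value ...' into a dict with a 'ts' key."""
    ts, _, rest = line.partition(" login ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": ts, **fields}


def spray_sources(log_text: str, min_accounts: int = 3) -> list:
    """Return IPs whose failed logins hit at least min_accounts distinct
    accounts: a password-spraying / credential-stuffing indicator to alert on."""
    accounts_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_login_line(line)
        if rec["result"] == "FAIL":
            accounts_by_ip[rec["ip"]].add(rec["user"])
    return sorted(ip for ip, accts in accounts_by_ip.items() if len(accts) >= min_accounts)


if __name__ == "__main__":
    print("compromised:", is_compromised("password123"))
    print("suspicious sources:", spray_sources(SAMPLE_LOG))
```

The guard counts failures per account inside a sliding window rather than for all time, so a patient who mistypes once a week is never locked out, while the log check looks across accounts per source address because a spraying campaign stays under any per-account limit by design.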