Healthcare web applications let patients make appointments and obtain copies of test results and medical records, but they can also put your practice at serious risk of a data breach.
In an advisory issued on July 21, 2022, the Department of Health and Human Services Health Sector Cybersecurity Coordination Center warned that hackers often leverage stolen credentials or exploit a known vulnerability in attacks involving healthcare web applications.
What are web applications?
Web applications, often called web apps, are programs that run on a remote server and are delivered to the user over the internet, usually through a browser. While a website simply presents information to the viewer, a web app is built for interaction: website forms, shopping carts, online word processors, and editors are all examples of web applications.
Examples of web applications in healthcare
The healthcare sector uses many different kinds of web applications to allow patients, providers, and insurance companies to easily and efficiently access information.
Patient-facing healthcare web applications at risk include patient and health insurance portals, telehealth services, online pharmacies, and electronic health record (EHR) systems, among others.
Clinics and hospitals also face risk from staff-facing applications: webmail services, medical reference and clinical decision support tools for doctors, computer-aided design (CAD) systems used in dentistry, and hospital inventory management systems.
What are healthcare web application attacks?
Attacks on healthcare web apps usually target the organization's most exposed infrastructure, typically its internet-facing web servers. An attacker sends crafted software, data, or commands to an internet-connected system or program in order to trigger unintended or unexpected behavior, such as disclosing records or running the attacker's code. These attacks routinely rely on stolen credentials and/or known, unpatched vulnerabilities, so healthcare web app administrators must enforce strong credential hygiene (unique passwords, and multi-factor authentication where the application supports it) and patch on a routine schedule.
Types of web application attacks
Healthcare web applications face the same classes of attack as web applications in any other industry. Common ones include injection flaws such as cross-site scripting (XSS) and SQL injection (SQLi), path traversal and local file inclusion (LFI), cross-site request forgery (CSRF), XML external entity (XXE) injection, and distributed denial-of-service (DDoS) attacks that make the application unavailable to patients and staff.
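To make the first of these concrete, here is an added example (not code from the original article or from any healthcare vendor) that places a vulnerable form beside a hardened form for SQL injection, path traversal and reflected XSS, in Python. The patient table, the `/srv/portal/records` directory and the sample payloads are constructed for the demonstration and do not describe any real system.

```python
import html
import posixpath
import sqlite3

# Constructed sample data for the demonstration; not real patient records.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, mrn TEXT, name TEXT, portal_user TEXT)"
    )
    conn.executemany(
        "INSERT INTO patients (mrn, name, portal_user) VALUES (?, ?, ?)",
        [("MRN-1001", "Alice Example", "alice"), ("MRN-1002", "Bob Example", "bob")],
    )
    return conn


# --- SQL injection ---------------------------------------------------------
def lookup_vulnerable(conn, portal_user):
    # Vulnerable: the caller's input is spliced into the SQL text, so a value
    # such as  x' OR '1'='1  rewrites the WHERE clause and returns every row.
    sql = f"SELECT mrn, name FROM patients WHERE portal_user = '{portal_user}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, portal_user):
    # Hardened: the value is bound as a parameter and is never parsed as SQL.
    return conn.execute(
        "SELECT mrn, name FROM patients WHERE portal_user = ?", (portal_user,)
    ).fetchall()


# --- Path traversal / local file inclusion -----------------------------------
RECORDS_ROOT = "/srv/portal/records"  # assumed location of stored documents


def resolve_record_path(filename, root=RECORDS_ROOT):
    # Hardened: normalise the joined path and require it to stay inside root.
    # posixpath.join discards root when filename is absolute, and normpath
    # collapses "..", so both "/etc/passwd" and "../../etc/passwd" are rejected.
    # posixpath is used so the check behaves identically on every platform;
    # backslashes are folded to "/" first so "..\\.." cannot slip past it.
    # In production also apply os.path.realpath so symlinks cannot escape root.
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, filename.replace("\\", "/")))
    if not candidate.startswith(root + "/"):
        raise ValueError(f"refusing path outside records directory: {filename!r}")
    return candidate


def is_safe_record_path(filename, root=RECORDS_ROOT):
    try:
        resolve_record_path(filename, root)
        return True
    except ValueError:
        return False


# --- Cross-site scripting -----------------------------------------------------
def greeting_vulnerable(display_name):
    # Vulnerable: reflects user-controlled text straight into the HTML response.
    return f"<p>Welcome back, {display_name}</p>"


def greeting_safe(display_name):
    # Hardened: HTML-encode the value so "<script>" becomes inert text.
    return f"<p>Welcome back, {html.escape(display_name)}</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))  # both patients leak
    print("safe:      ", lookup_safe(db, payload))        # []
    print(is_safe_record_path("labs/cbc.pdf"), is_safe_record_path("../../etc/passwd"))
    print(greeting_safe("<script>alert(1)</script>"))
```

The three hardened functions share one idea: untrusted input is handled as data (a bound parameter, a normalised path checked against a fixed root, an HTML-encoded string) rather than being allowed to change the structure of a query, a file path, or a page.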
Motivations for healthcare web app attacks
Threat actors targeting healthcare are driven by both ideological and financial motives. Healthcare records command a higher price on criminal markets than other kinds of personally identifiable information (PII), which makes them especially lucrative for individual attackers and hacker groups. According to the 2022 Verizon Data Breach Investigations Report, 95% of cyberattacks on the healthcare industry were financially motivated.
Examples of healthcare web app breaches
April 2014: The hacktivist collective Anonymous attacked Boston Children's Hospital after a doctor there diagnosed medical child abuse and recommended that the patient remain a ward of the state. The attack left the hospital's appointment scheduling system, fundraising site, and patient portal unavailable to patients and staff.
September 2020: Universal Health Services (UHS), a large provider with 400 hospitals and behavioral health facilities in the US and UK, came under attack. Some hospitals had to revert to paper records, and in some cases patients were diverted and services suspended; however, no patient or employee information appeared to have been compromised.
May 2021: Scripps Health, a nonprofit hospital system based in San Diego, was attacked, causing $112.7 million in damages and lost revenue. The attack led to major disruptions in patient care and forced providers to revert to paper record keeping, and the attackers also stole data on nearly 150,000 patients.
July 2022: Hospital systems across Louisiana, Georgia, and Wisconsin faced separate cybersecurity breaches: Baton Rouge General, Jack Hughston Memorial Hospital, and Southwest Health Center all reported recent cyberattacks.
What should you do to protect your practice (or healthcare clients if you are an MSP)?
Confirm that your web-based applications are developed and tested against OWASP guidance such as the OWASP Top 10 and the Application Security Verification Standard (ASVS). Run a vulnerability scanning and patching program so that known vulnerabilities in your web servers, frameworks, and the rest of your network are found and fixed before an attacker exploits them, and review your firewall configuration to confirm that appropriate geographic filtering is in place and known malicious sites are blocked. Threat monitoring through a Security Operations Center (SOC), including review of web server logs for injection attempts and bursts of failed logins, can detect unusual activity that may indicate an attack in progress.
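As an added example of the log-based monitoring a SOC can perform (not code from the original article or from any SOC vendor), the following Python script scans a web server access log for the injection and traversal signatures discussed earlier and for bursts of failed logins that suggest credential stuffing, the two attack patterns the HC3 advisory highlights. The log lines are constructed for the demonstration (client addresses come from the RFC 5737 documentation ranges), and the `/portal/login` path, the failure threshold and the time window are assumptions you would tune to your own application.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed access log in combined format for the demonstration; the
# addresses are RFC 5737 documentation ranges, not real clients.
LOG_LINES = """\
203.0.113.10 - - [21/Jul/2022:10:00:01 +0000] "GET /portal/results?id=42 HTTP/1.1" 200 5120
203.0.113.10 - - [21/Jul/2022:10:00:02 +0000] "GET /portal/results?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 90210
203.0.113.10 - - [21/Jul/2022:10:00:03 +0000] "GET /portal/download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1804
198.51.100.7 - - [21/Jul/2022:10:05:00 +0000] "POST /portal/login HTTP/1.1" 401 312
198.51.100.7 - - [21/Jul/2022:10:05:01 +0000] "POST /portal/login HTTP/1.1" 401 312
198.51.100.7 - - [21/Jul/2022:10:05:02 +0000] "POST /portal/login HTTP/1.1" 401 312
198.51.100.7 - - [21/Jul/2022:10:05:03 +0000] "POST /portal/login HTTP/1.1" 401 312
198.51.100.7 - - [21/Jul/2022:10:05:04 +0000] "POST /portal/login HTTP/1.1" 401 312
198.51.100.7 - - [21/Jul/2022:10:05:05 +0000] "POST /portal/login HTTP/1.1" 401 312
198.51.100.7 - - [21/Jul/2022:10:05:06 +0000] "POST /portal/login HTTP/1.1" 302 0
192.0.2.5 - - [21/Jul/2022:10:07:00 +0000] "POST /portal/login HTTP/1.1" 401 312
192.0.2.5 - - [21/Jul/2022:10:09:00 +0000] "POST /portal/login HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Signatures for the attack classes named in the article, applied to the
# URL-decoded request line (attackers routinely percent-encode payloads).
ATTACK_PATTERNS = [
    ("path_traversal", re.compile(r"\.\.[/\\]")),
    ("sql_injection", re.compile(r"'\s*or\s*'|union\s+select|;\s*drop\s", re.I)),
    ("xss", re.compile(r"<script|javascript:", re.I)),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_suspicious_requests(lines):
    """Return (ip, attack_label, decoded_request) for each request matching a signature."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        decoded = unquote_plus(rec["path"])
        for label, pattern in ATTACK_PATTERNS:
            if pattern.search(decoded):
                hits.append((rec["ip"], label, decoded))
                break  # one label per request is enough for triage
    return hits


def find_credential_stuffing(lines, threshold=5, window_seconds=60, login_path="/portal/login"):
    """Flag IPs with >= threshold failed logins inside any window, noting if a success followed.

    A burst of 401s followed by a 200/302 from the same address is the classic
    footprint of stolen or guessed credentials being tried until one works.
    """
    attempts = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and rec["path"].split("?", 1)[0] == login_path:
            attempts[rec["ip"]].append((rec["ts"], rec["status"]))

    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        failures = [ts for ts, status in events if status == 401]
        densest, start = 0, 0
        for end in range(len(failures)):  # sliding window over sorted timestamps
            while (failures[end] - failures[start]).total_seconds() > window_seconds:
                start += 1
            densest = max(densest, end - start + 1)
        if densest >= threshold:
            last_failure = failures[-1]
            success_after = any(status in (200, 302) and ts > last_failure for ts, status in events)
            flagged[ip] = {"failures": densest, "success_after": success_after}
    return flagged


if __name__ == "__main__":
    for ip, label, req in find_suspicious_requests(LOG_LINES.splitlines()):
        print(f"{label:15} {ip:15} {req}")
    for ip, info in find_credential_stuffing(LOG_LINES.splitlines()).items():
        print(f"credential_stuffing {ip}: {info}")
```

On the constructed log this reports one SQL injection probe and one traversal attempt from 203.0.113.10, and flags 198.51.100.7 for six failed logins in six seconds followed by a successful one, which is the case a SOC analyst should treat as a probable account takeover rather than a mere brute-force attempt. Signature matching of this kind is a first filter, not a verdict: tune the patterns and thresholds to your application and confirm hits against the application's own audit log.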