HHS calls for added security in latest threat brief on apps such as patient portals, telehealth.
Web applications such as patient portals, telehealth services and online pharmacies can become openings for computer network attacks against physicians and health systems, according to federal experts.
The U.S. Department of Health and Human Services (HHS) issued the warnings and potential security upgrades in its latest threat brief, “Web Application Attacks in Healthcare.” HHS offers guidance through its Office of Information Security and the Health Sector Cybersecurity Coordination Center (HC3).
“Even though there are a variety of web application attacks, there are also processes, technologies and methods to protect against them,” the threat brief said.
Web apps in use
Web apps are application programs “stored on a remote server and delivered over the Internet through a browser interface,” according to the official definition. Those exist as online forms, shopping carts, word processors, spreadsheets, video and photo editing programs, file convertors, file scanners and email programs including Gmail, the threat brief said.
In medicine, examples include patient portals, electronic health record (HER) systems, web-based email, medical resources for doctors and clinical decision support, computer aided design systems for dentists, health insurance portals and inventory management systems.
Basic web application attacks may target an organization’s web servers through Internet-facing computers or programs, using software, data and commands. There are numerous types of attacks that can lead to hackers gaining access to view and alter records, or possibly act as a database administrator, according to HC3.
One example is a distributed denial of service (DDoS) attack, regarded as “extremely effective because they flood the victim’s network with traffic, rendering network resources, such as web applications, unusable,” the threat brief said. DDoS attacks also may serve as a distraction, allowing hackers to deploy more sinister malware.
Examples from health care
In 2021, web apps were the main vector in cyberattacks against the health care sector, in 849 incidents, including 571 with confirmed data disclosure, according to HC3, which cited the 2022 Data Breach Investigations Report by Verizon.
Examples include an incident from January, when a ransomware attack on a human resources and payroll vendor disrupted paychecks for the health care workforce of a system. In May 2021, a ransomware attack took down the patient portal of a California hospital system.
Historically, the best known example of a web app attack may be from 2014, when DDoS attacks hurt the online presence of the Wayside Youth and Family Support Network and the Boston Children’s Hospital, which claimed a cost of more than $300,000 and lost donations worth another $300,000. In 2018, a federal jury convicted a “hacktivist,” claiming affiliation with the online group Anonymous, for targeting the facilities due to a custody dispute between the state and the parents of a girl admitted as a ward of the state. HC3 cited that example and the U.S. Department of Justice published a news release on that conviction.
Computer system administrators have a variety of processes and technology to protect against web app attacks, according to HC3:
- Automated vulnerability scanning and security testing helps organizations find and strengthen security weaknesses.
- Web app firewalls are hardware and software solutions to filter, monitor and block malicious traffic from traveling to the web app.
- Secure development testing is a practice to consider threats and attacks and make web apps as secure as possible.
HC3 offered basic recommendations to secure patient portals:
- Implement a CAPTCHA, the online tests used to tell human users and computers apart.
- Establish a login limit.
- Use login monitoring.
- Screen for compromised credentials.
- Implement multifactor authentication (MFA), which requires a combination of two or more credentials to verify a user’s login. The federal Cybersecurity & Infrastructure Security Agency has a fact sheet dedicated to MFA, and HC3 offered a list of best practices and a number of free or low-cost resources for cybersecurity.