By Rob Falbo, vice president of healthcare solutions, Imperva.
In most industries, an IT service outage can lead to lost revenue. In the healthcare industry, disruption of network or application services impacts critical patient care. In the past year, non-human web traffic spiked dramatically, a trend that should be concerning for any healthcare organization.
Research conducted by cybersecurity company Imperva found that, in 2022, 35.8% of all US healthcare website traffic came from bad bots. These are malicious, automated software applications capable of high-speed abuse, misuse, and attacks. What’s more concerning is that 27.1% of bad bots were classified as “advanced.” This breed of bot is capable of using the latest evasion techniques, closely mimicking human behavior to avoid detection.
With bad bot traffic continuing to rise across the globe, it’s critical for healthcare organizations to understand the potential threat bad bots pose and the steps they can take to mitigate it.
How Attackers Are Hitting the Healthcare Industry
In February 2023, the US healthcare industry was put on edge as a spate of distributed denial-of-service (DDoS) attacks were carried out against various healthcare organizations by the pro-Russian hacktivist group Killnet.
DDoS attacks are designed to overload a network with traffic, making it difficult, even impossible, for patients to access essential services. The attacks are carried out by a collection of bots or hijacked machines, known as a botnet. This enables the attackers to harness the power of many machines and obscure the traffic source. Since traffic is distributed, it is difficult for security tools and teams to detect that a DDoS attack is occurring until it is too late.
This form of cyberattack can have a devastating impact on patient care. In healthcare, time is of the essence, especially when the electronic medical records (EMR) system, scheduling tool, or payment portal are impacted. The longer these services are incapacitated, the more serious the long-term consequences can be. In fact, providers might even put off procedures because of such disruption.
Rightfully, healthcare organizations have been focused on preventing DDoS attacks. However, account takeover (ATO) is another serious threat that cannot be overlooked. These attacks use leaked or stolen login information to hijack a patient's account. Cybercriminals employ bots to scale their efforts and carry out these attacks. In 2022, there was a 155% increase in ATO attacks over the previous year, underscoring how prevalent these attacks are becoming.
The healthcare industry is a ripe target for ATO because patient portal login pages are often built without two-factor authentication. This makes it easier for criminals to try password cracking or credential stuffing attacks, leveraging data from previous breaches in an effort to exploit reused passwords.
How Can Healthcare Organizations Mitigate Cybersecurity Attacks?
It starts with risk identification. Healthcare organizations need to understand which parts of their website and application functions attackers are likely to target. Login pages and payment portals require robust security measures to protect them. It’s also important to ensure that if a bot is blocked from accessing the website, it is blocked from the mobile application as well.
Healthcare organizations should monitor and evaluate traffic for signs of attack activity, such as abnormally high bounce rates, failed login attempts, or an unexplained spike in traffic from unknown IPs or in requests to a specific URL. It's also important to look for activity involving the use of outdated browsers, proxy servers, or automated tools like Selenium and WebDriver. While there are exceptions, these are generally associated with malicious, automated activity.
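As an added illustration of the monitoring signals listed above (example code written for this page, not Imperva's tooling or any product's detection logic), the following script parses a few constructed access-log lines and flags source IPs that repeatedly fail to log in or that present automation-associated user agents. The login path `/portal/login`, the sample IPs and the marker list are assumptions for the example; thresholds would be tuned to a real portal's traffic.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache/nginx "combined" log format; not real traffic.
# Three sources: a scripted client hammering the login page, an ordinary browser
# that mistypes a password once, and a headless browser scraping an appointments page.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Mar/2023:12:00:{i:02d} +0000] "POST /portal/login HTTP/1.1" '
     '401 512 "-" "python-requests/2.28"' for i in range(6)]
    + ['198.51.100.4 - - [10/Mar/2023:12:01:00 +0000] "POST /portal/login HTTP/1.1" '
       '401 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/110.0"',
       '198.51.100.4 - - [10/Mar/2023:12:01:30 +0000] "POST /portal/login HTTP/1.1" '
       '302 0 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/110.0"',
       '192.0.2.9 - - [10/Mar/2023:12:02:00 +0000] "GET /portal/appointments HTTP/1.1" '
       '200 2048 "-" "Mozilla/5.0 HeadlessChrome/110.0"'])

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                     r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
LOGIN_PATH = "/portal/login"  # assumed patient-portal login URL
# Substrings seen in user agents of headless browsers and scripted HTTP clients.
# A signal, not proof: uptime monitors and integrations use the same tools.
AUTOMATION_UA_MARKERS = ("headlesschrome", "selenium", "webdriver", "python-requests", "curl/")

def parse_log(text):
    """Parse combined-format lines into dicts; silently skip lines that do not match."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def failed_logins_by_ip(events, login_path=LOGIN_PATH):
    """Count failed (401/403) POSTs to the login page per source IP."""
    return Counter(e["ip"] for e in events if e["method"] == "POST"
                   and e["path"] == login_path and e["status"] in ("401", "403"))

def automation_clients(events):
    """Map source IP -> user agent for requests whose UA carries an automation marker."""
    return {e["ip"]: e["ua"] for e in events
            if any(mark in e["ua"].lower() for mark in AUTOMATION_UA_MARKERS)}

def requests_by_path(events):
    """Requests per URL, to spot a single endpoint absorbing a disproportionate share."""
    return Counter(e["path"] for e in events)

def flag_suspicious(events, fail_threshold=5):
    """Combine the signals into {ip: [reasons]}; an IP with no reason is not listed."""
    reasons = defaultdict(list)
    for ip, n in failed_logins_by_ip(events).items():
        if n >= fail_threshold:
            reasons[ip].append(f"{n} failed logins to {LOGIN_PATH}")
    for ip, ua in automation_clients(events).items():
        reasons[ip].append(f"automation user agent: {ua}")
    return dict(reasons)

if __name__ == "__main__":
    for ip, why in flag_suspicious(parse_log(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(why))
```

The browser that failed once is not flagged, which is the point of the threshold: a single mistyped password is normal, a burst of failures from one source with a scripted client is the credential-stuffing pattern.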
Healthcare organizations should have a well-established incident response plan, including a crisis communications plan, to inform patients and staff of an incident. A business continuity plan, inclusive of backup systems and processes to ensure essential services are not disrupted, is also helpful when responding to DDoS attacks.
When making cybersecurity purchasing decisions, opt for cloud services over anything that must be hosted on-premises. The latter requires the creation and implementation of manual rules whenever an attack occurs or a new CVE is released. This is challenging to do, as healthcare organizations are often understaffed with limited resources.
There is also a misconception that having DDoS protection in front of the website is enough to protect the entire environment. To protect all critical assets, defenses must be in front of the website, DNS, and infrastructure.
Take the Necessary Steps to Reduce Risk
Bad bots make up an increasingly sizable percentage of all web traffic, and organizations in the healthcare industry are particularly vulnerable to their efforts. Healthcare organizations must recognize the growing bot problem they face and take the steps necessary to prepare for, detect, and mitigate bad bot traffic across their platforms. Bad bots have the potential to cause reputational damage, decreased revenue, and impact patient care. By recognizing the problem and taking corrective action, healthcare organizations can significantly reduce their risk and exposure.