It’s one thing to target a web business with cyberattacks. It’s worse to disrupt education by, for example, attacking schools or colleges with DDoS attacks. But it’s hard to think of anything lower and more reprehensible than aiming an attack at a healthcare provider. While the other two targets could result in disruption, targeting an attack at a healthcare provider has the potential to cost lives.
Unfortunately, bad actors online are rarely bound by principles like morality — which may help explain why web application attacks have surged during the coronavirus pandemic.
In particular, these web app attacks boomed in December 2020 as the first COVID-19 vaccines were beginning to roll out and be administered around the world. Those organizations without the necessary security tools to protect against the likes of SQL injection attacks and others faced (and continue to face) potentially devastating consequences.
Web applications are vulnerable
Web applications are computer programs that run as part of websites. The term covers features such as login pages, support and product request forms, webmail and other apps that sit within web pages to provide additional functionality on websites. They are frequently used for capturing, processing, storing, and sending customer data. Web apps can be rapidly deployed at little cost and, importantly, will run on any operating system and browser, usually without requiring the user to install any additional software.
Unfortunately, as useful as web apps are, they are also vulnerable to attacks in certain cases. Four types of web app attacks ramped up in the healthcare sector last year. These included cross-site scripting (XSS) attacks, SQL injections, protocol manipulation attacks, and remote code execution/remote file inclusion. All can be extremely harmful to users, potentially resulting in unauthorized access of data or forcing the user to run malicious code.
Attacks are on the rise
An XSS attack targets users of web applications. It circumvents the Same Origin Policy (SOP), a crucial part of web application security designed to stop a web browser running scripts that access data from a different website. XSS attacks work by inserting malicious code into a target website, which then runs whenever that page is used. It could, for example, allow a hacker to pose as their victim in order to gain access to a web session. Where the victim has privileged access, this may enable the attacker to compromise a website.
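The defence against the stored-script case described above is to encode user-supplied text before it is written into a page. The following is an added example, not part of the original article; the message list and function names are constructed for illustration.

```python
import html

# Constructed sample: messages saved from a support form. The second one
# carries markup that a browser would execute if echoed back unencoded.
STORED_MESSAGES = [
    "Please call me back about my appointment.",
    "<script>/* placeholder for attacker-supplied script */</script>",
    'Name: "Ann" <ann@example.test>',
]


def render_unsafe(messages):
    # Weak: stored text is pasted into the page as-is, so any markup in it
    # becomes part of the document and runs in every visitor's session.
    items = "".join(f"<li>{m}</li>" for m in messages)
    return f"<ul>{items}</ul>"


def render_escaped(messages):
    # Hardened: <, >, & and quotes are turned into HTML entities, so the
    # browser displays the text instead of interpreting it.
    items = "".join(f"<li>{html.escape(m, quote=True)}</li>" for m in messages)
    return f"<ul>{items}</ul>"


def response_headers():
    # Defence in depth: a Content-Security-Policy without 'unsafe-inline'
    # tells the browser to refuse inline scripts even if encoding is missed.
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }


if __name__ == "__main__":
    print(render_unsafe(STORED_MESSAGES))
    print(render_escaped(STORED_MESSAGES))
    print(response_headers())
```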
An SQL injection, meanwhile, refers to a web vulnerability that lets the attacker gain access to data they should not be able to see, potentially including users’ sensitive data. It does this by interfering with the manner in which an application makes queries to its database. It can be used by an attacker to modify or delete data, thereby fundamentally altering the content or behavior of a web app. In a worst-case scenario, an SQL injection attack could give the attacker a long-term backdoor into a system, allowing them to leach everything from passwords to credit card details to confidential data over an extended period of time.
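How input can interfere with a query, and how a parameterized query prevents it, is shown in the following added example, which is not part of the original article. The table, rows and function names are constructed, and an in-memory SQLite database stands in for the application's real one.

```python
import sqlite3


def make_db():
    """Build an in-memory database holding constructed sample records."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE patients "
        "(id INTEGER PRIMARY KEY, owner TEXT, name TEXT, diagnosis TEXT)"
    )
    db.executemany(
        "INSERT INTO patients (owner, name, diagnosis) VALUES (?, ?, ?)",
        [
            ("dr_adams", "Patient A", "asthma"),
            ("dr_adams", "Patient B", "fracture"),
            ("dr_baker", "Patient C", "diabetes"),
        ],
    )
    return db


def lookup_vulnerable(db, owner, name):
    # Weak: the input is pasted into the SQL text, so a quote inside `name`
    # ends the string literal and the rest is parsed as query logic.
    sql = (
        "SELECT name, diagnosis FROM patients "
        f"WHERE owner = '{owner}' AND name = '{name}'"
    )
    return db.execute(sql).fetchall()


def lookup_parameterized(db, owner, name):
    # Hardened: placeholders send the values separately from the statement,
    # so they are only ever compared as data, never parsed as SQL.
    sql = "SELECT name, diagnosis FROM patients WHERE owner = ? AND name = ?"
    return db.execute(sql, (owner, name)).fetchall()


# Constructed input: the embedded quote turns the filter into an always-true
# condition when it is concatenated into the query text.
HOSTILE_NAME = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "dr_adams", HOSTILE_NAME))     # every row
    print(lookup_parameterized(db, "dr_adams", HOSTILE_NAME))  # no rows
```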
A protocol manipulation attack uses a particular communication protocol as a vector for carrying out an attack. Such attacks allow hackers to impersonate others in order to control session outcomes, ascertain sensitive information, and carry out other attacks.
Finally, a remote code execution (RCE) attack lets an attacker take over a computer or server by remotely running malicious code. This can allow them to view, alter or delete data, in addition to installing programs, or even creating entire new accounts with administrator rights. Such malware may be distributed in a number of ways, including by manipulating web apps to host a file that has been crafted to exploit a particular vulnerability. When the user accesses the web app, they expose themselves to the vulnerability.
Targeting healthcare organizations
There are multiple reasons why attackers might target healthcare organizations. For one, confidential patient information can be worth a lot of money to attackers, since they are able to sell it on easily and at a good price. Healthcare organizations may also have outdated security technology, compared with some other sectors.
Smaller budgets and worries about learning new systems can mean that some healthcare organizations are particularly vulnerable to attack, and likely to attract attackers. Such attacks can also be devastating in their consequences — both in terms of the potential fines organizations may face for exposing private medical information in the event of a data breach, and also the possible deadly implications of an attacker altering, deleting, or making inaccessible certain patient data.
Defending against attacks
It’s crucial, therefore, that healthcare web apps are properly secured. Luckily, the tools are available to help with this important task. A web application firewall (WAF) is an invaluable method of protecting against online threats. It uses a list of constantly updated signatures to address and protect against specific attack vectors and security vulnerabilities. Meanwhile, Runtime Application Self-Protection (RASP) protects applications by examining request payloads to determine whether or not a request is potentially malicious. This allows applications to defend themselves against attacks.
Unfortunately, bad actors and cybercriminals will continue to leverage chaotic, challenging situations (such as a global pandemic) to wreak havoc as best they can. This includes attacking the healthcare sector. Fortunately, by following the advice laid out above, organizations can be made aware of the risks and, vitally, can do something proactive about them.