Cyber Risks of Web Applications in the Healthcare Sector
According to IBM Security’s annual Cost of a Data Breach Report, the cost of a data breach in the healthcare sector in 2022 is at an all-time high – $10.1 million on average.
In May 2021, San Diego-based Scripps Health made headlines after it was revealed that it was the target of a ransomware attack. The incident forced the healthcare organization to take a large chunk of its IT systems offline for several weeks, significantly disrupting patient care and the ability of staff to perform their daily tasks. Prior to the ransomware attack, Scripps Health had also suffered a massive data breach, with cybercriminals stealing the data of almost 150,000 patients. The stolen information consisted of names, addresses, birthdates, patient account numbers, clinical and treatment records, medical record numbers, and, for some patients, Social Security numbers.
As a result of the attack, Scripps Health incurred $112.2 million in losses – $91.6 million in lost revenue and $21.1 million in recovery and remediation costs.
The annual Verizon Data Breach Investigations Report found that “basic web application attacks, miscellaneous errors and system intrusions were behind 76% of healthcare data breaches in 2021”.
Today, we will discuss web-based applications. While allowing healthcare providers to significantly increase their efficiency and improve patients’ experience, they come with a range of cybersecurity threats that organizations in this sector must be vigilant about.
The proliferation of web applications in the health sector
In the last decade, web applications have become established as one of the most important technological assets of healthcare providers. Web-based apps come in the form of online pharmacies, telehealth services, patient portals, EHR systems, patient monitoring applications with IoT devices, health insurance portals, remote consults, and inventory management systems.
These web applications have a slew of benefits: they enable healthcare organizations to increase efficiency and convenience; they assist medical professionals in making accurate and timely decisions and selecting suitable treatments; and, last but not least, they allow patients to track their records and health insurance matters, schedule appointments, order medicines, and stay in contact with their doctors — all with a click of a button.
Cyber vulnerabilities of web-based applications
While web applications have been steadily growing in popularity for years now, the pandemic accelerated the usage of these apps. Unfortunately, it also increased the incidence and risk of cyber attacks on them. For example, when COVID vaccines were first rolled out, there was a 51% increase in web application attacks in this sector.
The most commonly exploited vulnerabilities of healthcare web applications are as follows:
- Injection flaws: Here, threat actors attack the databases or directories behind a web application by submitting untrusted, unfiltered input through fields such as username or password, which the application passes on to a query without validation. The two main variants are SQL injection and LDAP injection.
- Improper authentication: Authentication systems are kept in place to correctly identify and validate users. Failing to securely authenticate users allows cybercriminals to bypass authorization procedures. Typical flaws include weak usernames and passwords, credential stuffing, and data leaks from user accounts, among others.
- Poor encryption: The absence or improper implementation of cryptographic tools can lead to issues like insecure connections between apps and servers, and inadequate protection of critical and sensitive data.
- Cross-site request forgery (CSRF): Here, an attacker tricks a user who is logged in to a vulnerable web application into opening a malicious link or page. The user’s browser automatically attaches the session cookies and other stored credentials to the forged request, so the application processes it as if the victim had made it, giving the attacker access to the victim’s information or actions.
- Misconfigured security: This includes unpatched security flaws, unprotected files and directories, outdated software, etc. These practices open up vulnerabilities that can be utilized by threat actors to launch cyber attacks.
- Insecure direct object references: Exposing a reference to an internal object such as a user record, a file, or a database key (in a URL or form parameter) without checking that the requester is entitled to it is a serious security flaw. Cybercriminals can manipulate such references to gain access to confidential information and databases.
Some of the most common methods of web application attacks are DDoS, ransomware, injection attacks, cross-site scripting (XSS), and brute force attacks.
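The insecure direct object reference flaw described above, shown on a hypothetical patient-portal endpoint that looks up a medical record by its record number. This is an added example, not code from the original article: a handler that trusts the reference as-is sits beside a hardened one that enforces ownership and records denied attempts for the user-activity monitoring recommended later in this article. The record data, care-team mapping, and role names are all constructed for the example.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("patient_portal")

# Constructed sample data standing in for a patient portal's records table.
# Medical record numbers (MRNs) are the direct object references exposed in URLs.
RECORDS = {
    "MRN-1001": {"owner": "alice", "summary": "Annual physical, no findings"},
    "MRN-1002": {"owner": "bob", "summary": "Post-op follow-up"},
}
# Which clinician is on which patient's care team (constructed).
CARE_TEAM = {"dr_lee": {"alice"}}

# Denied requests are recorded here so monitoring can spot one account
# walking through the MRN space.
AUDIT_LOG = []


@dataclass
class Session:
    user_id: str
    role: str  # "patient" or "clinician"


def get_record_vulnerable(session: Session, mrn: str):
    """IDOR: the MRN from the request is used as a database key with no
    check that the logged-in user is allowed to see that record."""
    record = RECORDS.get(mrn)
    return (200, record) if record else (404, None)


def is_authorized(session: Session, record: dict) -> bool:
    """A patient may read only their own record; a clinician only the
    records of patients on their care team."""
    if session.role == "patient":
        return record["owner"] == session.user_id
    if session.role == "clinician":
        return record["owner"] in CARE_TEAM.get(session.user_id, set())
    return False


def get_record_hardened(session: Session, mrn: str):
    """Resolve the reference, then enforce ownership before returning anything.
    'Not found' and 'not yours' get the same 404 so a caller cannot use the
    status code to learn which MRNs exist."""
    record = RECORDS.get(mrn)
    if record is None or not is_authorized(session, record):
        AUDIT_LOG.append({"user": session.user_id, "mrn": mrn, "outcome": "denied"})
        log.warning("denied record access user=%s mrn=%s", session.user_id, mrn)
        return 404, None
    return 200, record
```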
How healthcare organizations can ensure the cybersecurity of web applications
- Organizations should follow the advice of HHS and employ automated vulnerability scanning and security testing tools that help discover, analyze and mitigate possible security vulnerabilities and misconfigurations. Additionally, they should implement secure development testing that evaluates the impact of threats and attacks on web applications, allowing them to gauge the required level of security and protection.
- Healthcare providers must regularly update all organizational application software and servers to the latest versions to eliminate any vulnerabilities that cyber attackers could use to their advantage. Additionally, they should carefully monitor user activity on these applications to watch for suspicious behavior. Finally, for an extra layer of protection, they should deploy endpoint security solutions on all system devices.
- Organizations should employ encryption and web application firewalls and keep them updated. This is in addition to standard security tools such as antivirus, antimalware, MFA, CAPTCHAs, and stronger passwords for user authentication.
- Healthcare institutions contain a lot of critical and personal data. This data must be stored on secure platforms with access being limited only to trusted employees. Additionally, we recommend investing in cybersecurity fundamentals such as zero-trust security, especially when handling confidential information.
- Healthcare providers should remove inactive accounts from web applications and implement effective policies for managing data that is no longer in use.
- The healthcare sector is at the top of the list for security breaches. A strong cyber insurance policy to cover any liabilities in the event of a security breach is a must.