Feds Urge Health Sector Entities to Guard Against DDoS
HHS Guidance Comes After Attack Campaigns by Russian Nuisance Hackers
Weeks after a wave of distributed denial-of-service attacks from Russian nuisance hacking group KillNet temporarily disabled access to dozens of American hospital websites, federal authorities are urging the healthcare sector to stay vigilant.
The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center in guidance issued Monday warns healthcare sector entities of the serious disruptions and "detrimental impact" on patient care potentially resulting from DDoS attacks by threat actors, including pro-Kremlin group KillNet.
DDoS attacks are becoming more sophisticated and complex while getting easier and cheaper to perpetrate as cybercriminals take advantage of the sheer number of insecure internet-connected devices, HHS HC3 writes.
The attacks also are often a precursor to "a much larger nefarious plot" of a threat actor, HHS HC3 warns. "Often, DDoS attacks are used as smokescreens to divert a target victim's attention and resources while threat actors deploy potentially more malicious attacks," the agency writes.
KillNet's recent onslaught of attacks appears to have had minimal effect. A government spokeswoman told The Record that there were no reports of unauthorized access to hospital networks, disruptions to health care delivery or impacts on patient safety.
The KillNet group, whose name comes from a tool used to initiate DDoS attacks, has launched a slew of them against Western targets since Russia escalated its invasion of Ukraine in February 2022.
The attacks have mostly been an irritation rather than a serious threat, incapacitating public-facing websites for a short period of time. The group, which organizes on Telegram, late last month targeted dozens of hospitals and healthcare sector entities with DDoS attacks over several days (see: HHS, AHA Warn of Surge in Russian DDoS Attacks on Hospitals).
KillNet describes its DDoS attacks as retaliation for foreign countries' support for Ukraine in Russia's war.
"KillNet actors may perceive healthcare organizations as particularly vulnerable to the disruptive effects of DDoS attacks on the often time-sensitive clinical services that they provide. Delays in treating critical or otherwise high-priority patients due to DDoS-related disruptions could have significant adverse impacts on patient outcomes," says Paul Prudhomme, head of threat intelligence advisory at security firm Rapid7.
Cybersecurity experts warn that the next round of attacks could have greater impact. That is particularly true if the attacks incapacitate patient portals, says Jess Parnell, vice president of security operations at threat intelligence firm Centripetal.
Such cyber assaults "could inflict physical harm if people can't get access to their medical records or medical prescriptions," says Parnell, who previously managed security operation services at HHS during the rollout of the Affordable Care Act's HealthCare.gov.
Web App Risks
Application layer DDoS attacks, and specifically ransom DDoS attacks, are "on an uptick," HHS HC3 states. "Adversaries will use web application attacks, such as DDoS attacks, to target an organization’s most exposed infrastructure, such as web servers, to exploit a weakness in an internet-facing computer or software."
Web application security and sourcing should be a top security priority for healthcare entities, HHS HC3 advises.
"Healthcare organizations should sanitize, increase resource availability, implement cross-site scripting and cross-site request forgery protections, implement Content Security Policy, and audit third-party code," the agency says.
"Additional steps include running static and dynamic security scans against the website code and system, deploying web application firewalls, leveraging content delivery networks to protect against malicious web traffic, and providing load balancing and resilience against high amounts of traffic."
Healthcare entities should also be aware of the DDoS risks that third-party vendors may pose, says Dustin Hutchison, CISO at security firm Pondurance. "Healthcare entities need to understand the scope and control of their web presence, including patient portals that are hosted and managed by third parties," he says.
"In the case of a third-party managed site, DDoS protection should be a requirement prior to implementation. The risk of downtime affecting patient care or revenue generation should be a part of the procurement and risk assessment process," he says.
While federal authorities warn that ransomware and other cyberattacks will continue to plague the healthcare sector in the months ahead, entities can fight back against these trends, says John Riggi, national adviser for cybersecurity and risk at the American Hospital Association.
"The good news is that attention to cybersecurity basics such as email security, security of remote access technologies, patching and robust third-party risk management programs will go a long way in reducing the risk of cyberattacks in 2023 and beyond," he says.