HHS offers tips to protect from web application attacks in healthcare

Editor's Note

The US Department of Health and Human Services (HSS) Health Sector Cybersecurity Coordination Center (HC3) released a new brief offering tips on how to protect healthcare organizations from basic web application attacks, the American Hospital Association (AHA) July 26 reports. These attacks target patient portals and expose patient data, often resulting in stolen credentials and other known vulnerabilities.

Web applications, in a nutshell:

• are programs stored on a remote server and delivered over the Internet through a browser interface
• include online forms, shopping carts, word processors, spreadsheets, video and photo editing, file conversion, file scanning, and email programs such as Gmail
• require user interaction and have a backend database with authentication and more.

“This type of attack, which involves cyber adversaries exploiting flaws in internet or public-facing websites such as patient portals, is a serious issue for healthcare,” said AHA’s national advisor for cybersecurity and risk, John Riggi. “These types of attacks have been leveraged in the past year to conduct high-impact ransomware attacks against at least one large health system and a major healthcare scheduling and payroll vendor, both of which disrupted health care delivery services for several weeks."