The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has recently released a comprehensive guide that focuses on distributed denial of service (DDoS) attacks in the healthcare sector. This guide provides healthcare organizations with crucial insights into the nature of DDoS attacks and outlines effective measures to minimize the severity and consequences of such cyber threats. The HC3’s DDoS guide is an invaluable resource for healthcare professionals and IT security experts looking to enhance their cybersecurity strategies and safeguard their systems and data against potential attacks.
DDoS attacks have become a notorious cyber threat to organizations worldwide, and the healthcare sector is no exception. A DDoS attack is a type of resource exhaustion flooding attack that overwhelms the targeted server, service, or network by consuming its resources, such as bandwidth or computing power, to the extent that legitimate users cannot access the service. In the healthcare sector, DDoS attacks can be particularly damaging as they can disrupt critical medical services, which could lead to a denial of patient care and potential harm.
These attacks are often executed using botnets consisting of numerous compromised devices, such as computers and IoT devices, which flood the targeted IP address with a massive volume of malicious traffic, causing the service to become overwhelmed. Such attacks can cause a logjam that effectively denies normal traffic from reaching the targeted resource, which can persist for several hours and, in some cases, even several days.
Typically, DDoS attacks do not involve data theft or hardware damage themselves. However, they can serve as a smoke screen to distract security teams. While the security team is dealing with the DDoS attack, the threat actor may attempt a simultaneous attack on the system, such as a phishing attack, malware delivery, or data exfiltration. As such, DDoS attacks can pose a significant risk to healthcare organizations, as the attackers may use this as an opportunity to breach the system’s security and steal confidential data.
Furthermore, DDoS attacks can be used as part of an extortion attack, where the attacker demands a ransom payment in exchange for stopping the attack. HC3 notes that ransom DDoS attacks are becoming increasingly common, with a 24% quarter-over-quarter increase and a 67% year-over-year increase. Healthcare organizations are particularly vulnerable to ransom DDoS attacks on web applications, such as patient portals, webmail, patient monitoring applications, and telehealth services, which are essential for providing medical services.
Recent cybersecurity reports have revealed that the healthcare and public health (HPH) sector is currently under attack by a pro-Russian hacktivist group known as Killnet. The group has been executing DDoS attacks on countries that are providing support to Ukraine, with a specific focus on hospitals and medical organizations in recent weeks. The potential consequences of a data breach or theft of confidential patient data are significant and could result in serious harm to the patients and healthcare organizations affected.
Given the potential harm that these attacks can cause to the healthcare sector, the HC3 has released a DDoS guide for the healthcare sector that recommends various strategies to prevent and mitigate the impact of DDoS attacks. The guide suggests healthcare organizations should conduct a methodical inventory of their critical assets, prioritize identifying services and devices that may be exposed to the public internet, and assess vulnerabilities and how users connect to networks. Engaging service providers, such as internet service providers (ISPs) and cloud service providers, to develop a DDoS contingency plan is also recommended.
To mitigate the impact of DDoS attacks, healthcare organizations should review logs of servers, routers, firewalls, and applications for patterns, anomalies, and discrepancies. The guide also advises using a network analyzer to review traffic and coordinating with service providers to determine what visibility they have into an attack and what mitigation assistance they can offer. Blocking traffic, terminating suspicious connections or processes, and adding server and network bandwidth are some of the measures recommended to mitigate the effects of a DDoS attack.
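The log review the guide recommends can be partly automated. The following Python script is an added example, not part of the HC3 guide or this article; it parses web-server access-log lines in the common Apache/nginx "combined" layout and surfaces three flood signals: a single source bursting far above normal request rates, the aggregate request rate spiking, and traffic concentrating on one URL (typical of an application-layer flood against something like a patient portal login page). The log lines, addresses (RFC 5737 documentation ranges), window size and threshold are all constructed for the demonstration; real deployments would tune them to their own baseline.

```python
"""Flag DDoS-style flood patterns in web server access logs (constructed sample data)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Prefix of an Apache/nginx "combined" log line: ip ident user [ts] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, _, rest = m["req"].partition(" ")
    path = rest.split(" ")[0] if rest else ""
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": method,
        "path": path,
        "status": int(m["status"]),
    }


def peak_in_window(stamps, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    stamps = sorted(stamps)
    start, peak = 0, 0
    for end, t in enumerate(stamps):  # two-pointer sliding window
        while t - stamps[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def flood_sources(entries, window, threshold):
    """Map source IP -> peak requests per window, for sources at or above `threshold`."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        peak = peak_in_window(stamps, window)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def aggregate_peak(entries, window):
    """Peak total requests in any window, regardless of source (catches distributed floods)."""
    return peak_in_window([e["ts"] for e in entries], window)


def top_path(entries):
    """(path, count, share of all requests) for the most-requested URL."""
    counts = Counter(e["path"] for e in entries)
    path, n = counts.most_common(1)[0]
    return path, n, n / len(entries)


def constructed_log():
    """Constructed sample: three normal users plus one bursting source (documentation IPs)."""
    base = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, t, req, status):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "{req}" {status} 512'

    lines = []
    for i, ip in enumerate(["203.0.113.10", "203.0.113.11", "203.0.113.12"]):
        for k in range(6):  # one request every 10 s for a minute
            t = base + timedelta(seconds=10 * k + i)
            lines.append(line(ip, t, "GET /portal/home HTTP/1.1", 200))
    for k in range(40):  # 40 POSTs to the login page within 4 s
        t = base + timedelta(seconds=30 + k // 10)
        lines.append(line("198.51.100.7", t, "POST /portal/login HTTP/1.1", 503))
    return lines


def analyse(lines, window=timedelta(seconds=10), threshold=20):
    """Run all three checks over raw log lines and return a summary dict."""
    entries = [e for e in map(parse_line, lines) if e]
    return {
        "parsed": len(entries),
        "flood_sources": flood_sources(entries, window, threshold),
        "aggregate_peak": aggregate_peak(entries, window),
        "top_path": top_path(entries),
    }


if __name__ == "__main__":
    for key, value in analyse(constructed_log()).items():
        print(f"{key}: {value}")
```

On the constructed sample the single bursting source is flagged at 40 requests in a 10-second window, the aggregate peak is 44, and the login path carries 40 of 58 requests. The per-source check alone misses a distributed flood where each bot stays under the threshold, which is why the aggregate-rate and path-concentration signals are computed as well; the per-source output is what you would hand to the ISP or firewall team for blocking, while the aggregate signal is the trigger for engaging upstream mitigation.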
Finally, healthcare organizations have been advised to thoroughly document lessons learned after a DDoS attack and assess their preparedness to deal with future attacks. It is essential to evaluate relationships, both internal and external, to identify individuals and teams that can assist in planning and incident response. By following these recommendations, healthcare organizations can minimize the impact of DDoS attacks on patient care, ensure continuity of care, and protect their reputation and financial stability.