Rising Threat of DDoS Attacks in Healthcare
The global healthcare IT market is projected to reach $974.5 billion by 2027, highlighting the critical need for enhanced cybersecurity measures. Today, much of the healthcare industry’s work is digital, leveraging technology to execute medical procedures, store electronic medical records (EMR, or patient medical history maintained by a single provider) and electronic health records (EHR, or patient medical history maintained by multiple providers), send prescriptions, communicate with patients, and more.
Why Protect Against a DDoS Attack Before It Happens?
The Difference Between a DoS Attack and a DDoS Attack
Among these threats, the urgency of addressing DoS and DDoS attacks has never been greater. A Denial of Service (DoS) attack is a deliberate attempt to overwhelm and render a system unavailable to intended users, preventing access to a network or a website. A successful DoS attack consumes all available network, application, or system resources, typically causing a network slowdown, application crash, or server crash.
When multiple sources coordinate in a DoS attack, it is known as a DDoS attack. DDoS attacks are a popular tactic, technique, and procedure (TTP) used by hacktivists and cybercriminals to overwhelm a target’s network to the point of inoperability, causing chaos and confusion. This presents a severe problem for healthcare providers who need network access to provide proper patient care and to send and receive emails, prescriptions, records, and other data. Some DDoS attacks are opportunistic or even accidental, but many are aimed at victims the cyber threat actors have singled out for ideological, social, political, or financial reasons.
Understanding DDoS Attacks
What is a DDoS Attack?
A Distributed Denial of Service attack, otherwise known as a DDoS attack, is a sub-category of a Denial of Service (DoS) attack that disrupts regular traffic to a server by overwhelming it with unsolicited data packets generated by various infected systems controlled under a botnet. There are three principal types of DDoS techniques:
- Volumetric attacks. These aim to consume available bandwidth.
- Protocol attacks. These exploit vulnerabilities in network protocols.
- Application attacks. These target vulnerabilities in specific applications or running services.
A DDoS attack can flood the system with uninvited traffic, leading to system downtime, which can have severe consequences, particularly for healthcare organizations where uninterrupted service is critical.
The negative impacts of a successful DDoS attack include, but aren’t limited to:
- Server and hosting interruptions. These can make essential healthcare services inaccessible, delaying critical patient care and potentially risking lives.
- Website vulnerability. Prolonged downtime can expose vulnerabilities in web applications, increasing the risk of further exploitation.
- Lost time and money. Recovery from a DDoS attack requires significant time and resources, diverting attention from patient care and strategic initiatives.
While all industries risk DDoS attacks, the healthcare sector is among the most targeted industries, accounting for 15.6% of attacks in 2023 – a noticeable spike since 2019. A network slowdown, application crash, or server crash can devastate a healthcare business. The cost of downtime alone can add up quickly. A recent survey by Radware found an average price of $6,130 per minute or $367,800 per hour. Of course, that does not include the other ramifications of successful DDoS attacks, including reputational harm and potential regulatory violations.
What DDoS Attack Methods Are Used?
DDoS attacks occur in various ways, and grasping which type of attack is happening is vital to properly mitigating it. According to the Multi-State Information Sharing and Analysis Center (MS-ISAC), which publishes a guide to DDoS attacks, there are two regularly observed main methods of DDoS attacks: “Standard” and “Reflection.”
Standard DDoS Attack
A standard DDoS attack occurs when cyber threat actors direct substantial network traffic to a target server or network. MS-ISAC reports, “One of the ways a cybercriminal accomplishes this is by using a botnet to send the network traffic. A botnet is a large number of previously compromised devices (also known as “bots” or “zombies”) that can be controlled over the internet from a single location and directed to carry out specific actions. When a botnet is used to perform a DDoS attack, the cybercriminals send instructions to zombie machines connected to that botnet, thereby magnifying the scale of their attack. By leveraging a botnet, attackers enable a DDoS attack to originate from multiple networks and countries.” Standard DDoS Attacks include SYN Flood, UDP Flood, SMBLoris, ICMP Flood, and HTTP GET Flood.
Reflection DDoS Attack
A reflection DDoS attack occurs when attackers spoof their IP address to pose as the intended victim and send requests to public-facing servers. The responses to these requests are sent to the intended victim from legitimate servers. MS-ISAC states, “In addition to these methods, cybercriminals increase the effectiveness of their attacks with a technique known as ‘amplification.’ Most often used in conjunction with reflection attacks, amplification occurs when threat actors request large amounts of data from third-party systems to ensure that the response sent to the victim is larger than the request sent from the attacker.” This might occur when the attacker “spoofs its IP address, pretending to be the victim, and requests all known data from a public server. This results in the attacker sending a small request, but the public server responds to the victim with a large amount of data.”
Reflection DDoS Attack types include NTP Reflection Attack With Amplification, DNS Reflection Attack With Amplification, CLDAP Reflection Attack With Amplification, WordPress Pingback Reflection Attack With Amplification, SSDP Reflection Attack With Amplification, Microsoft SQL Reflection Attack With Amplification, and Memcached DDoS Attacks (Amplification).
Why Are DDoS Attacks on the Rise in the Healthcare Industry?
Recommendations for DDoS Attack Mitigation
DDoS attacks can seriously overwhelm systems and disrupt your business and the critical services that must operate continuously. Without robust security measures, hospitals and medical facilities risk falling victim to these sophisticated cyber threats. Because seamless operation is the goal, healthcare organizations must remain vigilant and bolster their defenses against these advanced threats.
To effectively reduce the impact of DDoS attacks and ensure a quicker response when they occur, consider the following strategies:
- Partnerships with Service Providers. Refrain from being caught flat-footed! If you do not yet have a relationship with an experienced provider who can help you defend against a DDoS attack, selecting one now and keeping that provider on the team is essential. Developing and maintaining solid relationships with your upstream network service provider and with companies specializing in DDoS mitigation is an excellent start. Understanding the support they can offer during a DDoS attack is crucial: the quicker your provider can implement traffic blocks and mitigation strategies, the sooner your services will be available to legitimate users.
- Handling Attacking IP Addresses. During a DDoS attack, share the attacking IP addresses with your upstream network service provider for immediate restrictions. Use tools like the American Registry for Internet Numbers (ARIN) to identify who owns the source IP addresses, since Reflection DDoS Attacks often come from legitimate public servers. Accurate identification helps avoid blocking legitimate traffic.
- Firewall and Perimeter Device Configuration.
- Enable firewall logging for both accepted and denied traffic to trace the origin of the DDoS attack.
- To thwart SYN Flood attacks, set strict “TCP keepalive” and “maximum connection” parameters on all perimeter devices, such as firewalls and proxy servers.
- Configure firewalls to block traffic from reserved IP addresses, loopback addresses, private IP ranges, unassigned DHCP clients, and multicast addresses as specified in RFC 5735. Ensure these configurations are also applied at the ISP level.
- Port and Packet Size Filtering. To mitigate attacks, request that your upstream network service provider implement port and packet size filtering.
- Traffic Pattern Baselines. Regularly establish and validate baseline traffic patterns for your public-facing websites to detect anomalies.
- Vendor Patches and System Updates. Apply all vendor patches after appropriate testing to ensure your systems are up to date.
- Server Process Tuning. Adjust public-facing server processes to allow only the minimum number of connections needed for effective business operations.
- Traffic Anomalies Detection. Set up firewalls and intrusion detection/prevention systems to alert you of traffic anomalies.
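As an added example (not code from the article or from MS-ISAC), the Python script below applies two of the recommendations above to a constructed firewall log: it flags packets whose source falls in the RFC 5735 special-use ranges, and it flags unrequested UDP replies from the reflector services named in the Reflection DDoS Attack section so that their sources can be shared with the upstream provider without blocking legitimate answers. The log format, the addresses, and the `solicited` request set are assumptions for the example.

```python
import ipaddress
from collections import Counter
# RFC 5735 special-use IPv4 ranges: none of these should appear as a packet SOURCE at the Internet edge
RFC5735_BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.88.99.0/24", "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")]
# UDP source ports of the reflector services the article names; an unrequested reply from one is suspect
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP", 1434: "MS-SQL", 1900: "SSDP", 11211: "memcached"}

def is_rfc5735_source(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC5735_BLOCKED)

def parse_line(line):
    # Constructed (hypothetical) firewall log format: "ACTION PROTO src:sport -> dst:dport bytes"
    _action, proto, src, _arrow, dst, size = line.split()
    (sip, sport), (dip, dport) = src.rsplit(":", 1), dst.rsplit(":", 1)
    return {"proto": proto, "src": sip, "sport": int(sport), "dst": dip, "dport": int(dport), "bytes": int(size)}

def classify(rec, solicited):
    """Return a drop/alert tag, or None. `solicited` holds (our_ip, our_port, server_ip, server_port)
    tuples for requests we really sent, so genuine DNS/NTP answers are not mistaken for reflection."""
    if is_rfc5735_source(rec["src"]):
        return "bogon-source"
    if rec["proto"] == "UDP" and rec["sport"] in REFLECTOR_PORTS:
        if (rec["dst"], rec["dport"], rec["src"], rec["sport"]) not in solicited:
            return "unsolicited-" + REFLECTOR_PORTS[rec["sport"]]
    return None

def analyze(lines, solicited):
    """Count tags and total bytes per flagged source: the list to hand to the upstream provider."""
    tags, bytes_by_src = Counter(), Counter()
    for rec in map(parse_line, lines):
        tag = classify(rec, solicited)
        if tag:
            tags[tag] += 1
            bytes_by_src[rec["src"]] += rec["bytes"]
    return tags, bytes_by_src

# Constructed sample. Our server is 203.0.113.10 (TEST-NET-3); reflector sources come from 100.64.0.0/10
# (RFC 6598 shared space) so that no real host is named while the addresses still pass the RFC 5735 list.
SAMPLE_LOG = """\
ACCEPT UDP 100.64.1.7:123 -> 203.0.113.10:40001 468
ACCEPT UDP 100.64.1.7:123 -> 203.0.113.10:40002 468
ACCEPT UDP 100.64.2.25:53 -> 203.0.113.10:40003 3200
DENY TCP 10.0.0.5:44321 -> 203.0.113.10:443 60
ACCEPT UDP 100.64.0.53:53 -> 203.0.113.10:51515 120
ACCEPT TCP 100.64.9.9:443 -> 203.0.113.10:51000 1400""".splitlines()
SOLICITED = {("203.0.113.10", 51515, "100.64.0.53", 53)}  # the one DNS query we actually sent
if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, SOLICITED))
```

On the sample log the two NTP replies and the DNS reply that were never requested are tagged, the private-range source is tagged as a bogon, and the DNS answer to our own query plus the ordinary TCP session pass untouched.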
By implementing these streamlined recommendations, organizations can enhance their defense against DDoS attacks, ensuring better protection and faster recovery.