As healthcare organizations adopt connected medical devices and the Internet of Things (IoT), their responsibility for protecting health IT infrastructures against distributed-denial-of-service (DDoS) attacks grows.
DDoS attacks occur when an outside party overwhelms an organization’s bandwidth and resources with unsolicited traffic, which in turn makes online services unavailable.
For connected medical and IoT devices that constantly exchange data over a network connection, a DDoS attack will completely derail their operation. Cloud-based EHR and email systems are also rendered unusable, preventing clinicians from accessing critical patient information and putting patients and their protected health information (PHI) at risk.
“An attacker may be able to deter patients or healthcare personnel from accessing critical healthcare assets such as payroll systems, electronic health record databases, and software-based medical equipment (MRI, EKGs, infusion pumps, etc.),” said the Office for Civil Rights (OCR) in a recent cybersecurity newsletter.
“The attacker may hijack or take control of a computer, forcing the computer to send out huge amounts of illegitimate data traffic to particular websites or send spam to particular email addresses,” OCR continued. “The attacker can also control multiple computers with malicious software (also known as botnets) to launch a DoS attack.”
According to Akamai’s quarterly State of the Internet: Security Report published in May 2016, DDoS attacks increased by almost 40 percent over the previous year, making them one of the most serious threats to healthcare data.
Mobile devices such as smartphones and IoT devices broaden the attack surface, making mobile and bring-your-own-device (BYOD) policies more important than ever. DDoS bots can target unprotected devices and use them to launch a DDoS attack.
DDoS attacks are common among hacktivist groups, politically motivated attackers that conduct cyber-attacks against organizations high profile enough to serve as a platform for a cause and to gain media attention.
An Institute for Critical Infrastructure Technology (ICIT) report states that while one may assume healthcare organizations are safe from hacktivist attacks because they do what is generally considered “good work”, many healthcare organizations are targeted because of their size and the amount of sensitive data available to steal.
The ICIT report suggests examining internal and external connections for different IT infrastructure systems to determine which systems are most at risk for DDoS attacks.
“Hospitals and other healthcare providers should note which of their systems have an external connection and which systems depend upon that connection for operation,” the report authors advised. “If protocol requires that external systems, email, or e-prescribing systems need to cease operation in the event of a cyber-attack, then the team needs to disconnect those systems post haste. Secure communications, such as teleconferences, rely on secure exchange of passcodes, especially when users know that the network might already be under attack.”
The report used Boston Children’s Hospital as an example of how internally hosted systems fare against DDoS attacks compared with their externally hosted counterparts.
“Boston Children’s Hospital’s EHR remained unmolested because it is hosted internally; meanwhile its e-prescribing system went down the second the external connection went down,” the report found.
Among its recommendations for defending organizations against future DDoS attacks, the ICIT report suggests deploying monitoring systems before replacing or investing in new systems. Log monitoring, intrusion detection systems, and intrusion prevention systems can detect threats before they become actual data breaches.
The longer a security threat is able to remain undetected and map the network, the more severe a data breach will be, which makes monitoring the first and arguably most important step of DDoS prevention.
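The kind of log monitoring the report recommends can be as simple as a sliding-window request-rate check over web-server access logs. The block below is an added example, not code from the article or from ICIT; the log lines, source addresses, window size and thresholds are all constructed for illustration.

```python
"""Added example: sliding-window request-rate monitor over constructed
Common Log Format access-log lines, raising an alert when a single source
or the overall request rate exceeds a threshold (the volumetric pattern
of a DDoS) so defenders can react before services become unavailable."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one Common Log Format line into (source_ip, timestamp), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT)


def detect_floods(lines, window_s=10, per_source_max=5, total_max=20):
    """Return (timestamp, kind, key, count) alerts; one alert per source or
    for the total the first time its request count in the window exceeds
    the limit. Thresholds here are constructed, not tuned for real traffic."""
    window = timedelta(seconds=window_s)
    per_source, total = defaultdict(deque), deque()
    alerted, alerts = set(), []
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e[1])
    for ip, ts in events:
        for key, q, limit in ((("source", ip), per_source[ip], per_source_max),
                              (("total", "*"), total, total_max)):
            q.append(ts)
            while ts - q[0] > window:   # drop events older than the window
                q.popleft()
            if len(q) > limit and key not in alerted:
                alerted.add(key)
                alerts.append((ts, key[0], key[1], len(q)))
    return alerts


def _cl(ip, hhmmss, path, status="200", size="512"):
    """Build one constructed Common Log Format line."""
    return f'{ip} - - [01/May/2016:{hhmmss} +0000] "GET {path} HTTP/1.1" {status} {size}'


# Constructed sample: a normal trickle of clinician traffic, then 120 requests
# in one minute from three documentation-range addresses (RFC 5737).
SAMPLE_LOG = [_cl("10.0.0.5", f"10:00:{s:02d}", "/ehr/patient/1") for s in (0, 15, 30, 45)]
SAMPLE_LOG += [_cl(f"203.0.113.{1 + i % 3}", f"10:01:{i // 2:02d}", "/", size="0")
               for i in range(120)]

if __name__ == "__main__":
    for ts, kind, key, count in detect_floods(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} {kind:6} {key:12} {count} requests in window")
```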
“The adversary needs time to map the network, to determine which system it needs to infect, and to figure out how to move to that system,” the authors explained. “This process is complicated by the necessity that the adversary move slowly and carefully through the compromised network to avoid detection. The impact of a breach is proportional to the amount of time that an adversary can remain undetected in the compromised system.”
Placing monitoring systems in the outer layer of a healthcare network security architecture is flexible and scalable, and it continues to protect the network even as an organization updates and replaces parts of its IT infrastructure.
The report concludes that no amount of added infrastructure security can completely secure a network against DDoS or any other kind of cybersecurity breach. Monitoring systems determine whether proactive or reactive controls need to be implemented to best secure a network from DDoS attacks.