Feds Warn Healthcare Sector of Web Application Attacks

Healthcare web applications provide access for patients to make appointments and obtain copies of test results and medical records - but they may also put your practice at serious risk of a data breach.

In an advisory issued on Thursday, the Department of Health and Human Services Health Sector Cybersecurity Coordination Center warns that hackers often leverage stolen credentials or exploit a known vulnerability in attacks involving healthcare web applications.

Healthcare web applications at risk include patient and health insurance portals, telehealth services, online pharmacies, electronic health records, patient monitoring with IoT devices, webmail and hospital inventory management.

What should you do to protect your practice (or healthcare clients if you are an MSP)?

Confirm that your web-based applications are tested using the Open Web Application Security Project (OWASP) standard for secure coding. You should also have vulnerability scan and patching programs to look for other vulnerabilities that could be exploited in your network and review the configuration of your firewalls to ensure that appropriate geographic filtering and known malicious sites are being blocked. Threat monitoring using a Security Operations Center (SOC) can help detect anything unusual that could indicate an attack.