Healthcare patients demand easy access to medical records and scheduling, and the natural response is to offer more web applications.
Doctors and staff inside healthcare organizations also demand web applications for fast access to medical records, test results, and other critical data.
But web applications come at a risk. If not carefully designed and maintained, they can become targets for cyber attacks.
New research reveals trends in web application attacks in healthcare compared to attacks in other industries. Published by Positive Technologies, the report’s data was collected from web application firewalls during Q2 2017.
Here are the top five types of healthcare web application attacks shown in the report.
Attack #1. SQL Injection – 46.0%
SQL injection (SQLi) attacks occur when someone “injects” SQL statements into data-entry fields, such as a text box in an online form. The goal is to trick the system into revealing or manipulating its data.
SQL is the language used to communicate with databases, for example to query or change data, and it's widely used by web applications.
SQLi attacks accounted for nearly half (46.0%) of all healthcare web application attacks reviewed by Positive Technologies in Q2 2017.
However, across all industries, SQLi accounted for a far smaller percentage of web app attacks (24.9%), suggesting they are almost twice as common in the healthcare industry.
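To show what the "injected SQL statement" in a data-entry field actually does, here is an added example (not code from the report or from Positive Technologies) with a constructed in-memory SQLite table of patient records; the patient lookup is written once with string concatenation and once with a bound parameter, which is the standard mitigation.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration; not taken from any real system.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT, name TEXT, note TEXT)")
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?, ?)",
        [
            ("MRN-1001", "Alice Example", "constructed record"),
            ("MRN-1002", "Bob Example", "constructed record"),
        ],
    )
    return conn


def lookup_vulnerable(conn, mrn):
    # The form field is concatenated into the statement text, so whatever the
    # user typed becomes part of the SQL itself, not just a compared value.
    sql = "SELECT name FROM patients WHERE mrn = '" + mrn + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, mrn):
    # The placeholder is bound by the driver: the field is sent as data and
    # can never change the shape of the statement.
    sql = "SELECT name FROM patients WHERE mrn = ?"
    return [row[0] for row in conn.execute(sql, (mrn,))]


if __name__ == "__main__":
    db = make_db()
    # A field value containing a quote character and an OR clause: the
    # concatenated version returns every patient, the bound version none.
    probe = "' OR '1'='1"
    print("vulnerable:   ", lookup_vulnerable(db, probe))
    print("parameterized:", lookup_parameterized(db, probe))
```

The parameterized form is what the mitigation looks like in practice: the same lookup, with the record number passed as a bound value instead of spliced into the statement.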
Attack #2. Denial of Service – 22.8%
Distributed denial-of-service (DDoS) attacks accounted for slightly more than 1 in 5 web application attacks in healthcare (22.8%).
This is eight times the cross-industry average (2.8%). Perhaps this reflects the growing reliance of healthcare organizations on web portals?
DDoS attacks attempt to overwhelm resources – such as servers hosting web applications or websites – to slow or crash them, “denying” service to legitimate users.
While it’s tempting to write off the attacks as an inconvenience, they can harm companies via:
- Tarnished reputations and brands
- Loss of customer trust
- Increased customer churn
- Loss of revenue (due to downtime of a critical service)
DDoS attacks are also being used as smokescreens for network attacks, distracting from the attackers’ primary goal, which may be far more damaging.
Attack #3. Cross-Site Scripting – 16.0%
Cross-site scripting (XSS) attacks account for roughly 1 in 6 attacks (16%) against web applications in healthcare.
Averaged across all industries, XSS is the most common type of web application attack, accounting for nearly 40% of the total.
XSS begins when an attacker injects a malicious script into a vulnerable web application and the script is displayed to other users. The script can be used to redirect users to other websites, steal login credentials, and more.
Attack #4. Path Traversal – 5.7%
About 1 in 20 healthcare attacks observed were cases of path traversal, also known as directory traversal.
This is roughly equal to the prevalence of this attack more broadly across industries (6.6% overall).
Path traversal is when an attacker crafts an HTTP request to navigate to unauthorized parent directories and display the contents of sensitive files.
You can see a simple example of path traversal on Wikipedia.
Attack #5. Local File Inclusion – 4.5%
Though only a small percentage of attacks on healthcare web applications used local file inclusion (LFI), LFI attacks were far more common in healthcare than across industries in general.
LFI attacks are similar to directory traversals. The attacker crafts an HTTP request to access unauthorized files. However, instead of displaying the file’s contents, its code is executed on the system.
You can see a simple example of LFI from the Open Web Application Security Project (OWASP).
Other Web Application Attacks – 5%
The remainder of web application attacks in healthcare are bundled into “the other” category and are 5% of the total.
A few worth mentioning:
- OS Commanding – Also known as command injection, this attack aims to execute commands on the host operating system through a vulnerable web application. One-third (36.4%) of web app attacks on energy and manufacturing companies were of this type.
- Information Leakage – Though rare in healthcare, information leakage accounted for 18% of attacks against government web apps and 4.6% across all industries. These attacks target sensitive information revealed by the system, such as error messages and comments in HTML code.
- XML Injection – Similar to SQLi attacks, XML injection manipulates a web application by inserting malicious XML code in place of legitimate form data. About 7% of web application attacks against IT companies were of this type.