The Hidden Risk of DDoS in Healthcare


Ted McKendall

Availability of data has always been a part of overall security best practices.  In healthcare, this is established in the HIPAA Security Rule which mandates that covered entities “Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.”  (45 CFR 164.306)


For the most part, the focus in healthcare has been on the first two elements of this triad.  This makes sense, since healthcare is one of the most frequently hacked industries.  Since 2010, Health/Medical has been the #1 or #2 most-breached sector tracked by the Identity Theft Resource Center.  The HHS “wall of shame” bears this out, listing 93 breaches through November of this year due to hacking/IT incidents, a 72% increase over the same period in 2015.  Healthcare records are valuable, and their disclosure to, or modification by, unauthorized persons can have grave consequences.  So it is reasonable to invest in protecting the confidentiality and integrity of these records.  But what about availability of data?


Yes, availability is addressed, but in healthcare it has generally been considered from the perspective of redundancy and uptime rather than of a targeted attack.  Availability is defined as “the property that data or information is accessible and useable upon demand by an authorized person.” (45 CFR 164.304)  A distributed denial of service (DDoS) attack is by definition a direct attack on availability: its purpose is to make the targeted information or service inaccessible to the authorized people who need it.


There are two main risks a DDoS attack poses to a healthcare organization.  The first is the obvious one: the unavailability of critical systems.  An increasing share of healthcare information and systems is delivered online, and online access is often the primary or only method of access.  For patients, it is often the main way to view their records and test results, communicate with doctors, and so on.  Providers rely on online access to route prescriptions, manage a practice, reach electronic health records stored offsite, and more.  Healthcare has not been one of the top sectors hit with DDoS attacks, but such attacks do occur and can be very disruptive.  Perhaps the best known is the 2014 attack on Boston Children’s Hospital, which impeded operations and cost the hospital close to $600,000.


But there is another risk.  A recent survey of 1,000 information security professionals worldwide found that in a majority of cases, DDoS attacks were accompanied by additional compromise such as viruses or other malware.  The same report found that 21% resulted in customer data theft.  This is the hidden risk of DDoS to healthcare: a sophisticated attacker using DDoS as a smokescreen for a more targeted attack to steal or modify PHI while defenders are occupied with the flood.  Furthermore, because DDoS attacks are not yet common in healthcare, many organizations may not be as experienced or prepared as they should be.


How should healthcare organizations better prepare?  By treating availability as part of an overall security strategy.  For DDoS, this means not settling for a simple point solution, but looking for a comprehensive web security solution that includes DDoS mitigation together with full web application protection against the OWASP Top Ten, zero-days, and targeted application attacks.  Such solutions are more strategic and ensure that, even under the stress of a DDoS attack, safeguards remain in place against stealthy application attacks that try to fly beneath the radar and access PHI.
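As an added example, not code from the original post or its author, the following Python sketch shows the kind of safeguard the two preceding paragraphs argue for: application-layer monitoring that keeps running during a volumetric flood and flags low-volume sources that enumerate patient records while the flood is under way.  The log format, IP addresses, the /api/patients/<id> endpoint and every threshold are constructed assumptions for illustration.

```python
"""Toy detector for the "DDoS as smokescreen" pattern.

Added example, not part of the original post. The access-log lines, hostnames,
IP addresses, URL paths and thresholds below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Apache/nginx combined-log style: ip - user [ts] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Hypothetical PHI endpoint; the numeric record id is what a scraper would enumerate.
SENSITIVE_RE = re.compile(r"^/api/patients/(?P<record>\d+)$")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    entry["status"] = int(entry["status"])
    return entry


def find_smokescreen_access(lines, flood_factor=10, flood_share=0.10, min_records=5):
    """Return {ip: {record ids}} for sources that successfully read at least
    min_records distinct PHI records during a flood minute while contributing
    less than flood_share of that minute's traffic (i.e. they are not the bots).
    A flood minute is one whose request count is >= flood_factor x the median
    per-minute count over the whole log."""
    entries = [e for e in (parse_line(l) for l in lines) if e]
    per_minute = defaultdict(list)
    for e in entries:
        per_minute[e["ts"].replace(second=0)].append(e)
    counts = {minute: len(v) for minute, v in per_minute.items()}
    if not counts:
        return {}
    threshold = flood_factor * median(counts.values())
    flood_minutes = [minute for minute, c in counts.items() if c >= threshold]

    flagged = {}
    for minute in flood_minutes:
        bucket = per_minute[minute]
        by_ip = Counter(e["ip"] for e in bucket)
        total = len(bucket)
        records = defaultdict(set)
        for e in bucket:
            if e["status"] != 200:          # only successful reads leak PHI
                continue
            hit = SENSITIVE_RE.match(e["path"])
            if hit and by_ip[e["ip"]] < flood_share * total:
                records[e["ip"]].add(hit["record"])
        for ip, recs in records.items():
            if len(recs) >= min_records:
                flagged.setdefault(ip, set()).update(recs)
    return flagged


def build_sample_log():
    """Constructed log: two quiet minutes, then one minute in which four bots
    flood /login while one low-volume source walks the patient API."""
    base = datetime(2016, 11, 14, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, ts, path, status=200):
        return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 512'

    lines = []
    for minute in (0, 1):                   # normal portal use by one legitimate user
        for i in range(5):
            ts = base + timedelta(minutes=minute, seconds=10 * i)
            lines.append(line("198.51.100.5", ts, "/api/patients/1001" if i == 0 else "/portal/home"))
    flood_start = base + timedelta(minutes=2)
    for bot in range(4):                    # volumetric noise: 4 bots x 50 requests
        for i in range(50):
            lines.append(line(f"192.0.2.{bot + 1}", flood_start + timedelta(seconds=i), "/login", 503))
    for i in range(12):                     # stealthy actor enumerating 12 records
        lines.append(line("203.0.113.7", flood_start + timedelta(seconds=3 * i), f"/api/patients/{2000 + i}"))
    for sec in (20, 40):                    # legitimate user re-reading their own record
        lines.append(line("198.51.100.5", flood_start + timedelta(seconds=sec), "/api/patients/1001"))
    return lines


if __name__ == "__main__":
    for ip, recs in find_smokescreen_access(build_sample_log()).items():
        print(f"{ip} read {len(recs)} distinct patient records during the flood")
```

The point of the two thresholds is that the flood participants and the thief look different: the bots are high-volume and mostly fail, while the thief is low-volume, succeeds, and touches many distinct records.  A detector that simply drops all logging during the flood, or that rate-limits by volume alone, sees neither.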


To learn more about the risks of DDoS attacks on the Healthcare industry watch our on demand webinar.