HHS Offers Tips on Mitigating DDoS Risks
Latest Cyber Alert Spells Out Critical Steps to Take
Federal regulators have issued an alert urging healthcare sector organizations to take specific steps to prevent falling victim to distributed denial-of-service attacks.
The Department of Health and Human Services' Office for Civil Rights, in its latest monthly cyber awareness email newsletter, says organizations should, among other steps, continuously scan for compromised networked devices, monitor suspicious activity on specific ports and consider network segmentation.
To illustrate the risk DDoS attacks pose, the alert, without naming names, makes reference to an arrest tied to the 2014 DDoS attack on Children's Hospital of Boston and also the October internet of things-related botnet attack on internet service provider Dyn, which reportedly affected some electronic health record vendors' websites.
The OCR alert is a timely and important warning for healthcare sector organizations, says privacy and security expert Kate Borten, president of the consultancy The Marblehead Group.
"DDoS attacks are likely to continue and grow," she says. "And as more and more healthcare organizations are internet-dependent, we will feel the impact."
Dan Berger, CEO of security consulting firm Redspin, says the healthcare sector needs to be prepared to deal with DDoS attacks, even when it's not the primary target of such assaults.
"As the internet of things continues to grow exponentially, catastrophic DDoS attacks become possible," he says. "I don't think the healthcare sector will be a primary target, but that doesn't mean it will be immune to the impact of geographic-based attacks."
DDoS attacks could also become more sinister, says Keith Fricke, partner and principal consultant at tw-Security. "DDoS attacks resemble ransomware in the sense that both prevent access to information," he says. "Criminals could sustain a DDoS and demand a ransom to stop" in order to restore clinicians' access to critical data, he notes.
Signs to Watch For
OCR notes that while not all disruptions to service are the result of a DDoS attack, the U.S. Computer Emergency Readiness Team (US-CERT) warns that the following network or computer symptoms could indicate a DDoS attack:
- Unusually slow network performance, such as when opening files or accessing websites;
- Unavailability of a particular website;
- Inability to access any website;
- Dramatic increase in the amount of spam received in a technology account.
OCR's List of Action Items
OCR in its alert provides a list of measures that covered entities and business associates should take to help avoid falling victim to DDoS attacks:
- Continuously monitor and scan for vulnerable and compromised IoT devices on their networks and follow proper remediation actions;
- Create and implement password management policies and procedures for devices and their users. That includes ensuring all default passwords are changed to strong passwords;
- Install and maintain anti-malware software and security patches;
- Install a firewall and configure it to restrict traffic coming into and leaving an organization's network and IT systems;
- Segment networks where appropriate and apply appropriate security controls to control access among network segments;
- Disable universal plug and play on routers unless absolutely necessary;
- Look for suspicious traffic on port 48101, because infected devices often attempt to spread malware by using the port to send results to the threat actor;
- Monitor ports 2323/TCP and 23/TCP for attempts to gain unauthorized control over IoT devices using the network terminal protocol (Telnet);
- Promote security awareness, including the risks posed by medical devices and HVAC systems with network capabilities.
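The two port-monitoring items above, turned into a small detection pass over firewall connection records; this is an example added here, not code from OCR or the article. The log format, the 10.20.x.x internal range and the three-attempt threshold are constructed assumptions.

```python
from collections import Counter
import re

# Constructed sample firewall log lines (not from the alert). Fields:
# timestamp action proto src:sport -> dst:dport
SAMPLE_LOG = """\
2016-12-01T08:00:01 ALLOW TCP 10.20.5.14:51022 -> 203.0.113.9:443
2016-12-01T08:00:02 ALLOW TCP 10.20.7.30:40011 -> 198.51.100.77:48101
2016-12-01T08:00:03 DENY  TCP 192.0.2.55:33001 -> 10.20.7.41:23
2016-12-01T08:00:04 DENY  TCP 192.0.2.55:33002 -> 10.20.7.41:2323
2016-12-01T08:00:05 DENY  TCP 192.0.2.55:33003 -> 10.20.7.42:23
2016-12-01T08:00:06 ALLOW UDP 10.20.5.14:53044 -> 10.20.1.2:53
2016-12-01T08:00:07 ALLOW TCP 10.20.7.30:40012 -> 198.51.100.77:48101
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
TELNET_PORTS = {23, 2323}   # IoT takeover ports named in the alert (Telnet and its common alternate)
REPORT_PORT = 48101         # port the alert says infected devices use to report to the attacker
INTERNAL_PREFIX = "10.20."  # constructed internal address space (assumption)

def parse(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def analyze(log_text, telnet_threshold=3):
    """Return (internal hosts reaching 48101/tcp, external sources probing Telnet ports at least threshold times)."""
    report_hosts = set()
    telnet_probes = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        # Outbound 48101/tcp from an internal host: possible infected device reporting out.
        if rec["dport"] == REPORT_PORT and rec["src"].startswith(INTERNAL_PREFIX):
            report_hosts.add(rec["src"])
        # Inbound Telnet-port attempts against internal devices: count per source.
        elif rec["dport"] in TELNET_PORTS and rec["dst"].startswith(INTERNAL_PREFIX):
            telnet_probes[rec["src"]] += 1
    scanners = {s: n for s, n in telnet_probes.items() if n >= telnet_threshold}
    return sorted(report_hosts), scanners

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```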
Fricke adds another tip to the list. "Get in the habit of downloading security patches and keep them on file even if you aren't able to apply them right away," he urges.
"In January 2003, the SQL Slammer worm spread in an unprecedented manner, infecting Microsoft SQL Servers. Six months prior, Microsoft had released a patch to fix a vulnerability that the SQL Slammer worm was exploiting," he explains. "When the event occurred, so many organizations were trying to download the patch that Microsoft's web site actually experienced an unintentional DDoS, preventing people from getting the patch.
"If you can't apply patches right away, at least having them on hand can help if needed in an emergency."
Business Continuity Planning
Experts also advise healthcare organizations to include DDoS attack scenarios in their business continuity and disaster recovery plans.
Borten says organizations need to "be sure to perform annual tabletop exercises to validate and improve the plans. The HIPAA Security Rule calls for contingency planning that anticipates disruptions such as DDoS attacks."
Berger warns, however, that "backup systems may not be the solution as DDoS botnets often attack ranges of IP addresses. As a last resort, while it will always have limitations, fail-over to manual has to be a consideration."
Fricke notes that if DDoS attacks are impacting a hospital's internet connection, "they should be working with their internet service provider to resolve that situation as best as possible. Knowing in advance whom to contact at the ISP helps with the response time of the incident."
But if a DDoS attack is occurring on the hospital's internal network as a result of malware-infected devices or systems generating large amounts of traffic, "it may be necessary to consider isolating the offending devices or perhaps shut them down," Fricke says. "The latter requires understanding what role the device or system plays in delivering patient care to understand the impact of the decision to isolate or remove it from the network."