
Attack on Availability: Hacktivists Drive Healthcare’s Next Big Digital Dilemma

March 3, 2025
Photo 217658546 © One Photo | Dreamstime.com

Neal Quinn, Head of the Cloud Security Services Business, Radware

For any healthcare organization today, availability is everything. To patients, hospitals and medical centers are buildings full of nurses and doctors. But behind the scenes, IT and digital medical applications have become just as critical as people. Doctors, patients, medical insurance representatives and other third-party providers communicate with one another through a growing array of platforms, connected medical devices, and legacy systems.

The success of this system depends on applications being available nearly 100% of the time. Without rapid access to electronic health records and digital medical tools connected to health networks, communications can be stalled, diagnoses delayed, and access to patient care disrupted and even denied.

Hacktivist Threats

Difficult to patch and secure, healthcare’s sprawling and complicated digital infrastructure and the sensitive patient data it collects and stores have made it a high value target for cybercriminals. Successful cyber strikes on healthcare systems sow chaos for patients and providers. For malicious actors, however, the end results are much different. The high visibility attacks generate notoriety and proof-of-capability advertisements.

This is particularly true for a growing number of hacktivists who are driven, often by religious and political beliefs, to wage a sophisticated new type of HTTPS flood attack on healthcare’s infrastructure. While HTTPS floods have been around for a while, the frequency and intensity of this new generation of layer 7 (L7) application attacks—also known as Web DDoS attacks—have increased dramatically, and the sophistication introduced by attackers is growing quickly.

Application Layer DDoS

One of the appeals of a DDoS attack is that it has gotten much easier to launch. This is driven by two trends. The first is that novice attackers with minimal skills now have easy access to powerful tools, a democratization that has fueled a dramatic growth in geo-political hacktivism.

One example of these tools is MHDDoS, a freely available DDoS toolkit that allows attackers to evade common DDoS countermeasures. However, a major part of its popularity relates to a second trend, namely its ability to launch Web DDoS attacks. Using tools such as MHDDoS, attackers can not only launch attacks but test and refine them beforehand until they find the weak points that overload a specific target application.

According to Radware’s H1 2024 Global Threat Analysis Report, in the first half of 2024, Web DDoS attacks surged globally 265% compared to the second half of 2023. These attacks can go from 0 to 30 million requests per second (RPS) in a few seconds and run for hours at a time. Most applications used in healthcare can sustain traffic of around 10,000 RPS, so ramping to millions of requests is more than enough to bring SaaS applications, APIs, DNS servers and authentication systems—and consequently patient care—to a standstill.

These requests look identical to legitimate traffic, which makes mitigating L7 attacks inherently difficult. Detecting Web DDoS attacks requires decryption and deep inspection into the L7 traffic headers, which network-based DDoS protection solutions weren’t built to do. Standard on-prem or cloud-based web application firewalls fail to keep up with their scale and randomization. And rate-limiting techniques have a major negative effect on legitimate traffic.
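As an added illustration (not code from the article or from Radware), the toy detector below runs over constructed access-log lines as they would be seen at a TLS-terminating proxy, where the L7 headers are visible. It assumes a constructed log format and a known baseline request rate, and it pairs the rate signal with a header-rotation signal so that a legitimate traffic burst is not cut off by rate alone.

```python
"""Toy L7 (Web DDoS) detector over access logs from a TLS-terminating proxy.
Added example, not Radware's or any product's logic: it pairs a request-rate
signal with a header-rotation signal so a legitimate burst is not cut off."""
from collections import defaultdict
import re

# Constructed sample: '<epoch_sec> <client_ip> <method> <path> "<user-agent>"'
SAMPLE_LOG = """\
100 10.0.0.1 GET /patient/records "Mozilla/5.0 (Windows NT 10.0) Chrome/120"
100 10.0.0.2 GET /api/labs "Mozilla/5.0 (Macintosh) Safari/17"
100 10.0.0.1 POST /api/orders "Mozilla/5.0 (Windows NT 10.0) Chrome/120"
101 198.51.100.7 GET /q?x=8f2a "rand-ua-01"
101 198.51.100.7 GET /q?x=c91d "rand-ua-02"
101 198.51.100.7 GET /q?x=77be "rand-ua-03"
101 198.51.100.7 GET /q?x=0a1f "rand-ua-04"
101 198.51.100.8 GET /q?x=b3d2 "rand-ua-05"
101 198.51.100.8 GET /q?x=5e60 "rand-ua-06"
101 198.51.100.8 GET /q?x=e4c9 "rand-ua-07"
101 198.51.100.8 GET /q?x=91aa "rand-ua-08"
"""
LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) "([^"]*)"$')

def parse_log(text):
    """Parse lines in the constructed format above; malformed lines are skipped."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            t, ip, method, path, ua = m.groups()
            recs.append({"t": int(t), "ip": ip, "method": method, "path": path, "ua": ua})
    return recs

def detect_web_ddos(records, baseline_rps, rate_factor=2.0, min_ua_per_source=3.0):
    """Return {second: metrics} for one-second windows whose request count exceeds
    rate_factor x baseline AND whose clients rotate User-Agent values (mean distinct
    UAs per source >= min_ua_per_source), i.e. the randomization the article describes."""
    by_sec = defaultdict(list)
    for r in records:
        by_sec[r["t"]].append(r)
    flagged = {}
    for sec, reqs in sorted(by_sec.items()):
        uas_by_ip = defaultdict(set)
        for r in reqs:
            uas_by_ip[r["ip"]].add(r["ua"])
        ua_per_source = sum(len(s) for s in uas_by_ip.values()) / len(uas_by_ip)
        if len(reqs) > rate_factor * baseline_rps and ua_per_source >= min_ua_per_source:
            flagged[sec] = {"rps": len(reqs), "sources": len(uas_by_ip),
                            "ua_per_source": ua_per_source}
    return flagged
```

A burst of the same size with stable browser headers from many clients trips the rate check but not the header check, which is the case a plain rate limiter would wrongly block.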

Attack on Availability

Historically, DDoS was a specialized niche separate from bot systems designed to target application logic. Now, both have been integrated in a way designed not simply to conduct denial of service but to erode L7 application availability in a more refined way.

One of the major challenges for healthcare organizations is that their application infrastructure is increasingly outsourced to third-party SaaS providers, which means they don’t have direct control over defense. It is not healthcare’s DDoS and anti-bot defenses that must stand up to an attack, it is someone else’s.

Adding to the challenge, there is currently no cybersecurity standard for availability with anything like the weight of HIPAA to give the issue a higher priority. US regulations such as HIPAA focus almost exclusively on data security and privacy. Instead, the importance the issue is given within the sector varies widely across a patchwork of healthcare providers. Healthcare’s often limited budgets and lengthy budgeting processes only further compound the security situation, delaying the speed with which additional protection capabilities can be added should a mid-cycle attack occur.

Digital Disruption

Web DDoS attacks against healthcare might be a way to bog down applications but the real targets are the human beings who depend on them.

The technical jargon shouldn’t obscure the intention; the attackers want to undermine the smooth working of society and see disrupting healthcare as a shortcut—if you like, a denial of access to medical care. Web DDoS attacks can potentially lead to a days or weeks-long outage at a major healthcare provider.

Healthcare Resilience

How should healthcare providers react to this threat? The first priority is to accept that an ‘availability terror attack’ by hacktivists or even nation states using Web DDoS is no longer a hypothetical. This is exactly what occurred when Killnet targeted the North American healthcare sector in 2023. At a bare minimum, this should spur healthcare organizations to analyze their application and SaaS dependencies, identify where they are exposed, and determine what remediation steps would be needed to protect their infrastructure during a range of cyberattack scenarios.

However, even this layer of resilience will struggle if it is not integrated into a longer-term plan. The digitalization of healthcare is evolving rapidly as hospitals add new applications and capabilities. The attack surface keeps growing. Defending future services needs to be factored into planning before they are designed.

Critically, healthcare needs to become more flexible in the way it budgets for cybersecurity contingencies. Countering Web DDoS attacks isn’t a job for the next budgeting cycle but for the here and now. Failure to act quickly is a false economy that serves only to obscure serious long-term risks.