As healthcare’s digital transformation continues, security remains a top priority — especially as distributed denial-of-service (DDoS) attacks target the click-to-call features on websites.
Click-to-call defines the services that enable patients to immediately call a hospital or clinic directly from a button on their website, either using a traditional phone service or Voice over Internet Protocol (VoIP) technology. This is different from click-to-callback features, which are used for less pressing medical needs, and is an important differentiation when securing hospital communications from DDoS attacks.
Because direct click-to-call scenarios use more resources, such as audio streams and interactive voice response (IVR) systems, these types of connections are much easier to effect using an application-layer DDoS attack.
When a DDoS attack affects a healthcare system, click-to-call features are often taken fully offline. If this occurs during a health emergency, the implications can mean life or death.
However, click-to-call features also offer enhanced and more personalized engagement in a cost-effective manner, so simply removing them could result in delayed care or service abandonment as well as raise the cost of future care. So what’s the best move?
Neustar’s 2017 Worldwide DDoS Attacks and Cyber Insights Research Report found that while 99% of the organizations it surveyed had some sort of DDoS protection in place, the vast majority of them (90%) were planning to invest more than in the previous year, and 36% thought they should be investing even more than that.
The same way that keeping protected health information (PHI) secure continues to be of the utmost importance, further steps must be taken to protect healthcare organizations from DDoS attacks.
Gated access through proper authentication
One of the primary ways healthcare organizations can prevent a DDoS attack is through proper authentication. Proper authentication reduces the attack surface by providing a gate of access to those systems and rules out certain flavors of anonymous attacks.
Anonymous DDoS attacks use an open access or resource and distribute/coordinate mass usage of the access, and are challenging to thwart as it is difficult to differentiate an attack from actual usage.
Proper authentication provides a simple differentiation. Credential loss is a possible attack vector even with authentication; however, coordinating DDoS attacks with authentication credentials is much more difficult due to the distribution of credentials. For instance, if an attacker has compromised a single access point and distributes the single authentication to all endpoints, a properly protected account could easily thwart an attack with access rate-limiting.
Securing Patient Portals
Implementing secure patient portals is another way to prevent DDoS attacks on medical call centers.
Patient portals require strong authentication. If proper authentication is required before using resources such as call centers and call agents, then the ability to launch a large-scale attack would require numerous credentials. In circumstances where multi-factor authentication is required, the complexity of a successful DDoS attack only increases — thereby making it more difficult to pull off.
For example, if a username/password entry into a patient portal required a text or email verification as well — or even a prompt on an installed smartphone application — then the loss of even a large set of credentials could not be used in an attack without also compromising some other form(s) of communication. Since patient portals also contain mass amounts of private data, securing that information to the highest degree in order to safeguard it properly is key and can also help prevent a large-scale attack on a hospital’s click-to-call functionality.
What the threat of DDoS attacks means to the global security community
Today it’s obviously critical that global security managers remain aware of the daunting DDoS threat. When (not “if”) an attack occurs, critical resources are consumed — sometimes even resources that are unrelated.
For example, a DDoS attack against a website might consume networking resources, bringing down a patient portal, and an attack against a patient portal may consume database resources and prevent normal internal operations.
DDoS attacks on weak targets are relatively inexpensive for attackers — existing botnets with simple traffic flooding exist and await the next purchase — and simple networking attacks can be thwarted with up-to-date networking equipment front-ending services.
However, application-aware and custom attacks are much more expensive to create, and can be made prohibitively expensive by taking simple steps like requiring authentication before allowing access to resource offerings.
Additionally, keeping software up-to-date is critical as software flaws are discovered, and quickly updating components is effective at blocking attacks before they can be crafted and deployed. Regularly updating systems and keeping them free of malware not only reduces available botnet size, amplification points and reflection points, but may also prevent a hop-off point for more sophisticated attacks.
As more tech companies enter the healthcare field to enable its digitization, and information security continues to be top of mind in every field, it’s important for those in the security industry — some of whom may directly dabble in healthcare — as well as the healthcare organizations themselves to focus on increasing their security measures and to know what they should be doing to prevent this type of communications attack.