- Web application cyberattacks in the healthcare industry increased 51% in December, as COVID-19 vaccine distribution began, according to a report by Imperva Research Labs released Tuesday.
- Healthcare organizations, on average, were hit by nearly 500 web application attacks every month in 2020, a 10% year-over-year increase, according to Imperva.
- In December, cross-site scripting (XSS) attacks spiked 43%, accounting for the majority of overall web application attacks. SQL injections (SQLi) attacks were the second-largest in volume, increasing 44%, according to Imperva. Protocol manipulation attacks increased 76% and represented the third-largest volume.
Organizations use local applications as web applications through browsers, and every addition of a new application increases the number of targets for hackers. Common code is recycled, which makes preventing injection attacks challenging. XSS attacks, for example, offer boundless exploitability.
The spike in web application attacks directly correlates with how "many of the COVID-19 mitigation efforts are powered by new web applications and services," said Terry Ray, SVP and fellow at Imperva, though the company can't exactly pinpoint why the rise in attacks coincide with vaccine distribution.
"It would not be unreasonable to believe that attackers have found their way into vulnerabilities through connection points. We may not understand the full impact of these attacks for some time, unfortunately," Ray said.
Data breaches rooted in web application flaws are often traced back to issues with:
- Cross-site scripting
- Broken access control
- Resetting passwords due to failing to invalidate a session
- Server security misconfiguration
- Bypassing authentication due to broken authentication or session management
Each flaw provides attackers with a variety of execution strategies.
High-profile data breaches, including Equifax and Capital One, were linked to web application issues, specifically misconfigured web application firewalls. In 2018, Equifax's former SVP and CIO for corporate global platforms, said the firm's "aggressive growth strategy" piled on technological complexity. Equifax was acquiring other companies while building IT in house. It was a classic scenario of security falling behind fast-paced innovation.
"While many leaders worry that taking time to secure data might slow down their innovation projects, that mindset is indefensible," Ray said. "The answer to a growing number of cyberattacks isn't to throw more point solutions at the issue."
Before cloud-based systems became standard, organizations prioritized perimeter defense over data security. The cloud overhauled perimeter security, and a web application misconfiguration is seldom ever the cloud provider's responsibility. Exposed cloud databases, including Docker and Redis, are an increasing normality, Imperva found in earlier research. This year, healthcare provides rushed to adopt more cloud-based solutions to keep pace with pandemic-related demands.
"In a race to deploy new services, technology is added outside of the purview of the information security team. That means, there are more vulnerabilities to miss than ever before," Ray said. Security is responsible for knowing "where their data is at all times across all environments, how it is used, and who has access to it in order to apply the appropriate controls."
Cyberattacks on the healthcare industry have risen 45% since November, while other attacks against other industries have risen at half that rate, according to research from Check Point.
In 2019, healthcare providers became a primary target of ransomware attacks, a trend which continued into 2020 with a CISA alert for the Ryuk ransomware strain. However, "it's only the vulnerable application frontend to all healthcare data that experiences the variety and volume of daily [web application] attacks," according to Imperva.