As DDoS Attacks Hammer Healthcare, Here’s what the Doctor Ordered
Recent reports have detailed the KillNet hacking group’s DDoS attacks against US hospitals creating a flurry of activity in the sector to improve security and security guidelines. The U.S. Department of Health and Human Services (HHS) even released an updated recommendation for institutions to protect themselves. The personal data involved in healthcare services is highly sensitive, and service continuity can be critically important.
We are seeing an increase in DDoS attacks, and they are also becoming more sophisticated. Here’s why:
• Low-cost barrier to entry: Today it's very inexpensive (less than $100) to conduct DDoS attacks, and their distributed nature makes them a very compelling tool for adversaries. Yet the cost to the targeted organizations can be over $100K/hour and higher.
• Greater chance of disruption: The large-scale volumetric DDoS attacks are on the rise, well beyond what typical organizations can handle.
• Fast-growing attack surface: Technology has enabled businesses to innovate quickly. Yet often software applications are developed and introduced without security in mind and adversaries will leverage software flaws as an entrypoint to an organization.
• COVID has accelerated Digital Transformation efforts: The lockdown and impact of COVID have greatly accelerated digital transformation across all industries, but especially in healthcare. Many more people and devices are on the internet than ever before, and this accelerated shift to remote work and telehealth practices significantly amplified the growth of the attack surface organizations need to manage.
While organizations' susceptibility to DDoS attacks can differ significantly, there are some fundamental steps that healthcare organizations – and other enterprises – should take today to mitigate risk. Let’s take a look at the key elements of a security solution that will protect any organization - healthcare or otherwise - from this kind of highly coordinated and advanced DDoS attack.
Understanding where the attacks occur: Web applications and APIs
Web applications are important for more than the healthcare industry - they are critical for keeping any business functioning online. This can include patient portals and electronic health record systems, as well as the APIs that these applications expose to communicate with other systems. This covers most of the systems that allow patients and healthcare professionals to submit, retrieve, or transfer data to/from a database over the internet, or perform thousands of other critical tasks. Every piece of the system that functions in this way also creates an attack surface for a web application attack that targets an organization’s infrastructure, and the KillNet DDoS is only one example out of many.
What you should implement
Here are core components to implement to safeguard your organization, but below we’ll talk about something just as important - how to think about implementing them.
Implement a multi-CDN strategy: In its January 30th, 2023 analyst note, the HHS recommended that healthcare organizations should choose a multi-CDN (Content Delivery Network) solution. A CDN is usually used to deliver content efficiently from an organization to an end user, but a good one also serves as a “bouncer” at the door to prevent DDoS attacks from being successful and ever reaching the servers and infrastructure of your organization.
Invest in a next-gen WAF: The WAF (Web Application Firewall) market has evolved to protect more than just web applications. Next-gen WAFs have expanded capabilities including WAF, DDoS protection, bot management and API protection.
Gain visibility into the next attack: Organizations need instant and useful visibility into attacks against their networks. If you’re not properly equipped, you may not even know when an attack happened or if you have been compromised. Visibility also helps organizations focus on where they want to spend the money. If you have one site that is trafficked by 10 people and another one is trafficked by a thousand people, which one would you want to work to protect first? What if one site was mostly marketing materials and the other dealt with sensitive data and patient health records and communications?
Enlist managed security services: Many organizations lack in-house web application security expertise to sufficiently manage risk. To close any gaps in coverage and ensure organizations are 24/7 protected against DDoS and other application-based attacks, consider hiring a managed security service (MSS).
Knowing what to do is half the battle, but evaluating the best way to do it, and selecting trusted partners is equally important.
How to evaluate the best implementations
The Edge Networking and Security space is crowded with lots of offerings, and they’re not all created equal. It’s important that the solutions and services you select:
1. Work as described to protect the organization
2. Are easy to implement and fast to deploy
3. Significantly reduce headaches for your internal teams rather than creating new ones
4. Can reliably protect you against the evolving nature of online attacks - not just the problem you’re experiencing today
Solutions that work as described to protect the organization
Make sure your selection has a proven track record of being effective, and that it has maintained that reputation recently as well. The security landscape changes rapidly, and providers who were trusted a year ago need to continue to evolve faster than the attackers. Fastly was just named Gartner Peer Insights™ Customers’ Choice for Web Application and API Protection for the fifth consecutive year - the only solution to receive that honor for five years in a row.
Ease of implementation and deployment
A solution can only deliver value once it is implemented, and for some solutions that can take weeks or months, and require a huge effort of configuration and tuning to get them to function well. Organizations need simple, effective solutions that are a snap to deploy and require little maintenance or finetuning. For example, the Fastly Next-Gen WAF (powered by Signal Sciences) can typically be deployed in less than one hour while similar solutions could take weeks or days to get up and running. The Next-Gen WAF (NGWAF) can be deployed anywhere – on-prem, on the edge, in the cloud, multi-cloud, for containers and hybrid solutions. It also provides unified management of these deployments so security teams don’t have to manage each deployment separately through individual dashboards and scattered reporting. Fastly know they can trust its performance, and it frees them to prioritize their time and resources to focus on their core business.
Reduce headaches for your internal teams (without creating new ones)
In addition to the potential implementation and tuning burdens for your security team mentioned above, you also need to be wary of security solutions that don’t integrate well into the existing tools your security and developer operations teams use. Forcing these teams to learn new tools can create problems. Even worse, forcing processes where they are required to collect, combine, and manipulate reporting data from multiple sources in order to analyze what’s happening and plan a response to an attack can lead to critical failures and harmful lag times.
Fastly integrates directly into the tools that your developers already use and gives your security engineers new capabilities without forcing them to learn any new tools. Our native integrations include Datadog, Slack, JIRA, Pagerduty, Splunk, and Elastic. You can read more about them here. Fastly’s API goes even further to let your developers integrate data and logging from the NGWAF directly into their existing tools and workflows quickly, and sometimes automatically.
Reliable protection against constantly evolving online attacks
DDoS attacks and other advanced attacks like botnets grow in complexity every year. It’s important to invest in solutions that you can rely on to stay ahead of the attackers with a strong track record of success.
Fastly’s CDN platform, with its global distributed pop network, is architected to actively mitigate massive DDoS attacks and keep our customers’ services up and running when those attacks are underway, allowing this part of the danger to be completely handled without the targeted organization needing to lift a finger. The network regularly deals with massive traffic surges, and recently set a new record for its traffic throughput on Superbowl Sunday at a mind-boggling scale. This ability to scale is helpful to absorbing big DDoS attacks as well. In addition, the Fastly Next-Gen WAF solution is built on years and years of experience and R&D protecting against an ever-changing threat landscape, including API vulnerabilities. In addition, Fastly’s edge observability tools can play a critical role in providing you with needed visibility to make the right risk mitigation decisions while also helping you prioritize security investments, especially if you have a finite budget.
Lastly, Fastly recently rolled out a new Managed Security Service for its Next-Gen WAF customers. Fastly has quickly become a trusted security advisor to help many of your favorite healthcare, financial, entertainment, and technology providers adopt a modern security posture without gouging.
Preparing for the future of DDoS attacks
Like other cybersecurity attacks, DDoS attacks will continue to evolve as adversaries build new strategies, adapt their tactics, and discover new exploits to gain access to their targets. Security teams that are serious about preparing for the future will adopt two important security trends:
1. Using risk to guide what they prioritize, and how they bring the rest of the organization along, and second defenders need to adopt a risk-based approach.
2. Understanding how to scale the capabilities of their team within the organization (with hiring, retention, tools, and more) to support the velocity of the company and handle the addition of new responsibilities within their team as the organization grows.
Companies need to invest in services and solutions that will work against not only the attacks that are known today, but also the unknown attacks we will definitely see in the future.
Additional resources to help you stay up-to-date:
• Watch this panel discussion about web application and API protection including:
• Current trends for organizational structuring
• Securely approaches to giving more access to development environments
• Suggestions on how and what to prioritize
• Guidance on how to evaluate and choose security products
• Get updates from the experts on the Fastly Security Research Team
Let Fastly help you navigate these challenges by getting in touch at firstname.lastname@example.org