HHS releases DDoS attack response plan

HHS’s Health Sector Cybersecurity Coordination Center (HC3) has posted an analysis note detailing how healthcare systems should respond to distributed denial-of-service (DDoS) attacks. The document, released May 30, provides updated best practices for how organizations can thwart these threats and get their networks back up and running.

DDoS attacks are common across all industries and can impact entities of any size. They occur when cybercriminals send artificial traffic to a network’s systems, such as a hospital website, to overload and halt online operations. 

“With the number of attacks increasing every year, they can come at any time, impact any part of a website’s operations or resources, and lead to massive amounts of service interruptions and huge financial losses. In the health and public health sector, they have the potential to deny healthcare organizations and providers access to vital resources that can have detrimental impact on the ability to provide care,” HC3 wrote. 

HC3 added these attacks are often the result of “massive botnets” built from a network of smart devices. And while DDoS attacks can stem from any malicious actor, they’ve become an increasingly common tactic for large cybercrime syndicates and politically motivated foreign entities seeking to destabilize a business.

The more Internet-ready devices connected to a system’s network, the more vulnerable it is to a DDoS threat, making healthcare a prime target.

“Moreover, DDoS attacks are getting more sophisticated and complex while getting easier and cheaper to perpetrate as cyber criminals take advantage of the sheer number of insecure internet-connected devices,” HC3 added.

Halting the botnet invaders

HC3 said security hygiene is the single best way to find potential vulnerabilities and identify vectors for attack before one happens. Specifically, the authors recommend regular security audits, real-time monitoring of traffic in and out of the network, and the creation of a security response plan that includes tasks for trained staff.

The key to minimizing damage from a DDoS attack is early detection. But, since a botnet invasion can start slow and ramp up very quickly, traffic volume isn’t always the best metric for rapid detection. 

“Rate-based detection is usually discussed first when it comes to DDoS attacks, but most effective DDoS attacks are not blocked using rate-based detection,” HC3 warned.

Instead, HC3 recommends healthcare institutions have a system in place to filter traffic, one that can automatically drop unwanted access to the network before it has time to build up to a larger threat. When filtering, unwanted traffic should be diverted to part of the network that isn’t connected to services, mainly a “sinkhole” or “scrubbing center,” the agency said. 

This diversion gives healthcare organizations a chance to track the DDoS attack and find out where it came from. This information should be used to bolster security and eliminate avenues for future intrusions.

Regardless of attack origins, HC3 recommends organizations not respond with a counterattack.

“While it may be tempting to try and kill off the botnet, it can create logistical problems and may result in legal ramifications. Generally, it is not recommended,” HC3 noted. 

Lastly, they recommend equipping every crucial system with a backup, specifically an alternate delivery network that allows relevant content, such as a patient portal, to stay active even if the attack is disrupting other primary services. 

The full HC3 document, including a list of resources to help develop an effective strategy against DDoS cyberattacks, can be found here.

Chad Van Alstin Health Imaging Health Exec

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.
