HHS Shares Best Practices for Preventing and Responding to Healthcare DDoS Attacks
The HHS Health Sector Cybersecurity Coordination Center has shared a guide to Distributed Denial of Service (DDoS) attacks that includes best practices for preventing and limiting the severity of DDoS attacks and recommendations for the attack response.
A DDoS attack is a type of denial of service (DoS) attack that attempts to overwhelm systems by sending high volumes of requests to render that system unavailable to legitimate users. In contrast to a standard denial of service (DoS) attack where the traffic usually comes from a single system, in a DDoS attack the traffic originates from multiple sources and involves much higher numbers of requests. DDoS attacks are typically conducted using a botnet, which is a network of internet-enabled devices that have been infected with malware or are otherwise under the control of the botnet operator. Those devices can be personal computers, servers, mobile devices, and internet-of-things (IoT) devices, with the latter allowing huge botnets to be created capable of conducting massive DDoS attacks.
While attacks can render systems unavailable, DDoS attacks are relatively short-lived. Burst attacks last anywhere from a few seconds to a few minutes and even these short-lived attacks can be incredibly damaging. Long-term attacks typically last from a few hours to a few days. DDoS attacks are becoming easier and cheaper to conduct and more sophisticated due to the large number of IoT devices now in use. A DDoS attack can be launched at any time and can cause considerable disruption to a website’s operation or resources. For companies that conduct their business online, a DDoS can cause service interruptions that result in huge financial losses. For healthcare organizations, the attacks can have an impact on the organization’s ability to provide care, such as affecting their ability to access electronic health records, medical equipment, and websites used to coordinate critical tasks.
DDoS attacks are conducted by a range of threat actors including financially motivated cybercriminal groups, politically motivated hacktivists and nation-state groups, and other malicious actors. The reasons for the attacks are also diverse and may be conducted as part of a broader attack, including by ransomware gangs to pressure victims into paying the ransom or as a smokescreen to draw the attention of the IT department away from day-to-day tasks to increase the chances of breaching networks undetected. Hackers may conduct attacks to gain influence, disrupt operations, and cause damage to a brand and nation-state hackers may conduct attacks to cause confusion and disrupt services to help them achieve their political aims. Last year saw record-breaking attacks conducted, including attacks on critical infrastructure such as hospitals. Little technical skill is required to conduct attacks as botnet operators offer DDoS-as-a-service. Some hacktivist groups have even crowdsourced funds to allow DDoS attacks to be conducted against specific targets.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The HC3 guide explains the different categories of DDoS attacks, commonly used attack tools and recommendations for preventing and reducing the severity of attacks. The best defense is to build a robust and scalable infrastructure that can cope with unexpectedly high traffic volumes and to consider using a DDoS mitigation service that can absorb traffic to prevent systems from becoming overwhelmed. It is important to include DDoS attacks in incident response planning and to conduct tabletop exercises to ensure that the plan is effective.
