OCR Warns Covered Entities of Risk of DDoS Attacks

There has been a surge in Distributed Denial of Service (DDoS) and Denial of Service (DOS) attacks over the past few weeks, including targeting HIPAA-covered entities. The attacks involve flooding systems with information and requests to cause those systems to crash. The attacks have resulted in large sections of the Internet being taken offline, email systems have crashed, and other computer equipment taken out of action.

DDoS attacks on healthcare organizations could prevent patients from accessing web services such as patient portals during an attack, but they can also prevent healthcare employees from accessing systems that are critical for healthcare operations. EHRs, payroll systems, or even software-based medical equipment such as drug infusion pumps and MRIs can potentially be taken out of action.

Not only do DDoS attacks prevent these systems from being accessed, they can also result in substantial hardware damage and the cost of repair can be considerable.

The scale of the recent attacks has been astonishing. Whereas last year, DDoS attacks of the order of 300 Gbps something of a rarity, this year we have seen attacks performed well in excess of 600 Gbps. One French hosting company registered a DDoS attack of 1Tbps.

The attackers behind the recent DDoS attacks have taken advantage of poor security controls on IoT (Internet of Things) devices such as the failure to change default passwords. The devices have been used to create huge botnets – devices infected with malicious software that are used to flood systems with traffic.

The recent attacks have primarily used surveillance cameras and DVRs; however, any IoT device could be compromised and used for the attacks.

Hospitals now have many IoT devices connected to their networks, which could all potentially be compromised and added to botnets and used for attacks on other organizations, or for attacks on other systems used by hospitals.

The attacks are likely to continue. Further, as more IoT devices with weak security controls are installed, the scale of the attacks is likely to increase. Healthcare organizations have been attacked in the past and further attacks are likely.

This week, the Department of Health and Human Services’ Office for Civil Rights has contacted healthcare organizations to raise awareness of the threat and urged to take action to protect their systems from attack and to take steps to prevent their IoT devices from being added to botnets.

There are a number of actions that healthcare organizations can take to protect their devices – and their networks – from DoS and DDoS attacks.

Organizations should perform scans of their networks for vulnerable IoT devices, continuously scan for compromised devices, apply security patches promptly to address known vulnerabilities and change all default passwords on every IoT device. Default passwords are easily guessed or can be found online.

OCR recommends following the advice of US-CERT:


Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.