Hacking, phishing and ransomware were already familiar to healthcare. DDoS attacks on a hospital are also now a reality. A still unknown number of Dutch hospitals in 2023 saw their own sites go down for a short or long time after being overloaded with digital data. How vulnerable is a hospital or other healthcare organization and what can they do to fend off DDoS attacks?
Distributed Denial of Service attacks are about as old as the Internet itself. So why have hospitals only now had to deal with the phenomenon? "With the war in Ukraine, the digital threat landscape has changed," observes Jort Kollerie, strategic advisor at Orange Cyberdefense. "There are groups trying to put pressure on Western society with DDoS attacks."
DDoS: digital bombardment
In essence, a DDoS attack is a digital bombardment. Using mostly hijacked machines, malicious actors bombard a server or a group of servers with large amounts of data. Result: systems become slow or fail, websites and online services go down.
Larger attack surface
In this regard, the healthcare sector is an easy target for several reasons. "Healthcare institutions have been digitizing more and more," clarifies Erno Doorenspleet, vice president of security strategy at KPN Security. "So there are also more and more Internet-facing systems. This increases the attack surface."
Semi-public character
Moreover, the potential for social unrest is relatively high. Healthcare providers are of eminent social importance, and because of their semi-public nature, the shutters to the outside are basically open. Does that make the sector extra vulnerable to DDoS attacks? "Not so much extra vulnerable, but extra attractive," thinks Joep Kremer, managing security consultant at ilionx. "If patients can no longer make appointments, that affects people directly. Especially among people who don't know their way around the digital world very well anyway, it causes anxiety. That way you can cause anxiety without getting to the primary processes."
No digital doorbell prank
Typically, DDoS attacks on a hospital require relatively little knowledge and capital. For very little money, virtually anyone on the Internet can "buy a DDoS," Doorenspleet said. For this very reason, it is regularly teenagers who carry out attacks out of mischief, for example to disrupt school during exams. But, the three experts emphasize, it is a misconception to see DDoS as just a digital prank.
DDoS is a weapon
"DDoS is really a weapon, because you can take down an organization with it," Kollerie said. Moreover, the goal often extends beyond harassing a single Internet user. Especially with large, organized attacks, it is all about inciting broader feelings of unrest and insecurity.
The involvement of hacker group Killnet in the recent DDoS attack on hospitals underscores this. Killnet is a non-state actor close to the Russian secret services. Ever since the beginning of Russia's invasion of Ukraine, Killnet has been trying to disrupt websites of public and semi-public institutions in the West. The late January attack affected not only Dutch, but also American and Danish hospitals.
Champions League
That hospitals are being attacked as a group is a novelty for Dutch healthcare. "The sector has been pushed a few times during corona," Doorenspleet recalls. "But the form in which it has happened now is spicier in terms of intelligence. We're not dealing with an angry scholar, but with something tending toward a state actor. It's Champions League versus local soccer."
Care provision not at risk
In no case, as far as is known now, has the provision of care been compromised. But that was not what the attackers were after, Kollerie believes. "The underlying intent is to hit the healthcare system so that people might start to question our support for Ukraine. Patients expect to be able to arrange regular things, such as scheduling or changing appointments, through the portal. If a hospital site is then not accessible, it still creates a kind of chaos."
Dangerous rumors
The disruptive effect of a DDoS attack can also cause upheaval inside an organization. "A few days after the DDoS attack on the University Hospital in Maastricht, internal systems were unavailable and operations could not take place," explained Doorenspleet. "Although there was no tangible evidence, you already heard noises about a possible relationship between the DDoS attack and the unavailability of IT systems at the hospital. Those are dangerous rumors."
Smoke screen
Doorenspleet points out the potentially most damaging side effect of a DDoS attack on a hospital: burning the front door to slip in through the back door. Doorenspleet: "DDoS is used a lot as a smoke screen. If I try to come in as an intruder, it shows up in the log files. But now if I flood the dashboards with information, I create a diversion where I might not stand out so much. The institution is so busy with DDoS that it can't pay attention to other things."
Oil slick
Once inside, DDoS attackers or sympathetic hackers can exploit the digital noise they create to lead end users astray. "Think of messages like 'there has been an attack, you need to change your password now' or 'you need to change your patient record login,'" Kollerie outlines possible phishing actions. "That way, the initial problem can spread like an oil slick."
Minimizing damage
The good news is that healthcare organizations can take steps to minimize any damage. Acting quickly is a prerequisite. "To make sure no one got in through the back door or through a window that was ajar, you start doing additional checks," Doorenspleet says. "It's monk's work, but basically after a DDoS attack you always have to go through all the files. That means you have to have the log information in order. That also helps in quickly detecting the start of a DDoS."
Segmentation
Another basic security measure is network segmentation. "Everything used to run on premises," Kollerie says. "But you don't want services within the hospital to be affected. By segmenting and distributing, you separate the Web site and portal from the other processes."
Digital health check
"What you have to look at carefully is: what should be Internet facing," Doorenspleet advises. "Think about what should be publicly available and what are the components of critical business operations. Given the pace of digitization, you should also periodically look at what is changing in the processes and architecture and what risks that poses. Think of it as a digital health check. Instead of blood pressure and sugar levels, as an organization you look at whether all digital connections and systems are in order."
Return on investment
Mitigating a DDoS attack is also an option. But organizations must take a keen look at the return on investment in doing so, Kremer believes. "You have to ask yourself how many resources you want to deploy to ward off all attacks. Splitting internal and external network traffic is still a relatively inexpensive measure. If a hospital only provides care in the Netherlands, you can allow only Dutch traffic in the event of an attack. By doing so, you will probably catch 90 percent of the attack. Some companies will want to repel an attack completely. But you have to ask yourself if that is necessary for healthcare."
"Banks or Web stores are mega-dependent on their Web sites for revenue," Doorenspleet knows. "They look at DDoS prevention differently than a company that doesn't make money directly through the Internet. But whether you're a bank or a healthcare institution, if you're going to be bothered by a state actor, you better be prepared, because you're going to be bothered."
Cat and mouse
"It remains a cat-and-mouse game," Kollerie argues. "The attacker comes up with something and the defender has to respond. If the defender manages to fend that off, the attacker naturally goes back to looking for something new."
With the creation of healthcare cybersecurity expertise center Z-Cert and its affiliated Care Detection Network, Dutch healthcare has slowly become a staunch defender. "The fact that Z-Cert was also DDoSed at the end of January indicates that it is a serious player," Doorenspleet said. "We should be quite proud of that."
DDoS attack on hospital: three tips
1. Get the log information in order
To quickly check all files after a DDoS attack, you need to have the log information in order. This also helps to detect the start of a DDoS quickly.
2. Segment the network
By segmenting and distributing, you separate the website and portal from the other processes. And that makes you less vulnerable.
3. Do a digital health check
Think about what should be publicly available and what are the components of critical business operations. The latter you shield off more strictly.
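The experts quoted above make two practical points: log information that is in order lets you spot the start of a DDoS quickly (tip 1), and a hospital that only serves the Netherlands can, during an attack, allow only Dutch traffic and thereby catch most of the flood. The following is an added example of both, written for this article; it is not code from the article, Z-CERT or any of the quoted firms. It parses access-log lines in the common combined format, flags the first time-window whose request count jumps far above the preceding quiet windows, and estimates what share of the traffic from that moment on a country allow-list would drop. The log lines and the IP-to-country table are constructed for the example (RFC 5737 documentation ranges stand in for Dutch, German and US address space); a real deployment would read the reverse proxy's access log and consult a GeoIP database.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import median

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed IP-to-country table (RFC 5737 documentation ranges).
# A real deployment would look this up in a GeoIP database instead.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "NL"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
]


def country_of(ip: str) -> str:
    """Map an address to a country code via the constructed table ('??' if unknown)."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "??"


def parse_line(line: str):
    """Parse one combined-format line into a record, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"], "status": int(m["status"])}


def requests_per_window(records, window: int = 10) -> Counter:
    """Count requests per fixed window of `window` seconds (epoch-aligned buckets)."""
    counts = Counter()
    for r in records:
        counts[int(r["ts"].timestamp()) // window * window] += 1
    return counts


def detect_onset(counts: Counter, baseline_windows: int = 12, factor: int = 5):
    """Return the first window start whose count exceeds `factor` times the median
    of the preceding `baseline_windows` windows, or None if no spike is seen."""
    buckets = sorted(counts)
    for i in range(baseline_windows, len(buckets)):
        base = median(counts[b] for b in buckets[i - baseline_windows:i])
        if counts[buckets[i]] > factor * max(base, 1):
            return buckets[i]
    return None


def geo_allow_effect(records, allowed=frozenset({"NL"}), since=None) -> dict:
    """Share of requests from `since` (epoch seconds) onward that an emergency
    country allow-list would drop, and the volume that would still get through."""
    total = dropped = 0
    for r in records:
        if since is not None and r["ts"].timestamp() < since:
            continue
        total += 1
        if country_of(r["ip"]) not in allowed:
            dropped += 1
    return {"total": total, "dropped": dropped, "passed": total - dropped,
            "dropped_share": dropped / total if total else 0.0}


def build_sample_log():
    """Constructed sample: five minutes of quiet Dutch portal traffic, then a
    60-second flood in which nine out of ten requests come from abroad."""
    start = datetime(2023, 1, 30, 9, 0, 0, tzinfo=timezone(timedelta(hours=1)))
    lines = []

    def emit(ip, t, path, status=200):
        lines.append(f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 4096')

    for sec in range(0, 300, 10):            # baseline: 3 requests per 10 s window
        for k in range(3):
            emit(f"203.0.113.{(sec // 10 + k) % 50 + 1}",
                 start + timedelta(seconds=sec + k), "/portal/afspraken")
    for sec in range(300, 360):              # flood: 40 requests per second
        for k in range(40):
            if k % 10 == 0:
                ip = f"203.0.113.{200 + k // 10}"   # a few hijacked Dutch hosts
            elif k % 2:
                ip = f"198.51.100.{k}"
            else:
                ip = f"192.0.2.{k}"
            emit(ip, start + timedelta(seconds=sec), "/portal/login", 503)
    return lines


def analyze(lines, window: int = 10) -> dict:
    """Parse the log, locate the onset of the flood and estimate the allow-list effect."""
    records = [r for r in map(parse_line, lines) if r]
    counts = requests_per_window(records, window)
    onset = detect_onset(counts)
    geo = geo_allow_effect(records, since=onset) if onset is not None else None
    return {"records": len(records), "peak_per_window": max(counts.values()),
            "onset": onset, "geo": geo}


if __name__ == "__main__":
    print(analyze(build_sample_log()))
```

The onset detector compares each window with the median of the windows before it rather than with a fixed threshold, so it adapts to a hospital's normal daily volume; the allow-list estimate is deliberately computed only from the onset onward, because the question the page raises is how much of the attack (not of everyday traffic) such a coarse filter would stop.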
For practical measures, Z-CERT refers to the site of the National Cyber Security Center (NCSC), which offers more information about online service continuity and the technical measures in this area.
Cybersecurity is one of the core themes during health tech event Zorg & ict, held April 9-11 at Jaarbeurs in Utrecht.