Client-Side Risks in Healthcare: Reinforcing Existing Application Security Programs
June 25th, 2024 | By Tom Vicary | 11 min read
With client-side attacks on healthcare on the rise, healthcare data security is paramount. Learn how to mitigate and prevent client-side attacks in healthcare, protect patient data, and enhance healthcare data security.
Healthcare is the organized provision of medical care to individuals or a community. But does this vital sector do enough to secure the vast amount of personal health information (PHI) it holds?
Tempted by this data, cybercriminals have driven a surge in cyber risks for healthcare that jeopardize patient safety.
Global cyber security breaches compiled by technology research provider Omdia show the sector was hit by more cyberattacks than any other between January and September 2023, suffering 241 attacks – that's over 100 more than government (147) and almost three times more than software, hardware, and IT services (91).
Cybercriminals are exploiting a perfect storm of vulnerable legacy systems that haven’t been upgraded and a demand for healthcare data that’s more digitized, distributed, and mobile.
To gain unauthorized access, steal sensitive information, or install malicious software, cybercriminals have an arsenal of dynamic attacks and vulnerabilities they can exploit.
It’s up to healthcare organizations to mitigate this pervasive threat by adopting a holistic approach to their existing application security programs by adding client-side protection.
Top cyber risks in healthcare
Phishing
Phishing is one of the most common cyber threats across sectors, with 94% of businesses experiencing an attack in 2023 – and healthcare is no exception. This attack vector – which typically involves mass email campaigns designed to trick employees into giving up passwords or clicking on malicious links that infect devices with malware – is used as a platform to compromise PHI.
In February 2015, Anthem Inc. – an American health insurance provider – announced it had been the victim of a phishing attack and subsequent data breach. It was one of the largest and costliest healthcare data breaches ever reported, involving 78.8 million records of its plan members. Anthem Inc. settled a class action lawsuit with breach victims for $115 million.
To combat phishing, a combination of proactive measures is required, including an email security tool to prevent nefarious emails from reaching inboxes, a web filter for blocking access to malicious websites, antivirus software on all endpoints, an intrusion detection system for identifying suspicious activity, and security awareness training.
Cross-site scripting (XSS)
XSS occurs when an attacker injects malicious code into the HTML pages displayed to users. When the victim’s browser executes that code, it performs harmful actions, such as compromising PHI.
In 2019 Mission Health – North Carolina’s sixth-largest health system – disclosed a data breach caused by XSS. The attack, which injected malicious scripts into Mission Health’s e-commerce web application, wasn’t detected for three years.
This threat to the healthcare sector intensified during the pandemic: in December 2020, cross-site scripting (XSS) attacks spiked 43%, accounting for the majority of overall web application attacks.
To shield your website from XSS, you must validate and sanitize all client-side user input. Any input that is used as part of HTML output introduces a risk of an XSS attack, so be as vigilant about input from authenticated and/or internal users as you would public input. Encode user-generated content before displaying it on web pages to prevent the browser from interpreting it as executable code.
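The encoding step above, as an added example that is not part of the original article: a constructed patient-note value is rendered three ways, once by unsafe concatenation and then with context-appropriate encoding for an element body, a quoted attribute, and data handed to an inline script.

```python
# Added example (not from the original article): output encoding for
# untrusted input before it is placed in HTML, contrasted with the unsafe
# string concatenation that produces a stored or reflected XSS.
import html
import json

# Constructed sample: a free-text "patient note" field carrying a script tag.
UNTRUSTED_NOTE = '<script>fetch("/records")</script>'


def render_unsafe(note: str) -> str:
    """Vulnerable: untrusted text is concatenated straight into the HTML."""
    return f"<div class='note'>{note}</div>"


def render_html_body(note: str) -> str:
    """Safe for an element body: <, >, &, and quotes become entities."""
    return f"<div class='note'>{html.escape(note, quote=True)}</div>"


def render_attribute(note: str) -> str:
    """Safe for a quoted attribute value: same escaping, value always quoted."""
    return f'<input type="text" value="{html.escape(note, quote=True)}">'


def render_script_data(note: str) -> str:
    """Safe for data embedded in an inline script: JSON-serialize it and
    replace '<' with its unicode escape so '</script>' inside the data
    cannot close the script element early."""
    safe = json.dumps(note).replace("<", "\\u003c")
    return f"<script>const note = {safe};</script>"
```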
SQL injection
This vulnerability occurs when an attacker inserts malicious SQL (structured query language) code into input fields of a web application's form or URL parameters to manipulate the application's database.
In 2015, Medical Informatics Engineering (MIE), an American electronic health records software firm, published a notice that attackers had breached patient data in its WebChart web app. The attacker used an SQL injection exploit against the company database, which impacted the PHI of 3.9 million patients.
Preventing this pervasive threat requires input validation and parameterized queries, including prepared statements. These let you filter inputs, restrict the SQL the database will execute, restrict database access, and maintain and monitor the application and database.
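The two controls just named, parameterized queries and input validation, as an added example that is not part of the original article, using Python's built-in sqlite3 and a constructed in-memory patients table (the MRN values and names are sample data):

```python
# Added example (not from the original article): a string-built query that
# is open to SQL injection next to the parameterized version, plus a format
# check on the identifier as a second layer.
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory table of sample patient records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, mrn TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO patients (mrn, name) VALUES (?, ?)",
        [("MRN-001", "Alice Example"), ("MRN-002", "Bob Example")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, mrn: str) -> list:
    """Vulnerable: the medical record number is spliced into the SQL text,
    so a quote in the input changes the query's logic."""
    sql = f"SELECT name FROM patients WHERE mrn = '{mrn}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, mrn: str) -> list:
    """Fixed: the value is bound as a parameter and is only ever data."""
    rows = conn.execute("SELECT name FROM patients WHERE mrn = ?", (mrn,))
    return [row[0] for row in rows]


def validate_mrn(mrn: str) -> bool:
    """Defense in depth: accept only the expected identifier format."""
    return re.fullmatch(r"MRN-\d{3,}", mrn) is not None


def run_demo() -> dict:
    """Show both lookups against the same textbook payload."""
    conn = make_db()
    payload = "' OR '1'='1"  # constructed input with an embedded quote
    return {
        "unsafe": lookup_unsafe(conn, payload),  # returns every row
        "safe": lookup_safe(conn, payload),      # returns nothing
        "valid_input": validate_mrn("MRN-001"),
        "payload_valid": validate_mrn(payload),
    }
```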
Data leakage
Occasionally, cybercriminals don’t have to circumvent an organization’s cybersecurity perimeter because the back door is left open to them by the unauthorized or unintentional exposure of sensitive information.
Known as data leakage, this typically occurs via the web and email, for example when an employee sends a message to the wrong recipients, or through flaws in security policies and unpatched vulnerabilities in software. It can also happen when USB keys or laptops are left unattended or when a disgruntled employee leaks sensitive information.
In 2023, HCA Healthcare revealed it suffered a major data leakage affecting approximately 11 million patients. The private healthcare provider, which has 180 hospitals and over 2,300 sites in the US and UK, said the information was posted on an online forum “by an unknown and unauthorized party”.
Robust data leakage prevention is performed across four key stages:
Monitoring: gather information on all user sessions and attribute levels of risk to each vendor based on its behavior.
Risk mitigation: achieve visibility and control over the sensitive data being inserted on web forms and which vendors are accessing and transferring sensitive data from them to block unauthorized access.
Script control: gain control over all first and third-party script behavior by enforcing comprehensive data access rules to block unauthorized activity.
Regulatory compliance: comply with the Payment Card Industry Data Security Standard (PCI DSS) – the global card industry security standard.
Third-party tracking software
Third-party tracking refers to snippets of code on multiple websites that trace or assist in tracking the user’s visit – usually without their explicit consent – to monitor, collect, and send data about their browsing history to third parties.
The resulting information is leveraged for targeted advertising, analytics, or behavior profiling. Unfortunately, a lack of understanding about this software sometimes results in the information being transferred to unauthorized third-party tech companies illegally.
In the UK, it’s been revealed that NHS trusts shared details about patients’ medical conditions, appointments, and treatments with Facebook without consent.
An Observer investigation in 2023 uncovered the Meta Pixel covert tracking tool in the websites of 20 NHS trusts, which collected user browsing information – such as details about patients’ medical conditions, appointments, and treatments – and shared it with the tech giant for a sustained period, having promised not to.
A robust vendor selection process will ensure healthcare providers embed third-party tracking tools that prioritize compliance with regulations like HIPAA in the US or GDPR (General Data Protection Regulation) in the EU. Healthcare providers can then focus on implementing best practices for tracking software security, such as implementing encryption and access control.
Application Programming Interface (API)
Healthcare API traffic is growing exponentially amid a need to share information between different medical systems, communicate data to other organizations, and share medical records with patients’ personal health and well-being devices.
These software interfaces facilitate this vital transmission of healthcare data, presenting enticing vulnerabilities for cybercriminals to exploit – from weak API authentication protocols to the injection of malicious code or commands into APIs through user input fields. According to research, 78% of healthcare organizations experienced an API security incident in the 12 months to September 2023, up 9% from 2022.
In 2022, the mental health app Feelyou exposed over 80,000 of its users' email addresses. Until it issued a patch, anyone could obtain the personal email addresses of users and link them to anonymous posts by accessing the app’s GraphQL API, which didn’t require authentication.
Robust API security that protects these backend frameworks from cyberattacks is underpinned by:
Authentication mechanisms that verify the identity of clients accessing an API
Authorization that ensures clients only have access to the resources they are permitted to use
HTTPS (HTTP Secure) to encrypt data transmitted between clients and the API server
Validation and sanitization of all input data received from clients to prevent common security vulnerabilities such as SQL injection and XSS.
Conclusion
The diagnosis for healthcare is bleak amid the proliferation of cyberattacks: the sector reported data breaches costing an average of $10.93 million per breach in 2023 – almost double that of the financial industry, which came in second with an average cost of $5.9 million.
To help cure this cyberattack epidemic, you should plug the biggest gap and exposed area across healthcare organizations today: the client-side.
An effective protection solution includes a web application and API protection suite that combines a web application firewall, bot management, vulnerability management, anti-phishing, and client-side protection. This comprehensive approach will reinforce your existing application security program against cyberattacks from all angles.
Jscrambler
The leader in client-side Web security. With Jscrambler, JavaScript applications become self-defensive and capable of detecting and blocking client-side attacks like Magecart.