How provider organizations can protect against credential stuffing and data scraping
Cybercriminals are increasingly targeting provider organizations’ patient portals in an attempt to break into patient accounts and steal their protected health information.
Still, more than half (58%) of healthcare organizations believe that the cybersecurity of their patient portal is above average or superior when compared to other portals, according to a recent LexisNexis Risk Solutions report, “The State of Patient Identity Management.”
The survey finds that 93% use username and password as the patient portal authentication method, while 65% deploy multifactor authentication.
Cybercriminals won’t stop
But that might not be enough against the automated attacks circulating on the internet today.
In order to conduct patient portal attacks on a massive scale, criminal hackers use bots to automate the tasks of credential stuffing – testing stolen log-in credentials from previous breaches – and data scraping – harvesting the information from the accounts they are able to crack.
This is a widespread problem: 96% of log-in pages overall were hit with bad bots in 2016, according to a research report from Distil Networks, a cybersecurity company that specializes in bot detection and mitigation. Further, 20% of all web requests overall come from bad bots, and every business is under attack, the research showed.
“In healthcare, with more patient information increasingly available online in patient portals, and because of the sensitive nature of patient data and personal identifying information (PII), the concern over credential stuffing is increasing,” stated Edward Roberts, senior director of product marketing at Distil Networks. “If someone can access your account online, they can see any information within that account like private patient information, test results and prescriptions.”
Stuffing and cracking
The Open Web Application Security Project (OWASP), in its Automated Threat Handbook, defines two distinct automated threats that use credentials:
- Credential stuffing – Mass log-in attempts used to verify the validity of stolen username/password pairs.
- Credential cracking – The practice of identifying valid log-in credentials by trying different values for usernames and/or passwords.
“Data breaches and credential stuffing are very closely related,” Roberts explained. “The increasing volume of stolen credentials from data breaches is creating a worsening bot problem for any online business having a log-in page. Bots are used by criminals to test the viability of stolen credentials. Every new data breach sees an increased availability of credentials and leads to higher volumes of bad bot traffic.”
With more than 14.7 billion credentials stolen since 2013, according to the Breach Level Index, the problem is already significant – and only getting worse.
Bot operators make two assumptions. The first is that people reuse their credentials on many websites. The second is that newly stolen credentials will be more likely to still be active. This is why healthcare organizations should anticipate bad bots running these credentials against their patient portals after every new breach.
Protecting against credential stuffing
So how does a healthcare provider organization protect its patient portal from credential stuffing? Roberts has some key tips.
“There are different security techniques for protecting patient portals,” he said. “First, there are good identity and access management practices, including adding multi-factor authentication. Rate limits could be put into place to prevent multiple attempts to log in from the same computer. But ultimately a solution preventing the automated testing of credentials is required.”
Determining which traffic is from a real human and which is from a bad bot helps eliminate automated account takeover attacks, he added. Credential stuffing can be performed volumetrically very quickly or “low and slow,” making a few requests at a time every hour of every day. Monitoring a rise in failed log-in attempts is a good leading indicator that a patient portal is currently under a credential stuffing attack, he advised.
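The following is an added example, not code from the article, Distil Networks or OWASP, showing how the indicators Roberts describes can be checked against a portal's log-in log. It assumes a simple log format (ISO timestamp, source IP, OK/FAIL outcome, username) and constructed sample traffic; the thresholds are illustrative. It separates OWASP's two threats by the ratio of distinct usernames to failures (stuffing tries each stolen pair once across many accounts, cracking tries many passwords against few accounts), and it runs the same check over a one-minute and a 24-hour window to show why a per-minute rate limit misses a "low and slow" campaign that a daily aggregate exposes.

```python
"""Flag credential stuffing and credential cracking in portal log-in logs.

Added example for this article, not code from Healthcare IT News, Distil
Networks or OWASP.  The log format (ISO timestamp, source IP, OK/FAIL,
username), the thresholds and the sample traffic are all assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample traffic, not real portal logs.  Three patterns in the
# first minute: one IP trying a different stolen username/password pair each
# second (stuffing), one IP hammering a single account (cracking), and a
# patient who mistypes once and then signs in.
FAST_LINES = """\
2017-06-01T10:00:00 203.0.113.10 FAIL alice
2017-06-01T10:00:01 203.0.113.10 FAIL bob
2017-06-01T10:00:01 203.0.113.10 FAIL carol
2017-06-01T10:00:02 203.0.113.10 FAIL dave
2017-06-01T10:00:02 203.0.113.10 OK erin
2017-06-01T10:00:03 203.0.113.10 FAIL frank
2017-06-01T10:00:04 198.51.100.7 FAIL gina
2017-06-01T10:00:05 198.51.100.7 FAIL gina
2017-06-01T10:00:06 198.51.100.7 FAIL gina
2017-06-01T10:00:07 198.51.100.7 FAIL gina
2017-06-01T10:00:08 198.51.100.7 FAIL gina
2017-06-01T10:00:09 192.0.2.55 FAIL hank
2017-06-01T10:00:20 192.0.2.55 OK hank"""
# "Low and slow" (constructed): one stolen pair per hour, twelve hours, one IP.
SLOW_LINES = "\n".join(
    f"2017-06-01T{10 + h:02d}:30:00 192.0.2.99 FAIL user{h:02d}" for h in range(12)
)
SAMPLE_LOG = FAST_LINES + "\n" + SLOW_LINES

LINE_RE = re.compile(r"^(\S+) (\S+) (OK|FAIL) (\S+)$")


def parse_log(text):
    """Return a list of (timestamp, ip, success, username) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines outside the assumed format are skipped
            ts, ip, outcome, user = m.groups()
            events.append((datetime.fromisoformat(ts), ip, outcome == "OK", user))
    return events


def classify_sources(events, window_seconds, min_failures, stuffing_ratio=0.8):
    """Bucket log-ins by source IP and fixed window (measured from the first
    event) and label every bucket with at least min_failures failures:
      'stuffing' - failures spread across many distinct usernames, i.e. each
                   stolen pair is tried once (OWASP credential stuffing)
      'cracking' - failures concentrated on few usernames, i.e. many password
                   guesses per account (OWASP credential cracking)
    Returns {(ip, window_index): (label, failures, distinct_users, successes)}.
    A success inside a 'stuffing' bucket is a likely account takeover.
    """
    if not events:
        return {}
    t0 = min(ts for ts, _, _, _ in events)
    buckets = defaultdict(lambda: {"fail": 0, "ok": 0, "users": set()})
    for ts, ip, ok, user in events:
        idx = int((ts - t0).total_seconds()) // window_seconds
        b = buckets[(ip, idx)]
        if ok:
            b["ok"] += 1
        else:
            b["fail"] += 1
            b["users"].add(user)
    findings = {}
    for key, b in buckets.items():
        if b["fail"] < min_failures:
            continue
        distinct = len(b["users"])
        label = "stuffing" if distinct / b["fail"] >= stuffing_ratio else "cracking"
        findings[key] = (label, b["fail"], distinct, b["ok"])
    return findings


def failed_login_ratio(events):
    """Share of log-in attempts that failed; a jump against the portal's
    normal baseline is the leading indicator the article describes."""
    if not events:
        return 0.0
    return sum(1 for _, _, ok, _ in events if not ok) / len(events)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("failed-login ratio:", round(failed_login_ratio(evts), 2))
    # A per-minute rule (what a simple per-IP rate limit sees) catches the
    # volumetric sources but never accumulates enough from 192.0.2.99 ...
    for (ip, idx), f in sorted(classify_sources(evts, 60, 5).items()):
        print("1-minute window", ip, f)
    # ... while a daily aggregate over the same log exposes the slow one.
    for (ip, idx), f in sorted(classify_sources(evts, 86400, 5).items()):
        print("24-hour window", ip, f)
```

In practice the source key would be broadened beyond a single IP (stuffing tools rotate through proxies), and the successful log-in inside a flagged "stuffing" bucket is the event worth an immediate alert and a forced re-authentication, since it is the account the attacker actually got into.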
After a successful credential stuffing attack on a healthcare provider organization’s patient portal comes data scraping. Web scraping, or scraping, is a computer software technique of extracting information from the internet, usually transforming unstructured data on the web into structured data that can be stored and analyzed in a central database.
Bots do the scraping
The key culprits behind web scraping are bots: software applications that run automated tasks, or scripts, over the internet. Bots typically perform such tasks far faster, and in far greater volume, than humans could on their own.
“In healthcare, there is content that would be attractive to regularly scrape,” Roberts explained. “For example, contact lists of doctors or medical professionals might be scraped to target for phishing attempts, health insurance plans could be scraped by competitors for competitive intelligence, fees for medical services or products could be scraped.”
The systematic automated scraping of content is rampant all over the internet. The solution is the same as for preventing credential stuffing: Healthcare organizations need to clean their traffic to remove abusive bad bots, Roberts contended. By only allowing human traffic, scraping will be reduced, he said.
Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com
Healthcare IT News is a HIMSS Media publication.