Security

How Healthcare Websites Can Battle an Increase in Bad Bot Traffic

Increased digitalization in the medical field has created a larger attack surface for malicious actors. CAPTCHAs and other technologies can protect sites from cybersecurity threats.

Nathan Eddy

Nathan Eddy works as an independent filmmaker and journalist based in Berlin, specializing in architecture, business technology and healthcare IT. He is a graduate of Northwestern University’s Medill School of Journalism.

Bad bot traffic is on the rise as nations race to make COVID-19 vaccines available to their citizens and healthcare becomes increasingly digitized, forcing healthcare organizations to rethink their security and IT infrastructure strategies.

According to a recent survey from Imperva, healthcare websites saw a 372 percent increase in bad bot traffic globally between September 2020 and February 2021, with bot traffic soaring nearly 50 percent in February alone — the largest increase over the past year.

As bot traffic reaches unprecedented levels, healthcare organizations need to redouble their efforts to prevent bad bot traffic from impacting their care efforts, says Edward Roberts, Imperva’s director of strategy and application security.

“The volume of bad bot traffic is 25.6 percent of all internet traffic. That means 1 in 4 requests is a bad bot, and it’s doing something to your site,” he says. “If your healthcare website gives someone the ability to log in, be it a patient or a doctor, those login pages are under attack. That is a guarantee.”

The Negative Effects of Bad Bot Traffic on Healthcare Sites

Roberts explains that bad bots can wreak havoc in various ways, from slowing down websites to posting messages that include links leading to phishing attacks.

Because healthcare organizations hold so much valuable personally identifiable information (PII), malicious actors can do immense damage with the information behind that login if they can authenticate and get through.

Even so-called helpful bots — those that scrape for vaccine availability, appointments and inventory checking — can have a negative effect on healthcare websites.

“Healthcare security leaders should be focused on protecting their login pages and preventing bad bot traffic from being able to authenticate, which blocks the downstream effects of that attack,” Roberts says.

Stopping Bad Bots Requires an Agile Security Strategy

Deploying technology to protect all potential access points — including websites, mobile applications and application program interfaces (APIs) — can prevent bad bots from authenticating. For example, bot management tools such as CAPTCHAs require users to click on photos or deploy other techniques to prove they are human.

“What you want to do is put as many hurdles as possible in the way of these bots, so that they are cleaning out this traffic continuously,” he says. “You need an automated solution to tackle an automated problem, and that means technology that is working around the clock.”

Roberts adds that an IT team first must understand where the bots are going on their website — for example, which login pages are being targeted — and start putting in extra tools to clean out that traffic.

“They have to decide where that solution is going to be deployed, whether across the whole site or just on certain pages,” he says. “It can be different for a pharmacy than it would be for a doctor listing on a hospital site.”

The expanded attack surface created by the digitalization and consumerization of healthcare has exacerbated bad bot traffic.

“You’ve got a website and APIs that feed it, then you have APIs for the mobile app, and your attack surface is quite large, so you need security tools that manage the mobile apps and security tools that look after the APIs,” Roberts says.

The security strategy must be agile and able to evolve as bot operators work to disguise bots to appear more human, he warns.

“There are tools bot operators have created, like CAPTCHA farms, to get around the obstacles security teams put up,” he says. “Bots are now looking more and more human, mimicking human behavior and trying to evade detection.”

Meanwhile, account takeover attacks, such as credential stuffing and credential cracking, are becoming increasingly common as more PII is available online, spurred in part by the move to web-based interactions forced by the pandemic.

“We’re seeing the amount of use cases increase as people move more functionality online and bot operators know they can steal information,” says Roberts. “We’re just seeing the start of the bot problem.”

Igor Kutyaev/Getty Images