The Negative Effects of Bad Bot Traffic on Healthcare Sites
Roberts explains that bad bots can wreak havoc in various ways, from slowing down websites to posting messages that include links leading to phishing attacks.
Because healthcare organizations hold so much valuable personally identifiable information (PII), malicious actors who manage to authenticate and get past the login can do immense damage with the data behind it.
Even so-called helpful bots — those that scrape for vaccine availability, appointments and inventory — can have a negative effect on healthcare websites.
“Healthcare security leaders should be focused on protecting their login pages and preventing bad bot traffic from being able to authenticate, which blocks the downstream effects of that attack,” Roberts says.
Stopping Bad Bots Requires an Agile Security Strategy
Deploying technology to protect all potential access points — including websites, mobile applications and application programming interfaces (APIs) — can prevent bad bots from authenticating. For example, bot management tools such as CAPTCHAs require users to identify photos or complete other challenges to prove they are human.
“What you want to do is put as many hurdles as possible in the way of these bots, so that they are cleaning out this traffic continuously,” he says. “You need an automated solution to tackle an automated problem, and that means technology that is working around the clock.”
Roberts adds that an IT team first must understand where the bots are going on their website — for example, which login pages are being targeted — and start putting in extra tools to clean out that traffic.
“They have to decide where that solution is going to be deployed, whether across the whole site or just on certain pages,” he says. “It can be different for a pharmacy than it would be for a doctor listing on a hospital site.”
The expanded attack surface created by the digitalization and consumerization of healthcare has exacerbated bad bot traffic.
“You’ve got a website and APIs that feed it, then you have APIs for the mobile app, and your attack surface is quite large, so you need security tools that manage the mobile apps and security tools that look after the APIs,” Roberts says.
The security strategy must be agile and able to evolve as bot operators work to disguise bots to appear more human, he warns.
“There are tools bot operators have created, like CAPTCHA farms, to get around the obstacles security teams put up,” he says. “Bots are now looking more and more human, mimicking human behavior and trying to evade detection.”
Meanwhile, account takeover attacks, such as credential stuffing and credential cracking, are becoming increasingly common as more PII is available online, spurred in part by the move to web-based interactions forced by the pandemic.
“We’re seeing the number of use cases increase as people move more functionality online and bot operators know they can steal information,” says Roberts. “We’re just seeing the start of the bot problem.”
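Roberts' two points above, first working out which login pages the bots are hitting and then spotting credential-stuffing traffic on them, can both be checked from a login audit log. The script below is an added illustration, not code from the article or from any product it mentions; the JSON field names and the sample events are constructed assumptions, and the thresholds are deliberately low so the small sample triggers them.

```python
import json
from collections import defaultdict

# Constructed login audit events (JSON lines) standing in for a patient portal's
# authentication log; field names are assumptions, not a real product's format.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:01Z", "path": "/patient/login", "src": "198.51.100.7", "user": "m.jones", "result": "fail"}
{"ts": "2024-05-01T10:00:02Z", "path": "/patient/login", "src": "198.51.100.7", "user": "a.smith", "result": "fail"}
{"ts": "2024-05-01T10:00:02Z", "path": "/patient/login", "src": "198.51.100.7", "user": "r.patel", "result": "fail"}
{"ts": "2024-05-01T10:00:03Z", "path": "/patient/login", "src": "198.51.100.7", "user": "l.chen", "result": "fail"}
{"ts": "2024-05-01T10:04:10Z", "path": "/patient/login", "src": "203.0.113.5", "user": "j.doe", "result": "fail"}
{"ts": "2024-05-01T10:04:25Z", "path": "/patient/login", "src": "203.0.113.5", "user": "j.doe", "result": "success"}
{"ts": "2024-05-01T10:07:00Z", "path": "/pharmacy/login", "src": "198.51.100.9", "user": "k.lee", "result": "fail"}
{"ts": "2024-05-01T10:07:01Z", "path": "/pharmacy/login", "src": "198.51.100.9", "user": "t.nguyen", "result": "fail"}
"""

FAIL_THRESHOLD = 4           # failed logins from one source on one page
DISTINCT_USER_THRESHOLD = 4  # different usernames tried by that source

def parse_events(text):
    """Parse JSON-lines audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def summarize_by_page(events):
    """Return {path: {src: {"total": n, "fails": n, "users": set}}}."""
    new = lambda: {"total": 0, "fails": 0, "users": set()}
    stats = defaultdict(lambda: defaultdict(new))
    for e in events:
        s = stats[e["path"]][e["src"]]
        s["total"] += 1
        s["users"].add(e["user"])
        if e["result"] == "fail":
            s["fails"] += 1
    return stats

def targeted_pages(stats):
    """Rank login pages by failed attempts: where are the bots going?"""
    totals = {p: sum(s["fails"] for s in by_src.values()) for p, by_src in stats.items()}
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def flag_suspected_stuffing(stats):
    """Sources that cycle through many usernames and mostly fail on one page.
    A human mistyping one password retries the same account, so it is not flagged."""
    findings = []
    for path, by_src in stats.items():
        for src, s in by_src.items():
            if s["fails"] >= FAIL_THRESHOLD and len(s["users"]) >= DISTINCT_USER_THRESHOLD:
                findings.append({"path": path, "src": src, "fails": s["fails"], "users": len(s["users"])})
    return sorted(findings, key=lambda f: f["fails"], reverse=True)

if __name__ == "__main__":
    stats = summarize_by_page(parse_events(SAMPLE_LOG))
    print("targeted pages:", targeted_pages(stats))
    print("suspected stuffing:", flag_suspected_stuffing(stats))
```

The per-page ranking is what decides whether a bot-management control goes in front of the whole site or only certain pages, as Roberts describes.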