API Vulnerabilities and USB-Related Cyberattacks Identified

HIMSS has published its June Healthcare and Cross-Sector Cybersecurity Report, in which warnings have been issued to healthcare organizations about the risk of hackers exploiting vulnerabilities in application programming interfaces (APIs), tampering with cookies, distributed denial of service (DDoS) attacks, and man-in-the-middle attacks. Healthcare companies are likewise advised to be alert to the possibility that isolated networks may not be as secure as believed as a new attack method has been uncovered that could allow these isolated networks to be compromised using USB devices.

Improvements to perimeter defenses is making it harder for cybercriminals to gain entry to healthcare networks. As a result, alternative strategies are being used by hackers to gain access to healthcare data. API vulnerabilities are weak points that several cybersecurity experts believe could become a major new attack vector.

The use of APIs is now commonplace. It is quicker and easier to make use of a third-party apps than for healthcare organizations to develop their own applications, and APIs allow healthcare organizations to do that. According to a study by One-Poll, typically, businesses now handle 363 APIs and 2/3 of companies leave the APIs open to the general public or their business partners. Just like any software solution, when there are vulnerabilities, hackers will exploit them. Security Week’s Torsten George discussed a number of ways that APIs could be taken advantage of to access sensitive information.

By allowing the use of Unicode characters in domain names, cybercriminals can quickly create very convincing domains with homographs for use in phishing campaigns. For example, it is possible to use the Cyrillic small letter a to replace a regular a, or use the Latin small letter iota or the dotless i, to replace an i.

Eleven Paths has detailed another attack method that exploits hidden networks using USB devices. This method of attack can allow access to isolated computer systems not accessible via the Internet. If you just disconnect a computer from its WiFi connection and disconnect the ethernet cable, it may not be enough to prevent malicious actors from gaining access to the device.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/