A class of denial-of-service attacks exploiting two built-in features of the HTTP/2 protocol is drawing new scrutiny from the healthcare and telecommunications sectors, where the consequences of degraded network availability can extend well beyond a slow website. The technique, described by researchers as an "HTTP/2 bomb," achieves traffic amplification without the volume of upstream packets normally required to sustain a large-scale DoS campaign — meaning smaller threat actors can generate outsized disruption with limited resources.

The structural problem

HTTP/2 was designed to make web communication faster and more efficient. Two of its core mechanisms — header compression (HPACK) and server push — were built to reduce redundant data in transit. The exploit turns that efficiency against the server: a compact, malformed request expands dramatically as the receiving system processes it, consuming CPU cycles and memory far in excess of what the attacker had to send.

The amplification dynamic matters because traditional DoS defenses are often calibrated to detect volumetric anomalies — high packet counts, large payload sizes. An attack that arrives in a small envelope and detonates on the receiving end can pass through those thresholds undetected until services begin to degrade.
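A receiver-side check for the gap described above, written as an added example and not taken from the researchers or from any product: it compares decoded header size against bytes received on the wire instead of counting packets. The function name, the thresholds, and the sample requests are assumptions made for illustration. The 32-octet per-field overhead is the accounting RFC 7540 defines for SETTINGS_MAX_HEADER_LIST_SIZE.

```python
from dataclasses import dataclass

# RFC 7540 section 6.5.2: a header field counts as name + value + 32 octets.
FIELD_OVERHEAD = 32

@dataclass
class Verdict:
    allowed: bool
    reason: str
    wire_bytes: int
    decoded_bytes: int

def check_header_block(wire_bytes, fields, max_list_size=16384,
                       max_ratio=20.0, ratio_floor=4096):
    """Account for decoded size field by field and stop at the first breach.

    wire_bytes: compressed HEADERS/CONTINUATION payload size as received.
    fields: iterable of (name, value) byte strings from the HPACK decoder.
    ratio_floor: decoded size below which the ratio is ignored, because tiny
    requests built from static-table entries compress very well legitimately.
    All thresholds are illustrative assumptions, not values from the article.
    """
    decoded = 0
    for name, value in fields:
        decoded += len(name) + len(value) + FIELD_OVERHEAD
        if decoded > max_list_size:
            return Verdict(False, "decoded header list exceeds cap",
                           wire_bytes, decoded)
        if decoded > ratio_floor and decoded > max_ratio * wire_bytes:
            return Verdict(False, "amplification ratio exceeds limit",
                           wire_bytes, decoded)
    return Verdict(True, "ok", wire_bytes, decoded)

# Constructed sample input: an ordinary portal request.
NORMAL = [(b":method", b"GET"), (b":path", b"/portal/login"),
          (b"user-agent", b"x" * 80), (b"cookie", b"s" * 200)]

def expanding_fields(count, value_len=4000):
    """Constructed stand-in for a decoder whose output dwarfs its input."""
    for _ in range(count):
        yield (b"cookie", b"a" * value_len)

if __name__ == "__main__":
    print(check_header_block(180, NORMAL))
    # 200 bytes on the wire: invisible to a volumetric threshold.
    print(check_header_block(200, expanding_fields(64)))
```

Because `fields` is consumed lazily, the guard returns as soon as a limit is crossed, so the remaining fields are never decoded or held in memory.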

Why healthcare is a named target

Healthcare organizations appear in the same threat category as telecommunications providers because both sectors run internet-exposed infrastructure that must remain continuously available. Patient portals, telehealth platforms, lab-interface endpoints, e-prescribing gateways, and API connections between EHR systems all depend on uninterrupted HTTP availability. A successful HTTP/2 bomb attack against any of those endpoints could delay medication orders, interrupt remote visits, or sever the data feeds clinicians rely on during active care.

Smaller independent practices are not insulated from this class of attack. Many rely on shared hosting infrastructure or regional internet service providers that sit in the same target profile as larger health systems, and may carry fewer redundancy options when services go down.

What this signals for network and application defenses

The exploit shows that protocol-level design decisions made years ago can become attack surfaces when threat actors study them carefully. HTTP/2 is now deeply embedded across healthcare IT — any organization running modern web applications, APIs, or cloud-hosted patient-facing services is likely running HTTP/2 without explicit awareness of it.

Several defensive considerations apply:

What the next review cycle should address

The HTTP/2 finding reflects a broader pattern in healthcare network risk: protocol assumptions built into infrastructure are rarely revisited until an exploit surfaces. Security reviews that focus primarily on access control and encryption may not examine how the organization's web-facing stack handles malformed or amplified HTTP/2 traffic. Including application-layer protocol behavior in annual risk analyses — a requirement under the HIPAA Security Rule's technical safeguard provisions — gives compliance teams a more accurate picture of where availability risk actually sits.