A newly documented denial-of-service technique, dubbed the HTTP/2 "bomb" attack, exploits protocol-level features designed to reduce bandwidth consumption and turns them into amplification engines capable of overwhelming server infrastructure. Researchers flagging the threat have specifically named telecommunications providers and healthcare organizations as high-risk targets — a pairing that matters because many hospital networks and health system web services run on infrastructure that depends on HTTP/2 for performance.
How the exploit works
HTTP/2 introduced two mechanisms to make web communication more efficient: header compression (HPACK) and server push. Both were designed for legitimate bandwidth reduction. The attack technique abuses those same features to force a target server to expand a small inbound request into a disproportionately large processing load — a classic amplification pattern, but embedded inside an otherwise normal-looking protocol exchange.
Because the malicious traffic arrives formatted as valid HTTP/2, conventional packet-inspection rules that watch for obviously malformed traffic may not flag it. The amplification happens at the application layer, which means the damage accumulates inside the server before network-perimeter tools register an anomaly.
Why healthcare exposure is distinct
Healthcare organizations face compounding risk from this class of attack for two reasons. First, patient-facing web services — scheduling portals, telehealth endpoints, lab result portals, and e-prescribing gateways — increasingly run over HTTP/2-capable infrastructure. A sustained denial-of-service event against any of those endpoints constitutes a clinical availability problem, not merely an IT inconvenience.
Second, many independent and mid-size practices rely on third-party hosting or managed services where HTTP/2 is enabled by default and server-level configuration is not directly under the practice's control. That means the mitigation burden often falls on a vendor or managed service provider rather than on the practice's internal team — a dependency that warrants explicit conversation with those vendors.
What the threat signals about protocol-layer risk
The HTTP/2 bomb technique illustrates a broader pattern that healthcare security teams should register: protocol features adopted for efficiency can become attack surfaces when threat actors study specification-level behavior more carefully than defenders do. HTTP/2 adoption in healthcare has accelerated alongside the push for faster API-based interoperability under ONC rules, meaning the attack surface has grown in step with the regulatory mandate to open up data exchange.
Organizations running HTTP/2-enabled endpoints should confirm with their infrastructure teams or service providers that request-rate limiting is applied at the application layer, that HPACK table size limits are configured conservatively, and that server push is disabled if it is not actively used — each of these reduces the amplification headroom the attack depends on.
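One way to check two of those items from the outside is to read the SETTINGS frame a server sends when an HTTP/2 connection opens and compare it with a local policy. The sketch below is an added example, not code from the researchers or any vendor: the identifiers and defaults follow RFC 9113 section 6.5.2, while the ceilings and the two sample payloads are constructed assumptions. Server push is not visible in a server's own SETTINGS frame, so it still has to be confirmed in the server configuration.

```python
import struct

# Setting identifiers and defaults from RFC 9113 section 6.5.2 (None = unlimited).
SETTINGS = {
    0x1: ("HEADER_TABLE_SIZE", 4096),
    0x3: ("MAX_CONCURRENT_STREAMS", None),
    0x6: ("MAX_HEADER_LIST_SIZE", None),
}

# Assumed audit ceilings (illustrative policy values, not from the article).
CEILINGS = {
    "HEADER_TABLE_SIZE": 4096,
    "MAX_CONCURRENT_STREAMS": 128,
    "MAX_HEADER_LIST_SIZE": 65536,
}


def parse_settings(payload: bytes) -> dict:
    """Decode a SETTINGS payload: repeated (16-bit id, 32-bit value) pairs."""
    if len(payload) % 6 != 0:
        raise ValueError("SETTINGS payload length must be a multiple of 6")
    effective = {name: default for name, default in SETTINGS.values()}
    for offset in range(0, len(payload), 6):
        ident, value = struct.unpack_from("!HI", payload, offset)
        if ident in SETTINGS:  # identifiers outside the audit are skipped
            effective[SETTINGS[ident][0]] = value
    return effective


def audit(payload: bytes) -> list:
    """Return findings for values left unlimited or above the assumed ceilings."""
    findings = []
    for name, value in parse_settings(payload).items():
        limit = CEILINGS[name]
        if value is None:
            findings.append(f"{name}: not advertised (unlimited by default)")
        elif value > limit:
            findings.append(f"{name}: {value} exceeds ceiling {limit}")
    return findings


# Constructed sample payloads (not captured from any real server).
LOOSE = struct.pack("!HI", 0x1, 65536) + struct.pack("!HI", 0x4, 1048576)
TIGHT = struct.pack("!HIHIHI", 0x1, 4096, 0x3, 100, 0x6, 16384)

if __name__ == "__main__":
    for label, sample in (("loose", LOOSE), ("tight", TIGHT)):
        print(label, audit(sample) or "no findings")
```

A finding here is a prompt for a conversation with the infrastructure team or hosting provider, since the advertised values reflect whichever proxy or load balancer terminates HTTP/2, not necessarily the application server behind it.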
Where independent practices should focus
For practices that do not manage their own servers, the immediate step is asking their EHR vendor, telehealth platform, or web-hosting provider whether their HTTP/2 configurations have been reviewed against this attack class and whether any patches or configuration changes are planned.
For practices with internally managed infrastructure or on-premises web-facing components, a review of HTTP/2 server settings and application-layer rate controls is warranted. Denial-of-service events that take down patient-scheduling or telehealth systems can trigger HIPAA availability obligations under the Security Rule's contingency planning standards — an argument for treating this as a compliance matter, not only a network operations matter.