A class of denial-of-service attacks exploiting HTTP/2 protocol features is drawing attention from security researchers who say healthcare organizations and telecommunications providers face elevated risk. The technique, described as an "HTTP/2 bomb," manipulates mechanisms built into the protocol to conserve bandwidth — turning them into amplification vectors that can overwhelm servers with disproportionate traffic relative to attacker investment.
What the attack does
HTTP/2 was designed to make web communication faster and lighter. Two of its core efficiency features — header compression and stream multiplexing — allow servers to handle more data with less overhead. The HTTP/2 bomb exploit abuses both.
By crafting requests that trigger large decompressed payloads from small compressed inputs, an attacker can cause a target server to expand processing load far beyond what the incoming traffic volume suggests. The result is a DoS condition that can deny legitimate users access to web-facing services — including patient portals, scheduling systems, telehealth interfaces, and administrative platforms — without requiring the volume of traffic associated with conventional distributed denial-of-service campaigns.
The amplification ratio is what distinguishes this technique from standard DoS approaches. Attackers achieve significant server-side impact at lower bandwidth cost, which also makes the attack harder to detect through simple volumetric thresholds.
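The point about volumetric thresholds can be made concrete with a small triage routine. This is an added example, not code from the researchers or any vendor mentioned here; the field names, thresholds and sample records are constructed assumptions that stand in for whatever per-connection telemetry a proxy or CDN exposes.

```python
from dataclasses import dataclass

@dataclass
class ConnWindow:
    """One observation window for a single HTTP/2 connection (hypothetical schema)."""
    conn_id: str
    seconds: float              # length of the observation window
    wire_bytes: int             # bytes received from the client on the wire
    decoded_header_bytes: int   # header bytes after decompression
    streams_opened: int         # streams the client opened in the window

# Illustrative thresholds (assumptions; tune against your own baseline).
MAX_WIRE_BPS = 1_000_000        # classic volumetric threshold, bytes per second
MAX_EXPANSION = 20.0            # decoded header bytes per wire byte
MAX_STREAMS_PER_SEC = 100.0     # stream-open rate per connection

def findings(w: ConnWindow) -> list[str]:
    """Return the names of the checks this window trips."""
    if w.seconds <= 0:
        raise ValueError("window length must be positive")
    out = []
    if w.wire_bytes / w.seconds > MAX_WIRE_BPS:
        out.append("volumetric")
    # Ratio check: server-side work relative to what the client actually sent.
    if w.wire_bytes and w.decoded_header_bytes / w.wire_bytes > MAX_EXPANSION:
        out.append("header-expansion")
    if w.streams_opened / w.seconds > MAX_STREAMS_PER_SEC:
        out.append("stream-rate")
    return out

def triage(windows: list[ConnWindow]) -> dict[str, list[str]]:
    return {w.conn_id: findings(w) for w in windows}

# Constructed sample telemetry, 10-second windows.
SAMPLE = [
    ConnWindow("portal-browser", 10, 180_000, 420_000, 60),
    ConnWindow("bulk-upload", 10, 25_000_000, 90_000, 4),
    ConnWindow("low-bandwidth", 10, 40_000, 6_000_000, 2_500),
]

if __name__ == "__main__":
    for conn, flags in triage(SAMPLE).items():
        print(f"{conn:15} {', '.join(flags) or 'ok'}")
```

The third record sends only 4 KB/s, far under the volumetric threshold, yet trips both ratio-based checks; a bandwidth-only alert would never see it.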
Why healthcare is a named target
Healthcare organizations rely on HTTP/2-capable infrastructure for a growing share of clinical and administrative workflows. Telehealth platforms, EHR web interfaces, and patient-facing portals commonly run over HTTP/2 to meet performance expectations. Any of those services going dark — even briefly — can interrupt care coordination, delay prescription processing, or block access to records during time-sensitive clinical decisions.
The sector's risk is compounded by a dependency on upstream telecommunications infrastructure. If carrier-level services are disrupted simultaneously, healthcare organizations may lose redundant connectivity paths that would otherwise help absorb or reroute attack traffic.
What this means for independent practices
Smaller and independent practices are less likely to operate dedicated traffic-scrubbing infrastructure or maintain relationships with network-layer DDoS mitigation providers. Web-facing services hosted through third-party vendors introduce a secondary dependency: if a vendor's shared infrastructure is targeted, multiple practice clients may experience outages simultaneously.
Practices that have not recently reviewed their internet-facing application stack should confirm whether HTTP/2 is enabled on servers handling protected health information, and whether their hosting or CDN arrangements include protocol-level rate limiting and anomaly detection. Vendor contracts should specify availability commitments and incident-notification timelines for infrastructure-layer events, not only data breaches.
What the broader pattern signals
This category of attack — exploiting protocol efficiency mechanisms rather than brute-forcing capacity — reflects a continued shift toward precision denial-of-service techniques that require less infrastructure from attackers. Healthcare's gradual shift to cloud-hosted, browser-accessed applications means its attack surface now includes the same protocol layer that web-scale platforms have hardened over years, but not all healthcare-sector deployments have kept pace with those mitigations.
Network and IT teams should treat protocol-layer DoS as a continuity risk alongside ransomware and data exfiltration, and ensure that business continuity planning addresses temporary loss of web-facing systems — not only the permanent data-loss scenarios that dominate breach response planning.