Welcome!

Cloud Security Authors: Elizabeth White, Zakia Bouachraoui, Pat Romanski, Yeshim Deniz, Liz McMillan

Related Topics: @CloudExpo, Cloud Security

@CloudExpo: Blog Post

Prescribing Good to Find Bad Activity on Health Networks | @CloudExpo #Cloud #MachineLearning

In today’s challenging security world, it’s important to understand that attackers regularly target healthcare networks

The hype around data breaches in the health industry may seem commonplace and cause complacency. Last year, it was Anthem and Premera Blue Cross suffering attacks affecting nearly 90 million people combined. Among others, last month it was Banner Health - a nationwide health system based in Arizona - which reported a cyberattack affecting 3.7 million patients and customers.

This month the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) levied a $5.5M fine on Advocate Health Care Network, the highest penalty to date on a health care organization having a data breach that caused a violation of HIPAA. The fine is in addition to the other costs and damages facing Advocate Health Care Network.

In today's challenging security world, it's important to understand that attackers regularly target healthcare networks and, more specifically, Personally Identifiable Information (PII) and associated medical data. But could it really happen to your network, if you have the latest perimeter security installed?

The answer is unfortunately "yes." With enough motivation, a cybercriminal will target your health network and likely infiltrate it. History shows there is plenty of motivation to attack an organization in healthcare than any other market. According to a report from Trend Micro that analyzes cyberattack data over ten years, healthcare is the most attacked industry, with the greatest number of data breaches.

Protected Health Information (PHI) has an excellent resale value for cybercriminals, generating as much as ten times the value of other Personally Identifying Information (PII) or credit card details. Breach costs are $363 for each stolen healthcare record - the highest cost of any vertical market - according to a recent Ponemon Research report. Those costs will likely be higher with additional penalties, loss of business and reputation and other punitive damage.

Once a cybercriminal wants in, there is only the smallest fraction of a chance that they will be stopped over the long haul. No health network is 100 percent protected. Perimeter security might deflect 95 percent or higher of intrusion attacks, but complete protection is impossible. For example, penetration ("pen") testers are used by organizations to test their security. The best pen testers guarantee that they can break into a network within a couple of days, simply because there are far too many ways to find an unsecure path to the internal network.

These days hackers are so creative that installation of malicious software does not even require a user to click on anything, as drive-by installers are becoming commonplace. Malware may not even be involved in the attack, since there are thousands of ways to gain credentialed access to a health network. With an almost unlimited number of opportunities, attackers clearly have the advantage. If health organizations fail only once, they have lost the battle.

Once inside a health network, an attacker can stay completely hidden to do their work since very few healthcare organizations have the ability to detect an attacker in their network. Some tools may uncover signs of an attacker, but these alerts get buried under hundreds or thousands of other alerts, mostly deemed false positives. Security systems are notoriously inefficient and inaccurate since they warn about the never-ending presence of malware and each movement of a potentially suspicious activity. As a result, it would take sheer luck to detect a real network attacker amidst the thousands of alerts.

Searching for malware will reduce threats that may leak through perimeter security, but it will rarely uncover the activities of an attacker. The only way to find an attacker is to consider a different approach to security. Instead of looking for the technical attributes or artifacts of malware and other exploits, you must focus on the attacker's actions to quickly and accurately detect an active attacker in health organizations. Look for the activities they must do by necessity once they are in a new network that is unfamiliar to them to accomplish their objectives.

An attacker needs to explore the new network to discover and gain access to valuable information. They also need to move laterally across the network to work their way to assets they can commandeer. These attack activities are difficult to detect unless you know what "good" activities look like on your network. This "knowledge of good" comes from continuously profiling all users and devices, and learning their normal activities and habits. Once a baseline of good is established, the anomalous activities can be detected to determine those most likely to be "bad" or malicious.

Advanced machine learning makes this possible. Using a model of known good makes it possible to find the bad. These new techniques of using good to detect the activities of an attacker are emerging but are still not well known. Unfortunately, most health organizations seem stuck in the mentality of preventative security. It's been the focus for health IT teams for the past 20 years, and old habits die hard.

Most health IT people acknowledge that preventative security is not effective, and they realize that attackers get into networks. The FBI and Gartner both fully agree. Despite this, these IT pros focus on finding the latest technological improvement, hoping to finally make their networks fully secure. This gulf between admitting one thing and acting a completely different way is not the method to solve this problem.

The odds are extremely high that you won't be able to detect the attack until theft or damage has already occurred. The average for "dwell time," or the amount of time it takes network attackers to be found, is five months. Some take far longer, and the attacker quietly steals completely unnoticed. These cases might include a slow, methodical theft of Protected Health Information (PHI), or private health organization data. Others might involve using credentialed access from your health network to access the network of a partner, supplier or affiliated clinic.

The seriousness in the health industry remains very real. Fortunately, there are solutions being deployed that address these threats. A new approach focusing on known good is the prescription for health organizations to finally fend off network attackers and avoid costly breaches.

More Stories By David Thompson

David Thompson serves as the Senior Director of Product Management for LightCyber, responsible for assessing customer and market requirements, conducting sales and channel training and enablement, market education, and overall solution definition. He has been with LightCyber since late 2014.

Mr. Thompson has over 15 years of experience focused on information security. Prior to joining LightCyber, he served in Product Management leadership positions for OpenDNS, iPass, Websense, and Voltage Security (now HP). Prior to running product management at Voltage Security, he was a Program Director at Meta Group (now Gartner) responsible for security research topics including encryption, PKI, remote access, and secure network design. He holds a bachelors of science in Physics from Yale University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


IoT & Smart Cities Stories
Dion Hinchcliffe is an internationally recognized digital expert, bestselling book author, frequent keynote speaker, analyst, futurist, and transformation expert based in Washington, DC. He is currently Chief Strategy Officer at the industry-leading digital strategy and online community solutions firm, 7Summits.
Digital Transformation is much more than a buzzword. The radical shift to digital mechanisms for almost every process is evident across all industries and verticals. This is often especially true in financial services, where the legacy environment is many times unable to keep up with the rapidly shifting demands of the consumer. The constant pressure to provide complete, omnichannel delivery of customer-facing solutions to meet both regulatory and customer demands is putting enormous pressure on...
IoT is rapidly becoming mainstream as more and more investments are made into the platforms and technology. As this movement continues to expand and gain momentum it creates a massive wall of noise that can be difficult to sift through. Unfortunately, this inevitably makes IoT less approachable for people to get started with and can hamper efforts to integrate this key technology into your own portfolio. There are so many connected products already in place today with many hundreds more on the h...
The standardization of container runtimes and images has sparked the creation of an almost overwhelming number of new open source projects that build on and otherwise work with these specifications. Of course, there's Kubernetes, which orchestrates and manages collections of containers. It was one of the first and best-known examples of projects that make containers truly useful for production use. However, more recently, the container ecosystem has truly exploded. A service mesh like Istio addr...
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...
Charles Araujo is an industry analyst, internationally recognized authority on the Digital Enterprise and author of The Quantum Age of IT: Why Everything You Know About IT is About to Change. As Principal Analyst with Intellyx, he writes, speaks and advises organizations on how to navigate through this time of disruption. He is also the founder of The Institute for Digital Transformation and a sought after keynote speaker. He has been a regular contributor to both InformationWeek and CIO Insight...
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
To Really Work for Enterprises, MultiCloud Adoption Requires Far Better and Inclusive Cloud Monitoring and Cost Management … But How? Overwhelmingly, even as enterprises have adopted cloud computing and are expanding to multi-cloud computing, IT leaders remain concerned about how to monitor, manage and control costs across hybrid and multi-cloud deployments. It’s clear that traditional IT monitoring and management approaches, designed after all for on-premises data centers, are falling short in ...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more busine...