James Barrett, senior director at network monitoring company Endace, discusses how healthcare organisations can stay on top of cybercrime regulations and minimise data breaches.
Looking at the volume of security breaches by industry, the number of healthcare-related cyber incidents worldwide far outweighs the number of breaches seen by any other sector.
According to research by Citrix ShareFile, and the 2017 Ponemon/IBM “Cost of Data Breach Study,” hospital hacks during 2017 in the US alone numbered 328 breaches with an estimated total cost of $1,187,360,000. To give you an idea of scale, the technology sector was in second place, experiencing 48 breaches with an estimated total cost of $173,760,000. That is nearly a sevenfold difference between first and second place, in both the number of breaches and their cost.
In the broader scope of cybercrime, patient information is a valuable and lucrative commodity: the combination of date of birth, social security number and full name opens a lot of doors for fraud and identity theft. Once a malicious actor gains credentialed access to internal systems, all PII (personally identifiable information) and PHI (protected health information) is at high risk of exfiltration. Additionally, patient-facing services such as scheduling, diagnostics and other critical systems can be disrupted.
Healthcare organisations are also attractive targets because, as technology environments, they are very “open.” A huge number of consultants, doctors, specialists and others need access to patient records and hospital systems, making PII data extremely hard to protect. Regulatory pressure is mounting, with HIPAA and other regulations in the US, GDPR in Europe and PIPEDA in Canada increasingly being enforced in an attempt to make organisations more accountable for protecting the PII data they hold.
So, while struggling for funding and resources, how can healthcare organisations stay on top of these regulations and minimise what is quickly becoming a data breach epidemic? The following use cases describe how two healthcare organisations are recording their network traffic to help them defeat malware attacks and credential phishing, and so maintain network security.
Hitting malware where it hurts
Before using a continuous network packet capture solution, the security team at a large, high-profile hospital in the US relied on ad-hoc workflows for investigating security alerts. It was dependent on other departments to provide it with firewall, server and network logs in order to piece together evidence to investigate cyber-attacks such as malware – one of the more serious and frequent threats the organisation faces.
Previously, when a malware threat was detected, the origin domain of the attack was identified and the IP address of the targeted host machine was simply entered into an “infected systems” group. This triggered a firewall rule to isolate the host until the team could investigate whether the machine was actually infected, and what the level of exposure to the organisation was. But infections were not always detected, and the resolution process was slow and unreliable, putting patient and employee data at risk.
After a thorough analysis of possible solutions, the organisation turned to continuous high-speed packet capture technology. Packet capture enabled the organisation to record its network traffic, providing a complete and highly accurate history of everything that happened on the network.
This recorded network history gave the security team’s analysts the definitive evidence they needed to investigate security threats and potential data breaches conclusively, to understand the level of exposure the organisation faced, and to do so quickly through a documented, repeatable workflow.
Now, when a malware attack is detected, the relevant packet data can be quickly extracted. The malware file is then reconstructed from the packets and is tested using a malware analysis sandbox service to determine if it is malicious or benign. The organisation’s security team now has the definitive evidence it needs to investigate and respond to malware attacks quickly, and to be certain whether suspect hosts are infected or not – so analysts can focus their attention on dealing with the infected ones.
Stopping credential theft phishing attacks in their tracks
Another US healthcare organisation was using Proofpoint for email protection, but was spending considerable time and effort investigating phishing attacks to try to determine whether users’ credentials had been successfully phished or not. Often, the team couldn’t tell for sure, so they were forced to change the user’s password on any internal systems as a precaution, and also had to tell the user to change all their personal passwords too, just in case.
After implementing a continuous packet capture platform, the organisation can now quickly find and analyse traffic relating to phishing alerts using the IP address, date and time range of the alert. The vast majority of these phishing attacks use non-encrypted web pages to entice the victim to enter their credentials, and the analysts can examine the HTTP transactions in the packet history to determine whether the user did, in fact, submit their credentials or not. (Where a phishing page is served over TLS, the packet history shows only that the connection took place; seeing what was submitted then requires the traffic to be decrypted at a proxy.)
This has meant that the security team can now stop credential theft attacks in their tracks. If an attack is successful, they can immediately disable the relevant account (if it’s an account they control) and alert the victim. It also allows them to help users keep their personal information safe: for example, analysts can pick up attempts to phish users’ personal credentials, such as online banking logins, and tell the user to change that password if they see the attempt was successful.
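A worked illustration of both workflows described above (reconstructing a downloaded file from the packet history in the first case study, and checking the HTTP transactions for a submitted login form in the second), added here as example code and not taken from Endace, Proofpoint or either hospital. It reassembles captured TCP segments into HTTP messages, carves and hashes the transferred file so it can be submitted to a sandbox, and flags a form post that carried a password to the phishing host. The segment list, addresses and hostnames are constructed sample data standing in for packets exported from a capture; the parser handles only unencrypted, Content-Length-framed HTTP, which is exactly the traffic the analysts above are able to read.

```python
"""Added example (not the page's or any vendor's code): rebuild HTTP transactions
from captured TCP segments, carve downloaded files for sandbox analysis, and
detect credential submissions to a phishing page."""
import hashlib
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample: (src_ip, src_port, dst_ip, dst_port, tcp_seq, payload).
# In practice these come from decoding the pcap the capture appliance exports.
# Flow A delivers a binary, with its response segments captured out of order
# and one segment retransmitted; flow B is a credential POST to the phishing
# host; flow C only fetched the phishing page and never submitted the form.
A_RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
          b"Content-Disposition: attachment; filename=\"update.exe\"\r\n"
          b"Content-Length: 16\r\n\r\n")
A_BODY = b"MZ\x90\x00" + b"\x00" * 12          # constructed PE-like payload
B_FORM = b"username=jdoe%40hospital.example&password=Winter2017%21&submit=Login"
SEGMENTS = [
    ("10.1.2.3", 51000, "203.0.113.10", 80, 1000,
     b"GET /update.exe HTTP/1.1\r\nHost: cdn.example.net\r\n\r\n"),
    ("203.0.113.10", 80, "10.1.2.3", 51000, 5000 + len(A_RESP), A_BODY[:8]),
    ("203.0.113.10", 80, "10.1.2.3", 51000, 5000, A_RESP),
    ("203.0.113.10", 80, "10.1.2.3", 51000, 5000 + len(A_RESP), A_BODY[:8]),  # retransmit
    ("203.0.113.10", 80, "10.1.2.3", 51000, 5000 + len(A_RESP) + 8, A_BODY[8:]),
    ("10.1.2.3", 51001, "198.51.100.7", 80, 2000,
     b"POST /login.php HTTP/1.1\r\nHost: portal-login.example\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n"
     b"Content-Length: %d\r\n\r\n" % len(B_FORM) + B_FORM),
    ("198.51.100.7", 80, "10.1.2.3", 51001, 7000,
     b"HTTP/1.1 302 Found\r\nLocation: /home\r\nContent-Length: 0\r\n\r\n"),
    ("10.1.2.4", 52000, "198.51.100.7", 80, 3000,
     b"GET /login.php HTTP/1.1\r\nHost: portal-login.example\r\n\r\n"),
    ("198.51.100.7", 80, "10.1.2.4", 52000, 8000,
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 13\r\n\r\n"
     b"<form></form>"),
]


def reassemble(segments):
    """Rebuild each direction of each TCP flow by sequence number. Out-of-order
    segments are sorted, bytes already seen are trimmed (so a retransmission
    adds nothing), and a hole stops the stream so a truncated download is
    never mistaken for the complete file."""
    flows = defaultdict(list)
    for src, sport, dst, dport, seq, payload in segments:
        flows[(src, sport, dst, dport)].append((seq, payload))
    streams = {}
    for key, segs in flows.items():
        segs.sort()
        data, nxt = b"", segs[0][0]
        for seq, payload in segs:
            if seq > nxt:
                break                      # gap in the capture
            data += payload[nxt - seq:]    # drop the overlapping prefix
            nxt = max(nxt, seq + len(payload))
        streams[key] = data
    return streams


def parse_http(data):
    """Split one direction of a stream into (start line, headers, body) messages.
    Only Content-Length framing is handled; a body cut short by a capture gap
    is not reported at all."""
    messages = []
    while b"\r\n\r\n" in data:
        head, data = data.split(b"\r\n\r\n", 1)
        lines = head.decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", 0))
        body, data = data[:length], data[length:]
        if len(body) < length:
            break
        messages.append((lines[0], headers, body))
    return messages


def carve_files(streams):
    """Recover every file served as an attachment or binary, and hash it so the
    analyst can submit it to a sandbox or match it against known-bad hashes."""
    found = []
    for (src, sport, dst, dport), data in streams.items():
        for start, headers, body in parse_http(data):
            if not start.startswith("HTTP/") or not body:
                continue
            ctype = headers.get("content-type", "")
            disp = headers.get("content-disposition", "")
            if "attachment" in disp or ctype.startswith("application/"):
                name = disp.split("filename=")[-1].strip('"') if "filename=" in disp else "(unnamed)"
                found.append({"server": src, "client": dst, "filename": name,
                              "content_type": ctype, "size": len(body),
                              "sha256": hashlib.sha256(body).hexdigest(),
                              "looks_like_pe": body[:2] == b"MZ"})
    return found


CREDENTIAL_KEYS = ("pass", "pwd", "secret", "pin", "otp")


def find_credential_posts(streams):
    """Report form submissions carrying a password-like field. Merely loading
    the phishing page (a GET) is not evidence the user was phished; the POST is.
    The secret itself is redacted so the report can be shared."""
    hits = []
    for (src, sport, dst, dport), data in streams.items():
        for start, headers, body in parse_http(data):
            method, _, rest = start.partition(" ")
            if method != "POST" or "form-urlencoded" not in headers.get("content-type", ""):
                continue
            fields = parse_qs(body.decode("latin-1"))
            secret = [k for k in fields if any(t in k.lower() for t in CREDENTIAL_KEYS)]
            if secret:
                hits.append({"client": src, "host": headers.get("host", dst),
                             "path": rest.split(" ")[0],
                             "submitted": {k: ("<redacted>" if k in secret else v[0])
                                           for k, v in fields.items()}})
    return hits


if __name__ == "__main__":
    streams = reassemble(SEGMENTS)
    for f in carve_files(streams):
        print("carved file:", f)
    for h in find_credential_posts(streams):
        print("credentials submitted:", h)
```

Running it reports one carved file (update.exe, 16 bytes, MZ header, with its SHA-256 ready for a sandbox lookup) and one credential submission from 10.1.2.3 to portal-login.example, while the second client, which only loaded the page, is not flagged. That distinction is what lets the team reset only the accounts that were actually exposed.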
These use cases show how implementing packet capture can help healthcare organisations and their network operations and security teams to be more agile and efficient, and to obtain a ‘definitive source of truth’ so that issues can be resolved quickly.