Cloud technology player Zscaler looks at how to prevent the risk of cyber infection and the best way to remedy against ransomware using a global security cloud network.
Increasingly sophisticated malware, a mobile workforce and the rising adoption of cloud services pose new challenges to IT security in health care. Staying one step ahead of cybercriminals and preventing the network from being infected with malicious code is a difficult undertaking: cyberattacks are evolving rapidly and the shortage of IT security experts is growing. Automating the IT security infrastructure with cloud security can help hospitals modernise their protective shields.
Since the Locky malware in 2016, ransomware infection waves have developed into a profitable business for cybercriminals. Such malicious programs, also called encryption Trojans, encrypt data or an entire network so that it can no longer be accessed, and only restore access after payment of a ransom. If the IT systems in a clinic are affected by ransomware, for example, patient data can no longer be accessed and high ransom demands come into play. Patient care and the smooth operation of the clinic are ultimately at risk.
It is no wonder that targeted attacks on health care facilities are increasing. In 2016, Lukas Hospital in Neuss, Germany, became the first to succumb to a successful cyberattack by encryption Trojans. The number of clinics attacked worldwide has risen ever since, and reported cases have accumulated, especially within the past 12 months. In July 2019 alone, 11 hospitals of the German Red Cross South West support organisation were attacked.
A remedy against ransomware – the cloud sandbox
A single infected PC in a hospital is often sufficient to bring the facility’s entire network to a standstill; in the case of ransomware, the consequences for service delivery can be disastrous. The primary objective of a clinic’s IT security department must therefore be to proactively prevent the initial infection of this “patient zero.” A cloud-based sandbox, combined with a security proxy, provides robust protection against such attacks by checking all incoming and outgoing data traffic for malware in real time.
Such an approach is one step ahead of traditional hardware-based, on-premises security concepts because it performs inline scanning of all data traffic in real time. A cloud-based sandbox can quarantine a suspicious file and block it from being downloaded. If behavioural analysis during quarantine shows that the file is indeed malicious, the interplay between sandbox and proxy blocks the malicious code and prevents any “primary contagion.”
A global security cloud automatically ensures that once a new malware sample has been identified for one user, every other user worldwide is also protected: the malware signatures in the global security platform’s database are updated immediately, without manual interaction, which prevents a wave of infection. The cloud’s elastic scalability and the resulting performance are also sufficient for decrypting, examining and re-encrypting SSL/TLS traffic so that attackers cannot hide there unnoticed.
Legacy hardware security environments often do not inspect encrypted network traffic in order to avoid performance problems, but this leaves the organisation exposed to more attacks. With Transport Layer Security (TLS) 1.3, the latest version of the protocol behind HTTPS, the vast majority of internet traffic is now transmitted in encrypted form (according to the Google Transparency Report, 91% of German traffic to Google is already encrypted). Attackers take advantage of this development and hide their malicious programs within these encrypted data streams, knowing full well that many organisations do not screen them comprehensively for hidden malicious code.
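The sandbox-plus-proxy flow described above, as an added example that is not Zscaler’s code: a simulated inline proxy checks the hash of every download against a shared signature store, sends unknown files to a stand-in sandbox, and writes a positive verdict back into the store so that the same file is blocked for a second hospital without being analysed again. The signature store, the marker-based “sandbox” and the two sample payloads are all constructed for the illustration; a real sandbox executes the file and observes its behaviour.

```python
import hashlib

# Constructed sample payloads. The fake sandbox below reacts to a text marker;
# a real one would detonate the file and watch for mass encryption of documents.
MALICIOUS_SAMPLE = b"MZ...fake dropper... ENCRYPT_ALL_FILES ...demand ransom..."
BENIGN_SAMPLE = b"Discharge summary, ward 3, no clinical findings."


class SignatureStore:
    """Stand-in for the global signature database shared by every tenant (assumption)."""

    def __init__(self):
        self.known_bad = set()

    def is_known_bad(self, digest: str) -> bool:
        return digest in self.known_bad

    def add(self, digest: str) -> None:
        self.known_bad.add(digest)


def sandbox_verdict(content: bytes) -> str:
    """Placeholder for behavioural analysis: here a constructed marker decides."""
    return "malicious" if b"ENCRYPT_ALL_FILES" in content else "benign"


class InlineProxy:
    """Security proxy that sits inline on every download and consults the sandbox."""

    def __init__(self, store: SignatureStore):
        self.store = store
        self.sandbox_runs = 0   # how often the expensive analysis actually ran
        self.events = []        # (tenant, filename, decision, reason)

    def handle_download(self, tenant: str, filename: str, content: bytes) -> str:
        digest = hashlib.sha256(content).hexdigest()
        # 1. Fast path: a signature hit from an earlier detection anywhere in the cloud.
        if self.store.is_known_bad(digest):
            self.events.append((tenant, filename, "blocked", "signature"))
            return "blocked"
        # 2. Unknown file: hold it (quarantine) and analyse it before release.
        self.sandbox_runs += 1
        if sandbox_verdict(content) == "malicious":
            self.store.add(digest)   # from now on every other tenant is protected too
            self.events.append((tenant, filename, "blocked", "sandbox"))
            return "blocked"
        self.events.append((tenant, filename, "allowed", "sandbox"))
        return "allowed"


def run_demo():
    """Two hospitals fetch the same dropper; only the first triggers a sandbox run."""
    proxy = InlineProxy(SignatureStore())
    results = [
        proxy.handle_download("hospital_a", "invoice.exe", MALICIOUS_SAMPLE),
        proxy.handle_download("hospital_b", "invoice.exe", MALICIOUS_SAMPLE),
        proxy.handle_download("hospital_a", "summary.txt", BENIGN_SAMPLE),
    ]
    return results, proxy.sandbox_runs, proxy.events


if __name__ == "__main__":
    decisions, runs, events = run_demo()
    for event in events:
        print(event)
    print("decisions:", decisions, "sandbox runs:", runs)
```

The second hospital is blocked by the signature path alone, which is the “patient zero for one, protection for all” property the text describes; the benign file still goes through the sandbox once because nothing in the store speaks for or against it.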
Automation of IT security as a therapy plan
Automating protective measures is becoming ever more important for hospitals, especially given the shortage of IT security specialists. Health care attaches great importance to the highest possible level of security, yet often has to make do without enough qualified personnel, so automation via security-as-a-service is a welcome remedy. A cloud-based security approach that also uses big data analytics reduces the usual complexity of coordinating various traditional hardware appliances by centralising many security solutions within one cloud platform. Such a service-based bundle of security modules from the cloud covers functions such as URL filtering, next-generation firewall, behavioural analysis, web proxy, SSL scanning and log analysis in a highly integrated manner. Coordination between the modules makes an external security information and event management (SIEM) system superfluous: false alarms can be avoided, and the cloud-based components correlate the logs with each other without affecting system speed.
Such a service model removes the internal effort of administering security hardware. The service provider automatically applies up to 125,000 updates per day, a markedly higher frequency than would be possible manually. This eliminates the typical errors of manual administration and the gaps left open by lagging updates.
In a hardware-based security infrastructure, the data from different components, such as virus scanners, URL filtering and APT detection, is often fed into a SIEM system because the individual appliances cannot communicate with each other. A complex analysis process then has to be applied downstream, which also raises false alarms.
A cloud security service, by contrast, merges the logs of the various security features automatically, so that there is not only a clear alarm in response to malware but also the ability to block the malicious code immediately. If a hospital is attacked, for example, the intelligent interplay of security components within a highly integrated cloud platform detects what is happening in the network and introduces countermeasures in real time.
Infection from “patient zero” is therefore nipped in the bud.
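The log correlation described above, as an added example that is not Zscaler’s code: events from a URL filter, the web proxy and the sandbox are merged by host and time window. A sandbox verdict alone only condemns a file; joining it with the proxy’s download record and the URL filter’s category identifies the workstation that fetched it, while a single blocked gambling URL on another workstation produces no alarm. The key=value log format, module names, severity weights, risky categories and sample lines are assumptions constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from three modules. The key=value layout is an
# assumption for this example, not a real product's log format.
SAMPLE_LOGS = [
    "ts=2019-07-20T10:01:02Z module=urlfilter host=ws-042 action=allowed category=newly-registered url=http://cdn-update.example/pkg",
    "ts=2019-07-20T10:01:05Z module=proxy host=ws-042 action=download file=pkg.exe sha256=aaa111",
    "ts=2019-07-20T10:02:40Z module=sandbox host=ws-042 verdict=malicious sha256=aaa111",
    "ts=2019-07-20T10:03:11Z module=urlfilter host=ws-017 action=blocked category=gambling url=http://bet.example/",
    "ts=2019-07-20T11:30:00Z module=urlfilter host=ws-042 action=allowed category=news url=http://news.example/",
]

RISKY_CATEGORIES = {"malware", "phishing", "newly-registered"}  # constructed list
SEVERITY = {"sandbox": 3, "urlfilter": 1, "proxy": 1}            # constructed weights


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict with a parsed timestamp."""
    fields = dict(part.split("=", 1) for part in line.split())
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def is_suspicious(event: dict, bad_hashes: set) -> bool:
    """Per-module rule deciding whether an event counts as evidence of compromise."""
    module = event["module"]
    if module == "sandbox":
        return event.get("verdict") == "malicious"
    if module == "urlfilter":
        return event.get("action") == "blocked" or event.get("category") in RISKY_CATEGORIES
    if module == "proxy":
        # A download only becomes suspicious once the sandbox has condemned its hash,
        # which is the retroactive identification of "patient zero".
        return event.get("sha256") in bad_hashes
    return False


def correlate(lines, window=timedelta(minutes=5), threshold=3):
    """Merge module logs per host; alert when weighted evidence from at least two
    different modules inside one time window reaches the threshold."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e["ts"])
    bad_hashes = {
        e["sha256"] for e in events
        if e["module"] == "sandbox" and e.get("verdict") == "malicious"
    }
    by_host = defaultdict(list)
    for event in events:
        if is_suspicious(event, bad_hashes):
            by_host[event["host"]].append(event)

    alerts = {}
    for host, evs in by_host.items():
        for anchor in evs:
            in_window = [e for e in evs if anchor["ts"] <= e["ts"] <= anchor["ts"] + window]
            modules = sorted({e["module"] for e in in_window})
            score = sum(SEVERITY[e["module"]] for e in in_window)
            if score >= threshold and len(modules) >= 2:
                alerts[host] = {"score": score, "modules": modules, "action": "isolate-host"}
                break
    return alerts


if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_LOGS).items():
        print(host, alert)
```

Requiring two independent modules before alerting is what keeps the single blocked URL on ws-017 from becoming a false alarm, while ws-042’s proxy record, which looked harmless when it was written, is re-scored as soon as the sandbox verdict for the same hash arrives.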