Healthcare organizations’ vulnerable attack surfaces can be better secured by utilizing machine learning and artificial intelligence (AI) to detect hidden threat behaviors, according to a new report from IT security company Vectra.
The report found that the proliferation of healthcare internet-of-things (IoT) devices, along with unpartitioned networks, insufficient access controls and the reliance on legacy systems, has exposed a vulnerable attack surface that can be exploited by cybercriminals determined to steal personally identifiable information (PII) and protected health information (PHI), in addition to disrupting healthcare delivery processes.
But "machine learning and AI can assist healthcare organizations in better securing networks, workloads and devices, and provide data security by analyzing behaviors across systems," said Jon Oltsik, senior principal analyst at Enterprise Strategy Group. According to ESG research, "12 percent of enterprise organizations have already deployed AI-based security analytics extensively, and 27 percent have deployed AI-based security analytics on a limited basis. We expect these implementation trends will continue to gain."
This report is based on observations and data from the 2019 RSA Conference Edition of the Attacker Behavior Industry Report, which reveals behaviors and trends in networks from a sample of 354 enterprise organizations in healthcare and eight other industries. The report found that motivated attackers often mask their malicious actions by blending in with existing network traffic behaviors.
What’s more, gaps in policies and procedures can result in errors by healthcare staff members. Examples of these errors include improper handling and storage of patient files, a soft spot that cybercriminals look to exploit when they target global organizations and industries, according to Vectra officials.
"The increase in medical IoT is beneficial for patients but makes securing healthcare systems a challenge due to limited security controls around these devices," noted Brett Walmsley, chief technology officer at Bolton NHS Foundation Trust, which provides in-patient and out-patient healthcare services to over 140,000 people in Bolton and the surrounding area northwest of Manchester, England. "Having the visibility to quickly and accurately detect threat behaviors on and between all devices is the key to good security practice, regulatory compliance and managing risk."
Other healthcare findings from the report included:
- While many organizations experienced ransomware attacks in recent years, ransomware threats were not as prevalent in the second half of 2018.
- The most prevalent method attackers used to hide command-and-control communications in healthcare networks was hidden HTTPS tunnels. This traffic represents external communication involving multiple sessions over long periods of time that appear to be normal encrypted web traffic.
- The most common method attackers used to hide data exfiltration behaviors in healthcare networks was hidden domain name system (DNS) tunnels. Behaviors consistent with exfiltration can also be caused by IT and security tools that use DNS communication.
- Botnet attacks are opportunistic and are not targeted at specific organizations. While botnet attacks persist everywhere, their rate of occurrence in healthcare is lower than in other industries.
"Healthcare organizations struggle with managing legacy systems and medical devices that traditionally have weak security controls, yet both provide critical access to patient health information," added Chris Morales, head of security analytics at Vectra. "Improving visibility into network behavior enables healthcare organizations to manage risk of legacy systems and new technology they embrace."