Combatting advanced threats against healthcare

Gary Sockrider, Principal Security Technologist, Arbor Networks
Gary Sockrider, Principal Security Technologist, Arbor Networks

It’s probably obvious to anyone these days that every single business that collects any type of personal information, payments or data from customers is now solidly in the crosshairs of attackers looking to steal that information. This is true for every type of organization from financial institutions to universities to retail stores. Even some of the biggest firms in the world, with seemingly the most robust defenses, are not immune to getting breached. Home Depot, Target, Sony Pictures, and so many others have lost millions of dollars and the personal information of customers and employees alike. Nearly every day it seems like a new organization joins the long list of victims.

While it’s easy to say that everyone is in the same boat, for healthcare organizations, the news is bound to get worse as the frequency and complexity of those attacks is increasing faster against healthcare than almost any other group. Driven by a rising value placed on stolen patient information and its usefulness in committing secondary crimes such as identity theft, it’s not a question of if, but instead of when, any healthcare organization will be breached. This trend will unfortunately continue until defenses catch up with the skill and sophistication of today’s advanced attackers.

Current cyber defenses

Most healthcare organizations are not defenseless. Over the years many healthcare providers have solidified their defenses with tools and devices to harden their network perimeters. These include tools such as Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS), firewalls, and Security Information and Event Management (SIEM) systems. Larger organizations might even have a dedicated security analyst, if not a 24-hour Security Operations Center (SOC). 

Most of these tools work together, and are arranged in a perimeter and core structure designed to turn away attacks at the gate. For example, an IDS works by passively detecting threats based on known signatures or statistically anomalous behaviors. IPS works to actively prevent intrusions by dropping malicious packets, resetting connections or blocking all traffic from IP ranges that are known to support malware.

SIEMs were more recently deployed to back up IPS/IDS systems. They provide a centralized security console displaying information about network health and activity in real-time or near real-time. The SIEM can be monitored by a human, who can respond to generated alerts right away to take whatever mitigation actions are needed, and the Event Management component can automatically direct responses as appropriate.

All of these defenses are effective against known threats. Even working alone, an IPS/IDS system on a busy network can block hundreds or thousands of attacks every day that otherwise might breach the perimeter. The problem is that healthcare organizations are not being successfully attacked by known threats. The culprit in most cases is the Advanced Persistent Threat (APT), a stealthy creation designed specifically to defeat even the most advanced perimeter defenses over time.

Advanced persistent threats

APTs have been around in one form or another since at least 2005, but it was not until 2011 that they began getting attention. The National Institute of Standards and Technology describes an APT as a program and an effort that “achieves its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltration of information…the APT pursues its objectives repeatedly over an extended period of time; adapts to defenders’ efforts to resist it; and is determined to maintain the level of interaction needed to execute its objectives.”

APTs generally use a combination of techniques to breach a network, including previously unknown vulnerabilities sometimes called zero-day exploits. Teams working with APTs might also troll social media channels for employee data, using that to craft realistic spear phishing e-mail probes designed to mine even more information. They might even employ tactics such as corrupting web pages that employees are likely to visit, or which employees can be steered into visiting. When an APT is caught and eliminated, the attackers use that data to create a different attack with a better chance of succeeding on the next attempt. They can keep trying for months or years at a time depending on how much they want to capture specific information protected by the target organization.

The other factor that makes APTs so successful is that once an APT has entered a network, it can be very difficult to detect, since its function is quite passive, either the slow exfiltration of data or finding holes for more powerful follow-up attacks. Plus, most perimeter defenses only look one direction. Once an APT is inside the network, it bypasses that security and can remain undetected for months or years at a time.

Specific threats and concerns in healthcare

Perhaps one of the most eye-opening looks into the seriousness of the threats against healthcare organizations was a 2014 study conducted by the Ponemon Institute that looked at a large number of healthcare providers in the United States. According to the study, during the months-long survey period, 375 healthcare related organizations had their networks compromised, making up an incredible 94 percent of the organizations surveyed. There were 49,917 unique malicious events detected during that time, which were launched from 723 malicious source IP addresses. In addition to the data breaches, malicious traffic was detected coming from exploited medical devices, conferencing systems, web servers, printers and edge security technologies all based inside healthcare organizations.

It’s probably no surprise then that some of the biggest breaches lately have been within healthcare. Anthem Healthcare had 80 million records stolen. Premera lost 11 million records. CareFirst’s total was 1.1 million compromised records, and the list goes on and on.

In addition to lost customer confidence and revenue following a breach, healthcare organizations can sometimes be additionally penalized should patient records not be adequately protected. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires that health records be portable enough to follow patients wherever they need to go within the healthcare system, yet also requires that those records be protected. In 2009, HIPAA got some additional teeth with the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which stipulated that fines could be as high as $1.5 million for each and every violation of healthcare information security.

The prescription for healthcare security

The clear takeaway from all of this is that healthcare organizations need to reexamine their approach towards cyber security. Just as the healthcare industry has protocols and procedures relative to deadly pathogens and infectious diseases, the same rigor and attention to methodology needs to be applied relative to cyber security breaches.

Current perimeter defenses should of course be maintained. However, just like preventive care can’t completely stop someone from occasionally getting sick, perimeter defenses can no longer guarantee the safety of a healthcare provider’s network. Healthcare organizations need to expect to be breached at some point, and have a plan in place to backup perimeter defenses when they are circumvented by stealthy APTs.

One of the biggest missing links in healthcare defense is the ability to monitor lateral movements of users and programs inside the network perimeter. Just because an APT has snuck inside does not mean that millions of records are going to be instantly compromised. The threat needs to perform reconnaissance within the network to establish its foothold, locate elevated credentials, infect more systems and contact its command and control servers. All of these activities can be detected by cyber security programs designed to examine the entire network as a whole and not just the traditionally protected gateways.

Threat intelligence is also sorely lacking in current defenses. Looking back at the Ponemon study, there were over 700 IP address ranges used to launch threats, many of them previously unknown as malware hosts. If a threat intelligence program could correlate that data by points as obscure as the phone numbers used to register domains, then many of those addresses could have been flagged as malware launching points before they even sent out their first bytes. Using external data like that in conjunction with invaluable information gleaned from APTs that are captured after a breach, a clearer picture of who the attackers are, what data they are trying to compromise and what techniques they are using can be formed. Attacks will no longer be seen as a series of disparate events, but as components of a larger campaign being launched against an organization.

Armed with that knowledge, healthcare organizations can plan specific defenses to stop individual attackers targeting them, and even predict where and how they will try to strike next. And sharing information about attackers and techniques within the healthcare community, something most advanced threat intelligence programs also offer, means that all organizations can benefit from that information without first having to be attacked themselves. In a sense, this can turn one of the APTs biggest assets, it persistency, against it as defenders learn to consistently counter those threats.

Most threat intelligence programs can be installed quickly alongside existing perimeter defenses, and can even detect threats that are already inside a network. The bad guys and their APTs might seem to have the upper hand now, but with threat intelligence, the tide will eventually turn against APTs. Every healthcare provider that adds threat intelligence and begins to share its threat data makes the community stronger, and eventually that strength and intelligence will overcome this very insidious threat.

Advanced Persistent Threat, APT, Arbor Networks, Health Information Technology for Economic and Clinical Health, Health Insurance Portability and Accountability Act, HIPAA, HITECH, Ponemon Institute


Please follow and ‘Like’ us


© HIT Leaders and News, a GO Digital Media & Publishing LLP publication. All rights reserved.