Legacy systems, devices emerge as security ‘weak links’

Legacy systems and medical devices are emerging as weak links to protecting patient data, even as ransomware attacks wane.

Those are findings from a recent review of cyber incidents in the healthcare industry conducted by Vectra, a company specializing in network threat detection and response.

Its 2019 Spotlight Report on Healthcare contends that the proliferation of Internet of Things devices in healthcare—along with unpartitioned networks, insufficient access controls and continued reliance on legacy systems—enables cybercriminals to exploit “a vulnerable attack surface” that puts personally identifiable information (PII) and protected health information (PHI) at risk.

Vectra’s report contends it’s imperative for healthcare organizations to use machine learning and artificial intelligence “to detect hidden threat behaviors in enterprise IT networks before cybercriminals have a chance to spy, spread and steal.”

“Machine learning and AI can assist healthcare organizations in better securing networks, workloads and devices, and provide data security by analyzing behaviors across systems,” says Jon Oltsik, senior principal analyst at Enterprise Strategy Group, in commenting on the Vectra findings.

According to ESG research, “12 percent of enterprise organizations have already deployed AI-based security analytics extensively, and 27 percent have deployed AI-based security analytics on a limited basis,” Oltsik adds. “We expect these implementation trends will continue to gain.”

Medical IoT devices are increasing the attack surface for healthcare organizations, but present challenges for protecting them, including outdated operating systems and a multiplicity of devices across most healthcare organizations—oftentimes, with little IT awareness of where they are being used or the status of system patches, Vectra research affirmed.

Morales-Chris-CROP.jpg

“Healthcare organizations struggle with managing legacy systems and medical devices that traditionally have weak security controls, yet both provide critical access to patient health information,” says Chris Morales, head of security analytics at Vectra. “Improving visibility into network behavior enables healthcare organizations to manage risk of legacy systems and new technology they embrace.”

“The increase in medical IoT is beneficial for patients but makes securing healthcare systems a challenge due to limited security controls around these devices,” adds Brett Walmsley, chief technology officer at Bolton NHS Foundation Trust, which provides inpatient and outpatient healthcare services in Bolton and the surrounding area northwest of Manchester, England. “Having the visibility to quickly and accurately detect threat behaviors on and between all devices is the key to good security practice, regulatory compliance and managing risk.”

Vectra’s 2019 Spotlight Report on Healthcare is based on observations and data from the 2019 RSA Conference Edition of the Attacker Behavior Industry Report, which reveals behaviors and trends in networks from a sample of 354 opt-in enterprise organizations in healthcare and eight other industries. In addition, from July through December, Vectra’s Cognito threat-detection and response platform monitored network traffic and collected metadata from more than 3 million workloads and devices from customer cloud, data center and enterprise environments.

Key findings from the 2019 Spotlight Report on Healthcare include:

  • The most prevalent method attackers use to hide command-and-control communications in healthcare networks was hidden HTTPS tunnels, representing external communication involving multiple sessions over long periods of time that appear to be normal encrypted web traffic.
  • The most common method attackers use to hide data exfiltration behaviors in healthcare networks was hidden domain name system (DNS) tunnels. Behaviors consistent with exfiltration can also be caused by IT and security tools that use DNS communication.
  • There’s been a spike in attackers performing internal reconnaissance in the form of internal darknet scans and Microsoft Server Message Block (SMB) account scans. Internal darknet scans occur when internal host devices search for internal IP addresses that do not exist on the network. SMB account scans occur when a host device rapidly makes use of multiple accounts via the SMB protocol that is typically used for file sharing.
For reprint and licensing requests for this article, click here.