Why latency creates a large security risk
Healthcare industry and health record data breaches continue to make headlines, with several incidents this past summer, proving the escalation in attacks will continue to worsen as perpetrators see a major opportunity.
According to the Privacy Rights Clearinghouse, as of September, there were 87 breaches made public in 2016 that impacted healthcare and medical providers; this does not take into account health insurance organizations.
Why are healthcare organizations at such great risk? There are a number of reasons. First and foremost, they are a “one-stop-shop” where attackers can access both personally identifiable information (PII) such as addresses and Social Security numbers, but also financial information used in processing payments. Experts agree medical data has become increasingly valuable on the black market, and it’s why medical records are yielding a better return for attackers.
Beyond the attractive nature of the data and information up for the taking, healthcare organizations are notorious for not having sophisticated IT teams and for lacking the proper resources. The Sixth Annual Benchmark Study on Privacy & Security by the Ponemon Institute revealed that not only have healthcare organizations experienced an increased frequency of breaches, but they also lack the budget, people resources and expertise to manage data breaches.
To further complicate things, couple the fact that attackers are becoming stealthier and more sophisticated with the reality that healthcare organizations often lack the ability to detect attacks quickly enough to mitigate damage. What’s more, many records are accessible via a user device, regardless of where the records are stored or archived. In other words, we are seeing attackers target vulnerable systems, and this usually means endpoints within a hospital, hospital network or some other type of provider or payer.
Beyond not having next-generation technology, healthcare organizations lack an integrated approach for better leveraging data from whatever cybersecurity technology they currently have. For example, many are unable to get network endpoint and perimeter-based detections to work together to investigate incidents and attacks—both in real-time and after the fact.
This is where the latency—between the attacker gaining access to the organization identifying the attack—typically poses a major problem for security and IT administrators, because the more time attackers have to infiltrate, roam, exfiltrate and cover their tracks, the more challenging it is to defend against and uncover root cause.
To better understand the risks associated with latency, it’s important to break down a typical attack scenario. When an attacker enters a network, he begins his campaign and attempts to take command and control of a machine (or machines), usually by attempting to elevate themselves to the admin privileges necessary to control the box, while trying hard to not trigger any potential notification or alerting mechanisms in place.
A common tactic that attackers use early in the attack lifecycle is applying low-level evasion techniques, usually meaning they try to divert some attention, feel out the environment and observe what type of response they elicit from the host. Next, another common technique is identifying if antivirus agents are present, and disabling the antivirus, even when perimeter measures are in place, like a web-based firewall that cannot be disabled quietly.
And when no one is watching, the stealthy attacker will make his move laterally at just the right time and either push data to a new repository or delete files. The more time he has, the more aggressive he will be. The attacker doesn’t need much sophistication to move laterally as most organizations have security controls at the perimeter (north/south traffic in IT speak) but do not deploy network security controls between servers (east/west traffic).
After the data is exfiltrated, a savvy attacker will cover his tracks and do his best to leave limited artifacts behind. A forensics investigator can go back and trace the steps and the lateral movement, but the longer it takes to identify the breach, the more difficult this becomes.
The recent Banner Health breach was discovered nearly a month after the attack was initiated (it was started on June 17 and discovered on July 13), while the lesser known attack uncovered in April 2016 on the Bay Area Children's Association in Oakland, California was a result of malware installed sometime in January 2015—the breach thus took nearly 18 months to discover.
While not a healthcare provider, the infamous Anthem Health insurance attack last year (identified in late February 2015 after suspected intrusion in early December 2014), made its name because of the dramatic size of the number of consumers affected by the breach.
So how can we reduce latency and better equip healthcare organizations when their networks are inevitably penetrated? Here are a few places to start:
- Build a strong security team. Nothing can replace a well-trained, well-staffed team of security experts in house. If the budget doesn’t support a full staff, ensure the lean team is smart and savvy when it comes to security.
- Take advantage of external resources. If building an internal team isn’t possible, a managed security services provider (MSSP) is the next best thing. An MSSP is extremely helpful when struggling with resources, as it can remove the complexity and can provide a better way of monitoring security. This is less about the deployment of technology and more about learning how to use it effectively to leverage the important information that comes out of so that it’s actionable.
- Encrypt data. When the inevitable breach happens, encrypted data will throw a wrench in the attacker’s momentum. The good news is that the use of encryption is becoming more prevalent in healthcare. Another recent Ponemon study showed that 535 IT professionals interviewed ranked encryption of data at rest and encryption of data in motion as the second and third most important tools for achieving their security objectives.
- Find a monitoring solution. To really cut down on latency issues, there needs to be real-time visibility and monitoring. The security team needs to not only know what the attacker is doing, but they also need a better picture and clearer understanding of what the overall threat landscape looks like within a network. This will ultimately lead to better protection in the future and a more strategic approach to overall cybersecurity technology deployment.
Defending against targeted healthcare industry attack campaigns is essential, but those organizations willing to commit long-term to that goal and have multiple security models from which to extrapolate, as well as new technology that is architected to specifically to help companies detect, analyze and respond to will be the most successful in reducing latency and better protecting their organizations.