Why machine learning isn’t a cure-all to improve security
Hospitals and other healthcare providers continue to be prime targets for hackers, and as providers increasingly depend on the constant flow of information through their systems, the potential negative effects of attacks loom larger in 2018.
In addition to the substantial financial costs associated with cyberattacks, security breaches frequently disrupt critical medical services—a major problem when hospitals get attacked is that patient record systems can go down or become encrypted. When that happens, doctors are forced to revert to taking and circulating patient notes by hand. They may not be able to access important information regarding patient history, medications, test results and more.
With the threat of and severity of attacks becoming more damaging than ever, healthcare organizations are increasingly looking for new security solutions that can better protect them. While many security vendors claim their protection now incorporates machine learning, in many cases they’re likely to be providing is an updated version of the same file-scanning antivirus solution they’ve been offering for years.
Meanwhile, tech-savvy healthcare providers are looking for something beyond a better antivirus mousetrap. It’s important to clear up some ambiguity currently surrounding machine learning capabilities and security approaches at healthcare organizations.
Machine learning is not a form of protection. In truth, machine learning is a tool that helps inform how existing protection operates by enabling data analysis that is more in-depth and accurate than what can be accomplished manually. This confusion can often be linked back to inaccurate marketing language about machine learning capabilities.
Machine learning models are also only as good as the data they analyze, meaning that strong protection depends on frequent, rigorous re-training of the model with data that has high fidelity to the real world. The more limited the data—in terms of quantity, quality and currency—the lower the model’s ceiling for providing accurate results.
Applying machine learning to file-scanning antivirus solutions won’t stop fileless attacks. Up to this point, the most common use of machine learning from a security perspective is to speed up the analysis of files to determine whether they are malicious. While that is an efficient way to identify and block file-based malware, it doesn’t help thwart advanced or “fileless” attacks that leverage exploits or scripts.
A more effective approach is to broaden the use of machine learning to analyze system activity in addition to files. That way, solutions can predict whether any particular combination of system calls and commands indicate an attempted attack in progress. By analyzing system behavior in this way security solutions can provide an essential second line of defense against attacks that file-scanning alone can’t detect.
Organizations don’t need to choose between strong protection and high false positive rates. Because they operate in an industry where disruption can literally be a matter of life and death, healthcare IT professionals can’t afford to have security products blocking legitimate programs or triggering false positives.
The general misconception, however, is that false positives are a necessary evil in the pursuit of strong security. On one end of the spectrum, there is the strongest protection and more false positives; at the other end, there are fewer false positives and a corresponding reduced level of protection.
Based on this assumption, many organizations resort to the expensive, labor-intensive and only partially effective strategy of managing whitelists and blacklists to adjust for protection that either blocks legitimate software or lets malicious software through. This approach doesn’t fix the underlying problem; it just creates a burden of endless new rules that require manual application and upkeep. Responsive machine learning models replace the need for these manual lists, however.
As machine learning gains wider adoption, it’s crucial for healthcare providers to develop a better understanding of how the technology can help them better protect their data from rapidly evolving threats. Doing so will help them distinguish between security solutions that are applying machine learning to old approaches, and those that are using machine learning in more innovative ways to provide them with the accuracy, coverage, and certainty they need from their security.