Online attackers are keen to steal healthcare data or hold it for ransom for a simple reason—the return on investment. That’s one reason why healthcare firms are one of cyber criminals’ favorite targets. In 2017, a typical healthcare organization suffered an average of 32,000 intrusion attacks per day, compared to 14,300 per day at organizations in other industries. Personal health information is 50 times more valuable on the black market than financial information, according to Cybersecurity Ventures, and stolen patient health records fetch upwards of $50 per record (10 to 20 times more than credit card information).
One big cause: Healthcare security teams unintentionally leave gaps in online security by not implementing security tools which, while important, might slow or block the flow of medical data that clinicians need at a moment’s notice. That’s a scary scenario for patients and clinicians, who are caught between the need to maintain access to critical-care machines and data, while also pushing back against hackers intent on making a quick buck.
Attackers know healthcare’s weaknesses, and they regularly exploit them: In mid-2018, the electronic health record system at Cass Regional Medical Center in Harrisonville, Mo., was down for nearly a week following a ransomware attack.
To keep attackers from gaining the upper hand, healthcare security teams need to realize they don’t have to trade cybersecurity for patient safety. Healthcare organizations have traditionally not understood the threats that lurk in their networks, nor how to detect and block them. Automated and intelligent tools that use machine learning can shed light on how attackers gain entry to networks, and what they do once they’re inside—in a way that doesn’t impact patient care.
Below are three of the key challenges affecting healthcare’s ability to keep patient data secure and systems up and running—and how artificial intelligence (AI) can help address these challenges.
Challenge No. 1: Healthcare Is A Prime Target For Ransomware
Healthcare is a target-rich environment for hackers, especially those that deploy ransomware to seize control of critical systems and turn a quick profit (that is, by forcing a healthcare organization to pay a ransom to regain access to data). Attackers know healthcare data and systems are vital and also have security gaps to exploit. According to insurance organization Beazley, 37% of all ransomware incidents during the third quarter of 2018 were aimed at the healthcare industry. And Cybersecurity Ventures reports that ransomware attacks on healthcare organizations will quadruple by 2020.
No organization, healthcare included, can block all attackers. (As we say in security, it’s not if attackers will get inside, it’s when.) Segmenting networks, or walling off sections of data, can minimize the impact of a ransomware attack: If ransomware perpetrators do get into a network, at least you’re limiting potential damage.
Another way to block attackers is by protecting endpoints like laptops and tablets. Attackers often gain entry by fooling people into clicking on links to malware in emails or on websites. You can train workers to look out for the hallmarks of phishing emails (such as typos), but humans will inevitably fall victim to clever fake messages. Once a worker unknowingly clicks on a link, the ransomware can get to work.
A better approach is to use AI-based security solutions that can generate insights from data in a way that even a massive workforce could not do manually. As we discuss in the Cisco 2018 Annual Cybersecurity Report, machine learning helps security professionals detect not only “known-known” threats (malware and infections that have been seen before), but also “known-unknown” threats (variations on previously detected attacks), and “unknown-unknown” threats (completely new attacks). Automation can identify unusual patterns in network traffic, and automatically alert security teams to anomalies that need to be investigated.
Challenge No. 2: Clinicians Fear Impact On Critical Care
In healthcare, cyberattacks truly strike fear into the hearts of the C-suite, because they threaten the industry’s mission to provide continuity of care and could put lives at risk. This is why healthcare organizations are hesitant to install security systems such as two-factor authentication or intrusion prevention that might slow or block access to critical data. In a recent Cisco survey of security professionals, we found that healthcare is somewhat less likely than other industries to implement a full range of security.
For example, radiology systems usually do not have embedded antivirus or antimalware solutions, since scanning very large files would take a long time and could disrupt patient care by making the image library unavailable. Other critical medical devices are built to accept only the simplest type of electronic inquiry and could be knocked offline by scanning.
By using machine learning to conduct behavioral analysis of network activity, security teams can see what’s happening within traffic to and from critical machines. This “pervasive visibility” approach is better than applying defenses that might slow data to a crawl. With the help of AI, security teams can learn over time where and how attackers try to gain entry. The teams can automatically block some traffic when it’s an easy call, like an infusion pump that’s connecting to Amazon.com—a likely sign of malware at work, because that’s not typical behavior.
Alternately, security teams can use alerts from automated systems to make incident-by-incident decisions about when and where to block traffic, depending on how a device is used and who’s using it. Online access to a nursing-station computer that’s devoted to recordkeeping and not critical care can be safely blocked automatically; but another computer workstation in the emergency room, deemed more critical, would deserve special attention from the security team.
Challenge No. 3: The Attack Surface Is Growing
Connected healthcare systems gather data from wearable devices and patient communication and billing platforms. Patients can now access their health records online and pay bills, while doctors can access data from personal medical devices, like glucose monitors, to gauge patients’ health outside of in-person visits. As healthcare data becomes digitized and the volume of data increases, the attack surface becomes much larger and, therefore, there are more ways for online attackers to gain entry to networks. That’s a match made in heaven for the ransomware attacks favored by online attackers these days.
Network segmentation, discussed above, can play a part in decreasing the attack surface and minimizing the “blast radius” of a threat. So can pervasive visibility, which can monitor and analyze behavior with the help of AI, even as these networks become larger and larger. But a particular challenge within healthcare is that the attack surface is mobile. Infusion pumps are rolled from patient to patient; doctors and nurses carry laptops and tablets to and from exam rooms to emergency rooms and offices.
Intelligent network analytics can define “profiles” of devices and decide if they’re behaving as they should—that is, they exhibit the “known good” values we want to see. Based on those values, the network analytics system can decide that the device should only operate on certain network segments, and should only “talk” to desired systems. Once that device starts going rogue and communicating with other systems, AI-driven systems can alert security teams of the anomalies.
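The profile check described above, combined with the block-or-alert decision from Challenge No. 2, as an added example that is not from the original article. The profiles here are hand-written allowlists standing in for values an analytics system would learn, and every device type, address and field name is a constructed assumption.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    segments: tuple   # network segments this device type may sit on
    peers: tuple      # systems it is expected to talk to
    auto_block: bool  # True: block unexpected peers; False: alert analysts only

# Constructed "known good" profiles; names and addresses are hypothetical.
PROFILES = {
    "infusion-pump": Profile(("10.20.0.0/16",), ("10.50.1.10/32",), True),
    "nursing-records-pc": Profile(("10.30.0.0/16",), ("10.50.2.0/24",), True),
    "er-workstation": Profile(("10.40.0.0/16",),
                              ("10.50.2.0/24", "10.50.3.0/24"), False),
}

def _within(addr, cidrs):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)

def evaluate(flow):
    """Return (verdict, reasons) for one flow record."""
    profile = PROFILES.get(flow["type"])
    if profile is None:
        return "alert", ["no profile for device type"]
    off_segment = not _within(flow["src"], profile.segments)
    bad_peer = not _within(flow["dst"], profile.peers)
    reasons = []
    if off_segment:
        reasons.append("device seen on unexpected segment")
    if bad_peer:
        reasons.append("unexpected peer " + flow["dst"])
    if not reasons:
        return "allow", reasons
    # Only unexpected peers are blocked automatically; a mobile device that
    # shows up on another segment is left for an analyst to review.
    return ("block" if bad_peer and profile.auto_block else "alert"), reasons

# Constructed flow records (203.0.113.0/24 is a documentation range).
FLOWS = [
    {"type": "infusion-pump", "src": "10.20.4.7", "dst": "10.50.1.10"},
    {"type": "infusion-pump", "src": "10.20.4.7", "dst": "203.0.113.25"},
    {"type": "nursing-records-pc", "src": "10.30.1.5", "dst": "203.0.113.25"},
    {"type": "er-workstation", "src": "10.40.2.9", "dst": "203.0.113.25"},
    {"type": "infusion-pump", "src": "10.30.9.9", "dst": "10.50.1.10"},
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f["type"], f["src"], "->", f["dst"], evaluate(f))
```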
Gaining Visibility Into Attacker Behavior With AI
Modern security is about detecting the behavior of attackers once they get into networks, not just blocking them from getting in, something that’s increasingly difficult to do. This is where machine learning really earns its keep because it can detect anomalous behavior, such as logins from unusual locations, in large and constantly changing data sets.
Online attackers are quick to find opportunities for generating income. The issue for healthcare is to operate a little bit faster than the bad guys—or at least, keep pace with them—so that these opportunities become rare and attackers move on.