Welcome!

@CloudExpo Authors: Yeshim Deniz, Liz McMillan, Pat Romanski, Kevin Benedict, Elizabeth White

Related Topics: @CloudExpo, Cloud Security

@CloudExpo: Blog Post

Prescribing Good to Find Bad Activity on Health Networks | @CloudExpo #Cloud #MachineLearning

In today’s challenging security world, it’s important to understand that attackers regularly target healthcare networks

The hype around data breaches in the health industry may seem commonplace and cause complacency. Last year, it was Anthem and Premera Blue Cross suffering attacks affecting nearly 90 million people combined. Among others, last month it was Banner Health - a nationwide health system based in Arizona - which reported a cyberattack affecting 3.7 million patients and customers.

This month the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) levied a $5.5M fine on Advocate Health Care Network, the highest penalty to date on a health care organization having a data breach that caused a violation of HIPAA. The fine is in addition to the other costs and damages facing Advocate Health Care Network.

In today's challenging security world, it's important to understand that attackers regularly target healthcare networks and, more specifically, Personally Identifiable Information (PII) and associated medical data. But could it really happen to your network, if you have the latest perimeter security installed?

The answer is unfortunately "yes." With enough motivation, a cybercriminal will target your health network and likely infiltrate it. History shows there is plenty of motivation to attack an organization in healthcare than any other market. According to a report from Trend Micro that analyzes cyberattack data over ten years, healthcare is the most attacked industry, with the greatest number of data breaches.

Protected Health Information (PHI) has an excellent resale value for cybercriminals, generating as much as ten times the value of other Personally Identifying Information (PII) or credit card details. Breach costs are $363 for each stolen healthcare record - the highest cost of any vertical market - according to a recent Ponemon Research report. Those costs will likely be higher with additional penalties, loss of business and reputation and other punitive damage.

Once a cybercriminal wants in, there is only the smallest fraction of a chance that they will be stopped over the long haul. No health network is 100 percent protected. Perimeter security might deflect 95 percent or higher of intrusion attacks, but complete protection is impossible. For example, penetration ("pen") testers are used by organizations to test their security. The best pen testers guarantee that they can break into a network within a couple of days, simply because there are far too many ways to find an unsecure path to the internal network.

These days hackers are so creative that installation of malicious software does not even require a user to click on anything, as drive-by installers are becoming commonplace. Malware may not even be involved in the attack, since there are thousands of ways to gain credentialed access to a health network. With an almost unlimited number of opportunities, attackers clearly have the advantage. If health organizations fail only once, they have lost the battle.

Once inside a health network, an attacker can stay completely hidden to do their work since very few healthcare organizations have the ability to detect an attacker in their network. Some tools may uncover signs of an attacker, but these alerts get buried under hundreds or thousands of other alerts, mostly deemed false positives. Security systems are notoriously inefficient and inaccurate since they warn about the never-ending presence of malware and each movement of a potentially suspicious activity. As a result, it would take sheer luck to detect a real network attacker amidst the thousands of alerts.

Searching for malware will reduce threats that may leak through perimeter security, but it will rarely uncover the activities of an attacker. The only way to find an attacker is to consider a different approach to security. Instead of looking for the technical attributes or artifacts of malware and other exploits, you must focus on the attacker's actions to quickly and accurately detect an active attacker in health organizations. Look for the activities they must do by necessity once they are in a new network that is unfamiliar to them to accomplish their objectives.

An attacker needs to explore the new network to discover and gain access to valuable information. They also need to move laterally across the network to work their way to assets they can commandeer. These attack activities are difficult to detect unless you know what "good" activities look like on your network. This "knowledge of good" comes from continuously profiling all users and devices, and learning their normal activities and habits. Once a baseline of good is established, the anomalous activities can be detected to determine those most likely to be "bad" or malicious.

Advanced machine learning makes this possible. Using a model of known good makes it possible to find the bad. These new techniques of using good to detect the activities of an attacker are emerging but are still not well known. Unfortunately, most health organizations seem stuck in the mentality of preventative security. It's been the focus for health IT teams for the past 20 years, and old habits die hard.

Most health IT people acknowledge that preventative security is not effective, and they realize that attackers get into networks. The FBI and Gartner both fully agree. Despite this, these IT pros focus on finding the latest technological improvement, hoping to finally make their networks fully secure. This gulf between admitting one thing and acting a completely different way is not the method to solve this problem.

The odds are extremely high that you won't be able to detect the attack until theft or damage has already occurred. The average for "dwell time," or the amount of time it takes network attackers to be found, is five months. Some take far longer, and the attacker quietly steals completely unnoticed. These cases might include a slow, methodical theft of Protected Health Information (PHI), or private health organization data. Others might involve using credentialed access from your health network to access the network of a partner, supplier or affiliated clinic.

The seriousness in the health industry remains very real. Fortunately, there are solutions being deployed that address these threats. A new approach focusing on known good is the prescription for health organizations to finally fend off network attackers and avoid costly breaches.

More Stories By David Thompson

David Thompson serves as the Senior Director of Product Management for LightCyber, responsible for assessing customer and market requirements, conducting sales and channel training and enablement, market education, and overall solution definition. He has been with LightCyber since late 2014.

Mr. Thompson has over 15 years of experience focused on information security. Prior to joining LightCyber, he served in Product Management leadership positions for OpenDNS, iPass, Websense, and Voltage Security (now HP). Prior to running product management at Voltage Security, he was a Program Director at Meta Group (now Gartner) responsible for security research topics including encryption, PKI, remote access, and secure network design. He holds a bachelors of science in Physics from Yale University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@CloudExpo Stories
"DX encompasses the continuing technology revolution, and is addressing society's most important issues throughout the entire $78 trillion 21st-century global economy," said Roger Strukhoff, Conference Chair. "DX World Expo has organized these issues along 10 tracks with more than 150 of the world's top speakers coming to Istanbul to help change the world."
"We focus on SAP workloads because they are among the most powerful but somewhat challenging workloads out there to take into public cloud," explained Swen Conrad, CEO of Ocean9, Inc., in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"As we've gone out into the public cloud we've seen that over time we may have lost a few things - we've lost control, we've given up cost to a certain extent, and then security, flexibility," explained Steve Conner, VP of Sales at Cloudistics,in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We are focused on SAP running in the clouds, to make this super easy because we believe in the tremendous value of those powerful worlds - SAP and the cloud," explained Frank Stienhans, CTO of Ocean9, Inc., in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"Peak 10 is a hybrid infrastructure provider across the nation. We are in the thick of things when it comes to hybrid IT," explained , Chief Technology Officer at Peak 10, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"I think DevOps is now a rambunctious teenager – it’s starting to get a mind of its own, wanting to get its own things but it still needs some adult supervision," explained Thomas Hooker, VP of marketing at CollabNet, in this SYS-CON.tv interview at DevOps Summit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We are still a relatively small software house and we are focusing on certain industries like FinTech, med tech, energy and utilities. We help our customers with their digital transformation," noted Piotr Stawinski, Founder and CEO of EARP Integration, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We've been engaging with a lot of customers including Panasonic, we've been involved with Cisco and now we're working with the U.S. government - the Department of Homeland Security," explained Peter Jung, Chief Product Officer at Pulzze Systems, in this SYS-CON.tv interview at @ThingsExpo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Everything run by electricity will eventually be connected to the Internet. Get ahead of the Internet of Things revolution and join Akvelon expert and IoT industry leader, Sergey Grebnov, in his session at @ThingsExpo, for an educational dive into the world of managing your home, workplace and all the devices they contain with the power of machine-based AI and intelligent Bot services for a completely streamlined experience.
Any startup has to have a clear go –to-market strategy from the beginning. Similarly, any data science project has to have a go to production strategy from its first days, so it could go beyond proof-of-concept. Machine learning and artificial intelligence in production would result in hundreds of training pipelines and machine learning models that are continuously revised by teams of data scientists and seamlessly connected with web applications for tenants and users.
"We're here to tell the world about our cloud-scale infrastructure that we have at Juniper combined with the world-class security that we put into the cloud," explained Lisa Guess, VP of Systems Engineering at Juniper Networks, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"I will be talking about ChatOps and ChatOps as a way to solve some problems in the DevOps space," explained Himanshu Chhetri, CTO of Addteq, in this SYS-CON.tv interview at @DevOpsSummit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We are an IT services solution provider and we sell software to support those solutions. Our focus and key areas are around security, enterprise monitoring, and continuous delivery optimization," noted John Balsavage, President of A&I Solutions, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Your homes and cars can be automated and self-serviced. Why can't your storage? From simply asking questions to analyze and troubleshoot your infrastructure, to provisioning storage with snapshots, recovery and replication, your wildest sci-fi dream has come true. In his session at @DevOpsSummit at 20th Cloud Expo, Dan Florea, Director of Product Management at Tintri, provided a ChatOps demo where you can talk to your storage and manage it from anywhere, through Slack and similar services with...
The financial services market is one of the most data-driven industries in the world, yet it’s bogged down by legacy CPU technologies that simply can’t keep up with the task of querying and visualizing billions of records. In his session at 20th Cloud Expo, Karthik Lalithraj, a Principal Solutions Architect at Kinetica, discussed how the advent of advanced in-database analytics on the GPU makes it possible to run sophisticated data science workloads on the same database that is housing the rich...
DevOps at Cloud Expo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 21st Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to w...
"We want to show that our solution is far less expensive with a much better total cost of ownership so we announced several key features. One is called geo-distributed erasure coding, another is support for KVM and we introduced a new capability called Multi-Part," explained Tim Desai, Senior Product Marketing Manager at Hitachi Data Systems, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
There is a huge demand for responsive, real-time mobile and web experiences, but current architectural patterns do not easily accommodate applications that respond to events in real time. Common solutions using message queues or HTTP long-polling quickly lead to resiliency, scalability and development velocity challenges. In his session at 21st Cloud Expo, Ryland Degnan, a Senior Software Engineer on the Netflix Edge Platform team, will discuss how by leveraging a reactive stream-based protocol,...
SYS-CON Events announced today that SkyScale will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. SkyScale is a world-class provider of cloud-based, ultra-fast multi-GPU hardware platforms for lease to customers desiring the fastest performance available as a service anywhere in the world. SkyScale builds, configures, and manages dedicated systems strategically located in maximum-securit...
DX World EXPO, LLC., a Lighthouse Point, Florida-based startup trade show producer and the creator of "DXWorldEXPO® - Digital Transformation Conference & Expo" has announced its executive management team. The team is headed by Levent Selamoglu, who has been named CEO. "Now is the time for a truly global DX event, to bring together the leading minds from the technology world in a conversation about Digital Transformation," he said in making the announcement.