Guest post by David Thompson, senior director, product management, LightCyber.
A targeted data breach is one of the most vexing problems facing healthcare organizations today. Just in the first three months of 2015 alone, 99 million patient healthcare records were compromised—that’s about one-third of the entire U.S. population, and those are just the ones we know about. According to some sources, 90 percent of healthcare organizations have already been breached, but we aren’t sure which ones.
The cybercriminals behind a targeted data breach do not want to be exposed—and make no mistake, these breaches are run by people, not autonomous software. Unlike the hackers of earlier days, these operatives want to stay hidden and conduct their work in secret. Even if they have successfully completed their initial goals—let’s say exfiltrate patient medical records—a cybercriminal team will likely want to stay undiscovered to continue to steal more data as it is collected, or leverage this access to break into another company. Often this will involve commandeering valid credentials from the first organization to gain access to another, perhaps a partner healthcare organization, an insurance company, an independent lab or some other entity.
The simple truth is that most healthcare organizations lack the means to detect an active data breach. First, let me define a data breach, since there is so much confusion over the term. A breach is the entire process—from initial network penetration through data exfiltration— cybercriminals go through to achieve their goals.
Often a breach is perceived as only the initial penetration into the network or infection of a machine. This one act is over in an instant, but it is the focus of considerable security resources. In other words, a large proportion of security resources are devoted to preventing single step in the breach process that lasts less than a minute, but is only the first step toward a goal.
Also, initial penetration is not as easy to spot and block as you might guess. Since the way into the network may be accomplished through the use of valid credentials acquired through social engineering or clever spear phishing, detecting the intrusion can be difficult. Effective prevention of intrusions is based on use of statically defined descriptions of software code or behavior (signatures and hashes), so it is successful mainly when known malware is used to conduct a breach. So, preventing an intrusion has a marginal success rate, but it is often seen as the last change an organization has in defeating a targeted breach.
Once an attacker is inside the network, most organizations lack the ability to find them. At the same time, an attacker is inherently at a disadvantage, having landed inside an unfamiliar network. This disadvantage is quickly dissipated since they can often go completely undetected for weeks, months or even longer. The industry average dwell time is around six months, plenty of time for an attacker to explore a network and get at assets.
Why is it that organizations are seemingly powerless to find an active data breach once an intruder has penetrated a network? There are four main reasons.